Story of bypassing the Referer header to make an open redirect

Mohammed Eldeeb
Nov 22, 2017 · 1 min read

Hi all,

Today I will write about bypassing the Referer header to make an open redirect.

I was testing a private program and I was working on one of this program's subdomains, let's say subdomain.domain.com.

I ran DirBuster to see if there were any interesting endpoints, and I found some; let's call one of them /endpoint. After that I found that the subdomain could redirect us to the main domain through this endpoint: /endpoint/clkn/http/maindomain.com/

I tried to change the main domain to any other domain. It worked, but unfortunately there was Referer header protection to prevent this. I searched on Google but did not find anything; after that I asked people on Slack, but nobody had an idea, so I said to myself: let's try harder.

I said to myself: let's try putting the Referer as the link that we will redirect to. I did this, and then I deleted the Referer header, and WOW! It worked without the Referer header.

Now let's try the URL. Unfortunately, if I changed anything in the link I got the message: We're sorry, but the link you followed appears to be invalid.

After some tries I looked at this tweet: https://twitter.com/EdOverflow/status/931862992643411975

and I put in only one character, so it looked like this: /endpoint/clkn/http/t-Ô-subdomain.domain.com/

and in the response I got a redirect to Location: http://t-?subdomain.domain.com/

Woohoo, we are on the T host now!

Try harder... you will get what you want.
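Two defects come together in the story above: the redirect endpoint trusted the Referer header (which any client can omit or set), and the host check was applied before a normalization step that silently changed the host. The following is an added example, not code from the post or from the program being tested, showing the weak Referer-based check beside a hardened target validator. The endpoint path layout `/endpoint/clkn/<scheme>/<host>/...`, the allowlist contents and the function names are assumptions for illustration. The hardened check ignores the Referer entirely, parses the target once, converts the host to its IDNA ASCII form (so no later stage can turn it into something else), and only then compares it against an exact allowlist.

```python
from urllib.parse import urlsplit

# Constructed allowlist (assumption): the only hosts this site will redirect to.
ALLOWED_HOSTS = {"maindomain.com", "www.maindomain.com"}
ALLOWED_SCHEMES = {"http", "https"}


def referer_based_check(referer, target_host):
    """Reconstruction of the weak pattern described in the post (assumed logic).

    It is bypassable in two ways: the Referer is attacker-controlled, and a
    missing Referer is treated as trusted, so dropping the header skips the check.
    """
    if referer is None:
        return True  # the flaw: no header, no check
    return urlsplit(referer).hostname == target_host


def path_to_url(path):
    """Turn '/endpoint/clkn/<scheme>/<host>/<rest>' into a URL string.

    The path layout mirrors the endpoint in the post; the parsing is an assumption.
    """
    parts = path.split("/")
    if len(parts) < 5 or parts[1] != "endpoint" or parts[2] != "clkn":
        return None
    scheme, host, rest = parts[3], parts[4], "/".join(parts[5:])
    return f"{scheme}://{host}/{rest}"


def safe_redirect_target(path):
    """Return the URL to redirect to, or None if it is not on the allowlist.

    The Referer header is deliberately not an input: it is not a security boundary.
    """
    url = path_to_url(path)
    if url is None:
        return None
    try:
        parsed = urlsplit(url)
    except ValueError:
        return None
    if parsed.scheme.lower() not in ALLOWED_SCHEMES:
        return None
    # Reject userinfo and explicit ports: 'maindomain.com@evil.example' must not pass.
    if parsed.username or parsed.password or parsed.port:
        return None
    host = parsed.hostname
    if not host:
        return None
    # Normalize first, compare second. A host such as 't-Ô-subdomain.domain.com'
    # becomes a punycode label here instead of being reshaped after the check.
    try:
        ascii_host = host.encode("idna").decode("ascii").lower()
    except UnicodeError:
        return None
    if ascii_host not in ALLOWED_HOSTS:
        return None
    return f"{parsed.scheme.lower()}://{ascii_host}{parsed.path or '/'}"


if __name__ == "__main__":
    # Inputs modelled on the post (constructed values).
    for p in ["/endpoint/clkn/http/maindomain.com/",
              "/endpoint/clkn/http/t-Ô-subdomain.domain.com/",
              "/endpoint/clkn/http/maindomain.com@evil.example/"]:
        print(p, "->", safe_redirect_target(p))
    print("missing Referer accepted by weak check:",
          referer_based_check(None, "evil.example"))
```

The detection angle follows directly: a redirect handler that emits a `Location` header for a host outside the allowlist, or whose logged target host differs from the one it validated, is the signal that validation and normalization happened in the wrong order.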

Thanks
