Three Cases, Three Open Redirect Bypasses

Hello,

Today I will write about three cases I faced, in all of which I managed to bypass the redirect.

Introduction to redirect bypasses:

In all redirect cases I look into different areas:

1- Before the http protocol, so we can use attacker.com/http://mytarget.com

2- In the www area, before the redirect domain (I will talk about )

3- After the .com, so we can use @

4- After the port, for example www.target.com:attacker.com

In these three areas we can bypass the redirection (not in all)

#Case 1:

In this case there was a redirect parameter called ?redirect= that redirects to http://www.mytarget.com. I found that I can play only with www.

So I tried www.evil.com.mytarget.com, but it did not work. I then looked into which allowed characters I could use to make a break between mytarget and evil.com. I found that backslash is allowed here, so I made http://www.evil.com\\mytarget.com. That did not work either; I was getting a Forbidden response. After some time I realized that I have to put .mytarget

So the final URL was http://www.evil.com\\.mytarget.com and I got redirected to the evil.com domain.

#Case 2:

In this case there was a parameter called ?ref= that redirects users to the main domain. I found that I can play with www, so it looked the same as case 1 to me; however, the way is different.

The parameter does not accept any character that we can use to make a break as we did in case 1. After some time I got an idea that we can deceive our target, and it was @. If I put http://attacker.com@mytarget.com it accepts it, so as we did in case 1: http://attacker.com\\@mytarget.com. Oh, I forgot that I will get redirected to @mytarget.com in the final destination. What can I do here?

What about @attacker.com\\@mytarget.com? Yes, it worked; the final URL was https://@attacker.com\\@mytarget.com and we get redirected to https://attacker.com//mytarget.com

#Case 3:

In this case I used https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Open%20redirect

The redirect endpoint was ?redirect=https://mytarget.com. You think we can use anything like case 1 or 2? No, everything I used in the previous cases was not accepted here. So after I looked into the above link, I could use only “%E3%80%82” to bypass the blacklisted “.” character; the %E3%80%82 makes a new line/space.

The final URL was https://attacker.com%E3%80%82.mytarget.com

and we get redirected to https://attacker.com mytarget.com
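For the defending side, the sketch below runs the three final URLs from the cases above through a string-based filter and through a check that parses the value the way a browser does before comparing the host. It is an added example, not code from the original post or from any of the targets; the allowlist, the function names and the weak filter are assumptions made for illustration.

```javascript
// Added example. ALLOWED_HOSTS and naiveAllows() are assumptions, not the targets' code.
const ALLOWED_HOSTS = new Set(["mytarget.com", "www.mytarget.com"]);

// The three final URLs from the cases above, copied as written on this page.
const CASES = [
  String.raw`http://www.evil.com\\.mytarget.com`,
  String.raw`https://@attacker.com\\@mytarget.com`,
  "https://attacker.com%E3%80%82.mytarget.com", // %E3%80%82 percent-decodes to U+3002
];

// Hypothetical weak filter: trusts the raw string if it ends in the trusted domain.
function naiveAllows(raw) {
  return /^https?:\/\//i.test(raw) && raw.endsWith("mytarget.com");
}

// Host that the WHATWG URL parser (browsers, Node) resolves; null if unparsable.
function parsedHost(raw) {
  try {
    return new URL(raw).hostname;
  } catch {
    return null;
  }
}

// Hardened check: refuse backslashes, whitespace and non-ASCII input, refuse
// userinfo, then require the parsed host to be an exact allowlist entry.
function isSafeRedirect(raw) {
  if (typeof raw !== "string" || /[^\x21-\x7e]|\\/.test(raw)) return false;
  let url;
  try {
    url = new URL(raw);
  } catch {
    return false;
  }
  if (url.protocol !== "https:" && url.protocol !== "http:") return false;
  if (url.username !== "" || url.password !== "") return false;
  return ALLOWED_HOSTS.has(url.hostname); // exact match, no suffix or substring test
}

for (const raw of CASES) {
  console.log(raw, "| naive:", naiveAllows(raw), "| host:", parsedHost(raw),
    "| hardened:", isSafeRedirect(raw));
}
```

The host comparison is an exact match on purpose: a suffix test such as "ends with .mytarget.com" is a string check again, only applied one step later.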

I hope you enjoyed this reading,

Happy Hunting!