Three Cases, Three Open Redirect Bypasses

Mohammed Eldeeb
Apr 22, 2018 · 2 min read

Hello,

Today I will write about three open redirect cases I faced, and how I managed to bypass the redirect check in all of them.

Introduction to redirect bypasses:

In all redirect cases I look into different areas of the URL where the target domain can be pushed out of the host position:

1- before the protocol, so the whole target URL becomes a path on the attacker's site: attacker.com/http://mytarget.com

2- in the www part, before the target domain (the three cases below are all about this area)

3- after the .com, where we can use @ so the target domain becomes userinfo and the real host is what follows it

4- after the port, for example www.target.com:attacker.com

In these areas we can often bypass the redirect check (not in all cases).

#Case 1:

In this case there was a redirect parameter, ?redirect=, that redirected to http://www.mytarget.com. I found that I could only play with the www part.

So I tried www.evil.com.mytarget.com, but it did not work. Then I looked into which characters were allowed, to find one I could use to make a break between evil.com and mytarget. I found that a backslash was allowed, so I tried http://www.evil.com\\mytarget.com; that did not work either, I was getting a Forbidden response. After some time I realized that I had to keep the dot and put .mytarget.

So the final URL was http://www.evil.com\\.mytarget.com and I got redirected to the evil.com domain. (Browsers following the WHATWG URL standard treat a backslash like a forward slash in http and https URLs, so the host ends at www.evil.com and \\.mytarget.com becomes the path; the server-side check only saw that the string still ended in .mytarget.com.)

#Case 2:

In this case there was a parameter called ?ref= that redirected users to the main domain. I found that I could play with the www part, so it looked the same as case 1 to me; however, it needed a different way.

The parameter did not accept any of the characters we could use to make a break as in case 1. After some time I got the idea that we could deceive the target with @: if I put http://attacker.com@mytarget.com it was accepted, so, as in case 1, I tried http://attacker.com\\@mytarget.com. Oh, but I forgot that I would then get redirected to @mytarget.com as the final destination. What could I do here?

What about @attacker.com\\@mytarget.com? Yes, it worked: the final URL was https://@attacker.com\\@mytarget.com and we got redirected to https://attacker.com//mytarget.com. (The first @ leaves the userinfo empty, the backslash ends the host right after attacker.com, and @mytarget.com is left over in the path, so the browser never treats mytarget.com as the host.)

#Case 3:

In this case I used the payload list at https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Open%20redirect

The redirect endpoint was ?redirect=https://mytarget.com. You might think we could use something like case 1 or 2? No, nothing I used in the previous cases was accepted here. After looking through the list above, the only thing that worked was "%E3%80%82" to get past the blacklisted "." character. %E3%80%82 is the UTF-8 encoding of U+3002 (IDEOGRAPHIC FULL STOP), which browsers map to an ASCII dot when they resolve the hostname, while a filter that only rejects the literal "." byte lets it through. In the final redirect it showed up as a new line/space.

The final URL was https://attacker.com%E3%80%82.mytarget.com

and we got redirected to https://attacker.com mytarget.com
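To make the three cases concrete, here is an added example (my code, not the post's or any project's): it runs the payloads through Node's global URL class, which implements the same WHATWG URL standard browsers follow, beside a naive substring check like the ones the three targets appear to have used and a hardened allow-list check on the parsed hostname. mytarget.com, evil.com and attacker.com are the post's placeholder names; the case 3 payload is shown without the extra "." after %E3%80%82 so the parsed host is a single clean label sequence, and the legitimate URL and the ALLOWED_HOSTS list are assumptions for the demo.

```javascript
// Added example, not code from the original post. Node's global URL class implements
// the WHATWG URL standard that browsers follow, so browserTarget() shows where a
// browser would land for each payload. Hostnames are the post's placeholders
// (mytarget.com, evil.com, attacker.com); ALLOWED_HOSTS and OUR_ORIGIN are assumed.

const ALLOWED_HOSTS = new Set(["mytarget.com", "www.mytarget.com"]);
const OUR_ORIGIN = "https://www.mytarget.com";

// The kind of check the three cases defeat: the target domain only has to appear
// somewhere in the raw string.
function naiveIsSafe(raw) {
  return /^https?:\/\//i.test(raw) && raw.includes("mytarget.com");
}

// Where a browser following the raw value would actually go.
function browserTarget(raw) {
  const u = new URL(raw);
  return { host: u.hostname, path: u.pathname, user: u.username };
}

// Hardened check: parse with the same rules the browser uses, then compare the parsed
// hostname exactly against an allow-list. Userinfo is rejected outright because a
// legitimate redirect target never needs credentials in the URL.
function isSafeRedirect(raw) {
  let u;
  try {
    u = new URL(raw);
  } catch {
    return false;
  }
  if (u.protocol !== "http:" && u.protocol !== "https:") return false;
  if (u.username !== "" || u.password !== "") return false;
  return ALLOWED_HOSTS.has(u.hostname);
}

// Stricter option for most apps: only accept a path on our own origin. The input is
// resolved against OUR_ORIGIN, so "//attacker.com" or "\\attacker.com" (which the
// WHATWG parser turns into a new authority) fails the origin comparison and falls
// back to the site root.
function sameOriginRedirect(raw) {
  let u;
  try {
    u = new URL(raw, OUR_ORIGIN);
  } catch {
    return OUR_ORIGIN + "/";
  }
  if (u.origin !== OUR_ORIGIN) return OUR_ORIGIN + "/";
  return OUR_ORIGIN + u.pathname + u.search;
}

// Constructed inputs: the three payloads from the post (case 3 without the doubled
// dot) plus a legitimate value.
const PAYLOADS = {
  case1: "http://www.evil.com\\.mytarget.com",        // backslash ends the host
  case2: "https://@attacker.com\\@mytarget.com",      // empty userinfo, then backslash
  case3: "https://attacker.com%E3%80%82mytarget.com", // U+3002 is mapped to "."
  legit: "https://www.mytarget.com/account?tab=1",
};

for (const [name, raw] of Object.entries(PAYLOADS)) {
  const t = browserTarget(raw);
  console.log(
    `${name}: naive=${naiveIsSafe(raw)} hardened=${isSafeRedirect(raw)}` +
      ` browser host=${t.host} path=${t.path}`
  );
}
```

Run it with node. The exact hostname comparison is what defeats all three tricks: a suffix check such as endsWith("mytarget.com") would still accept the parsed host of case 3, attacker.com.mytarget.com. The comparison also has to be made with a parser that follows the browser's rules, not on the raw string and not with just any library: Python's urllib.parse.urlsplit, for instance, does not treat the backslash as a delimiter, so it reports mytarget.com as the hostname of the case 2 payload while the browser goes to attacker.com.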

I hope you enjoyed this reading,

Happy Hunting!
