HOW TO FIND OPEN REDIRECT EASILY ???

Josekutty Kunnelthazhe Binu
3 min read · Sep 15, 2024


Holaaa amigos, today I will show you how to easily check for an open redirect vulnerability. Let’s jump directly into the main stuff.

What is Open Redirect ???

An Open Redirect is a security flaw on a website that lets attackers change the destination of a link. Instead of taking a user to the intended site, the attacker can redirect them to a malicious website. This can be used to steal information or spread malware.

Impacts of Open Redirect ???

1. Attackers can redirect users to malicious websites (e.g. a phishing page that looks like the original site).

2. Loss of trust in the company whose domain appears in the link.

3. Attackers can spread malware by exploiting this vulnerability.

How to easily find this ???

1. Go to the target website you are hunting on.

2. Then check the main functions of the website like account creation, login, password reset etc., and concentrate on the URLs used while exercising those functions.

3. If you come across a URL with a parameter whose value is empty or looks like a URL (ex: https://google.com/test?param=), you can test it by adding https://evil.com after the = symbol.

IF THE WEBSITE TAKES YOU TO https://evil.com THEN THERE IS AN OPEN REDIRECT VULNERABILITY.
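To show both sides of the check described above, here is an added example (not code from the original post or from the author) in Python: a naive redirect validator of the kind that lets the `https://evil.com` payload through, a hardened validator that only allows same-site paths or allow-listed hosts, and a small classifier that decides whether a recorded redirect response actually sent the browser to the injected host. The host `preview-developer.redacted.com` is taken from the write-up; the allow-list, the function names and the sample responses are assumptions constructed for the example.

```python
"""Open-redirect checks: a naive validator beside a hardened one, plus a classifier
for redirect responses. Added example code, not the original author's tooling.
All sample inputs below are constructed."""
from typing import Optional
from urllib.parse import unquote, urljoin, urlsplit

# Hypothetical application host (from the write-up); anything else is external.
ALLOWED_HOSTS = {"preview-developer.redacted.com"}

REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def naive_is_safe(return_url: str) -> bool:
    """The kind of check that lets the write-up's payload through: it only rejects
    values starting with a dangerous scheme, so 'https://evil.com' is accepted."""
    return not return_url.lower().startswith(("javascript:", "data:"))


def hardened_is_safe(return_url: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Accept only a same-site path or an https URL to an allow-listed host."""
    if not return_url:
        return False
    # Decode percent-encoding conservatively and normalise backslashes, since browsers
    # treat '/\evil.com' like '//evil.com' (a scheme-relative URL to another origin).
    candidate = unquote(return_url.strip()).replace("\\", "/")
    parts = urlsplit(candidate)
    if parts.scheme:
        # Absolute URL: require https and an allow-listed host. urlsplit's hostname
        # handles 'user@host' tricks, so 'https://good.com@evil.com' yields 'evil.com'.
        return parts.scheme == "https" and parts.hostname in allowed_hosts
    if parts.netloc:
        return False  # scheme-relative '//evil.com'
    # Relative path: exactly one leading '/', which keeps the browser on this origin.
    return candidate.startswith("/") and not candidate.startswith("//")


def redirect_target(request_url: str, status: int, location: Optional[str]) -> Optional[str]:
    """Resolve where a response would send the browser; None when it is not a redirect."""
    if status not in REDIRECT_STATUSES or not location:
        return None
    return urljoin(request_url, location.replace("\\", "/"))


def is_open_redirect(request_url: str, injected: str, status: int,
                     location: Optional[str], allowed_hosts=ALLOWED_HOSTS) -> bool:
    """True when the response lands on the host supplied in the parameter and that host
    is not allow-listed: the condition the write-up describes as 'taken to evil.com'."""
    target = redirect_target(request_url, status, location)
    if target is None:
        return False
    target_host = urlsplit(target).hostname
    injected_host = urlsplit(injected.replace("\\", "/")).hostname
    return (target_host is not None and target_host == injected_host
            and target_host not in allowed_hosts)


# Constructed responses, as a tester might record them (not real captures).
LOGIN = "https://preview-developer.redacted.com/Identity/Account/Login?ReturnUrl="
SAMPLE_RESPONSES = [
    # (request URL, injected value, status, Location header)
    (LOGIN + "https://evil.com", "https://evil.com", 302, "https://evil.com"),   # vulnerable
    (LOGIN + "https://evil.com", "https://evil.com", 302, "/Identity/Account/Login"),  # stays on site
    (LOGIN + "//evil.com", "//evil.com", 302, "//evil.com"),                     # scheme-relative
    (LOGIN + "https://evil.com", "https://evil.com", 200, None),                 # no redirect
]

# Constructed validator cases with the verdict the hardened check should give.
VALIDATOR_CASES = {
    "/Identity/Account/Manage": True,
    "https://preview-developer.redacted.com/dashboard": True,
    "https://evil.com": False,
    "//evil.com": False,
    "/\\evil.com": False,
    "%2F%2Fevil.com": False,
    "javascript:alert(1)": False,
    "https://preview-developer.redacted.com.evil.com/": False,
    "https://preview-developer.redacted.com@evil.com/": False,
}


def triage(samples=SAMPLE_RESPONSES):
    """Classify each recorded response; returns one verdict per sample."""
    return [is_open_redirect(req, inj, st, loc) for req, inj, st, loc in samples]


if __name__ == "__main__":
    for value, expected in VALIDATOR_CASES.items():
        print(f"{value!r:55} naive={naive_is_safe(value)!s:5} hardened={hardened_is_safe(value)}")
    print("open redirect verdicts:", triage())
```

The hardened validator is the mitigation for what the write-up finds: a `ReturnUrl` value is only honoured when it resolves to the application's own origin, so `https://evil.com`, `//evil.com` and the backslash and percent-encoded variants are all rejected, while the naive check accepts the first of them.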

Real world POC example for better understanding:

I found this vulnerability on the login page of a target and the url was this:

https://preview-developer.redacted.com/Identity/Account/Login?ReturnUrl=

I added the payload https://evil.com and the new url was looking like this:

https://preview-developer.redacted.com/Identity/Account/Login?ReturnUrl=https://evil.com

Boom, I was taken to https://evil.com. You can use any other URL instead of https://evil.com; you will be redirected to whatever website you add in the parameter section.

Things to note while hunting ???

Always try to find this on sensitive endpoints like login, signup, password reset etc., because a redirect placed right after authentication is far more convincing to the victim and makes the issue more critical.

I hope you got an idea of how open redirect works and how to find it in real world applications. Thanksss for reading………

#OpenRedirect #BugBounty #WebSecurity #EthicalHacking #PenetrationTesting #BugHunting #CyberSecurity #AppSec #SecurityVulnerability #Infosec #WebVulnerability #EthicalHacker #SecurityResearch #ThreatHunting #MediumWriteup


Written by Josekutty Kunnelthazhe Binu

Cybersecurity Researcher | Bug Bounty Hunter | CEH v12 | CNSP | CAP
