This is a redirection vulnerability. You know when you go on a site, scroll around a bit, and when you want to download what you’ve done (like on some image editing sites) they tell you to log in first? Well, after you log in the site takes you right back to where you were before, so that you can continue from where you stopped, but this time while logged in.
The URL can be something like this: https://example.com/login?redirect=https://example.com/dashboard. This checks if you are logged in and, if you are, takes you to the dashboard. But an attacker can change that second URL to attacker.com, and the moment you log in you’ll be taken to the attacker’s site, which might be made to look like your intended page. This is just one way redirects work.
STEP 1:
There’s also something known as referrer-based redirects, where the referrer is included in the HTTP request. The referrer is the web page that sent you to the place you are now on that site (the login page). So let’s say you were selecting images and, when you wanted to download, you were taken to the login page: the previous page you were selecting images on automatically becomes your referrer, hence once you log in you’ll be sent back to that page. But if the legit website does not keep an allowlist of domain names, or at least check that the referrer is on the same origin, then an attacker may put the link to the legit site’s login page on his own page. When you click that link, the attacker’s page has automatically become your referrer, and after logging in you’ll be sent back there, where it might be made to look legit, hence making you trust it more.
LOOKING FOR REDIRECT PARAMETERS:
You need to know as many redirect parameters as possible. Explore a site to see if you’re redirected; if yes, then how? What does the URL look like? Here are a few common parameters:
login?redirect=
login?redir=
login?forward=
login?next=
You can also use Google dorks to find more.
Now that you’ve found redirects, try changing the host name it’s redirecting to and see if it works.
Test for referrer-based redirects by hosting a small site and checking whether, with your site set as the referrer to your target site, it redirects back to your site after login.
Pages that don’t have these redirect parameters in their URL but still redirect are potential candidates for referrer-based open redirect attacks. Look out for 3xx status codes such as 300, 301, 302, as they mean you were redirected.
USING GOOGLE DORKS (STEP 2):
To find open redirect opportunities and URLs using Google dorking, we can use site:example.com, which restricts the results to the site I’m testing. I can look for things in the URL like “=” and “/” signs using their URL-encoded forms: for = we have %3D and for / we have %2F. So your dork can look like this: inurl:%3D%2F site:example.com. This can find a URL like https://example.com/login?n=/dashboard. Dorks like this can find both absolute and relative URLs: absolute URLs show the full URL it’s being redirected to, while relative ones only show a slash and the page.
Also we can search for common URL redirect parameters, for example:
inurl:return site:example.com
inurl:returnurl site:example.com
inurl:relaystate site:example.com
inurl:forward site:example.com
inurl:forwardurl site:example.com
inurl:forward_url site:example.com
There are many more, depending on which you wish to test with.
STEP 3:
Now let’s say we have found targets for parameter-based open redirects, for example https://example.com/login?n=/dashboard. As we can see, the condition for a redirect is to log in. Now change the destination to another site, one that you own or just another site, and see if you’re redirected there after logging in. Example: https://example.com/login?n=https://attacker.com
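The fix on the server side, for both the parameter-based redirect in this step and the referrer-based one from STEP 1, is to validate every candidate destination against an allowlist before redirecting. This is an added example written for this page, not code from any site or project mentioned here; the allowlist, the default target and the function names are assumptions.

```python
from typing import Optional
from urllib.parse import urlsplit

# Assumed allowlist of hosts the login page may send a user back to.
# example.com is the page's own placeholder domain.
ALLOWED_HOSTS = {"example.com", "www.example.com"}
DEFAULT_TARGET = "/dashboard"


def is_safe_redirect(target: str) -> bool:
    """Accept only a same-site relative path or an absolute URL whose host is
    on the allowlist. A real URL parser is used instead of a prefix test, so
    a destination that merely starts with 'https://example.com' is not
    mistaken for one that actually stays on example.com."""
    if not target:
        return False
    parts = urlsplit(target.strip())
    if parts.scheme == "" and parts.netloc == "":
        # Relative path like /dashboard. It must start with exactly one "/":
        # a "//host" prefix would be read by the browser as another host.
        return target.startswith("/") and not target.startswith("//")
    if parts.scheme not in ("http", "https"):
        # javascript:, data: and any other scheme are never valid targets.
        return False
    # hostname drops any user:pass@ prefix and port; compare lower-cased.
    host = (parts.hostname or "").lower()
    return host in ALLOWED_HOSTS


def post_login_redirect(param: Optional[str], referer: Optional[str]) -> str:
    """Choose the post-login destination the way the page describes: the
    redirect parameter first, then the Referer header, then a fixed default.
    Both user-controlled candidates go through is_safe_redirect first."""
    for candidate in (param, referer):
        if candidate and is_safe_redirect(candidate):
            return candidate
    return DEFAULT_TARGET


if __name__ == "__main__":
    # Constructed requests: a legitimate flow and the attacker-controlled ones.
    print(post_login_redirect("/dashboard", None))
    print(post_login_redirect("https://attacker.com", "https://example.com/images"))
    print(post_login_redirect(None, "https://attacker.com/fake-login"))
```

With the allowlist in place the attacker-controlled parameter and the attacker-controlled referrer are both ignored, and the user lands on a same-site page or the default.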
STEP 4: