You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
* URL patterns that commonly lead to open redirect. <br>
<b>Payload file Usage:</b> <br>
Replace {target} with ip or hostname and path, Examples: <br>
<b>Usage:</b> <br>
Replace {target} in files with ip or hostname and path, Examples: <br>
* evil.com <br>
* evil.com/badurl<br>
* 1.2.3.4 <br>
* 134744072<br>
<b>Filter bypass testing techniques:</b><br>
<b>Testing techniques:</b><br>
Filter Bypass
* If periods are being stripped by the filter so that evil.com becomes evilcom, try converting the ip address to decimal notation form.
http://www.geektools.com/geektools-cgi/ipconv.cgi
* Try URL-encoding the replacement value for {target}
Other Issues
* If redirect.injection.template.txt usage results in the server proxying a request to the injected URL and returning its contents instead of redirecting to it, explore how this could be used to explore the servers localhost ports for web services, protected systems in a DMZ, interact through GET requests/REST interfaces, etc.
