Open Redirect


Open redirect 🐟 refers to an endpoint that is used to redirect users but does not check, or does not correctly check, where the user is being redirected to.

Some CRM tools such as HubSpot rewrite the links in emails so that they pass through the tool's own website first, recording when the link was clicked so the company can analyse its email campaigns. It's common for websites to use redirections for analytics.

It's mainly used for phishing 🎣: the user clicks a link pointing at a domain they trust, without seeing that the link is actually abusing the redirect to send them to a malicious website.

https://[...]?xxx=some_url $\to$ https://[...]?xxx=malicious_url
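As an added example (not code from the original note), the flaw from the pattern above next to a hardened redirect-target check; the host names, the `next` parameter and the allow-list are constructed placeholders:

```python
"""Open-redirect target validation (added example, not from the original note).

vulnerable_redirect() reproduces the bug: it sends the user wherever the
query parameter says. safe_redirect_target() is the hardened form: only
site-relative paths, or https URLs whose host is on an explicit allow-list,
are accepted; everything else falls back to a fixed landing page.
"""
from urllib.parse import urlsplit

FALLBACK = "/"                              # destination for rejected targets
ALLOWED_HOSTS = {"www.example-shop.test"}   # constructed allow-list


def vulnerable_redirect(next_param: str) -> str:
    # The bug: the destination is taken verbatim from the request.
    return next_param


def safe_redirect_target(next_param: str, allowed_hosts=ALLOWED_HOSTS) -> str:
    target = next_param or ""
    # Browsers strip tabs/newlines and leading/trailing spaces before parsing,
    # so any control character or surrounding whitespace is grounds to reject.
    if target != target.strip() or any(ord(c) < 0x20 or ord(c) == 0x7F for c in target):
        return FALLBACK
    # In http(s) URLs browsers treat "\" like "/", so "/\evil.test"
    # navigates to "//evil.test" (another host). Reject it outright.
    if "\\" in target:
        return FALLBACK
    parts = urlsplit(target)
    # Case 1: a site-relative path. Exactly one leading slash, so that a
    # scheme-relative "//evil.test" is not mistaken for a local path.
    if parts.scheme == "" and parts.netloc == "":
        if target.startswith("/") and not target.startswith("//"):
            return target
        return FALLBACK
    # Case 2: an absolute URL. Require https and an exact host match.
    # .hostname ignores userinfo, so "https://good.test@evil.test/" is
    # compared as evil.test, and "https:evil.test" (no netloc) yields None.
    if parts.scheme == "https" and parts.hostname in allowed_hosts:
        return target
    return FALLBACK
```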

👻 To-do 👻

Stuff that I found, but never read/used yet.

  • encode the malicious URL as hexadecimal to try to bypass filters