
# Open Redirect

***

Open redirects occur when a target visits a website and that website **sends their browser to a different URL**, potentially on a separate domain, with the destination taken from input the attacker controls. Open redirects **exploit the trust of a given domain to lure targets to a malicious website**: the link the target clicks really does point at the trusted site, and only the redirect takes them elsewhere.

An attacker can also use **JavaScript** to redirect users by modifying the window's `location` property through the Document Object Model (DOM). The DOM is an API for HTML and XML documents that allows developers to modify the structure, style, and content of a web page. Because the `location` property denotes where the browser should navigate to, browsers immediately act on this JavaScript and redirect to the specified URL. Any of the following assignments triggers the navigation:

```js
// Each of these navigates the current window to http://evil.com
window.location = "http://evil.com";
window.location.href = "http://evil.com";
// replace() also overwrites the current history entry, so Back does not return to the page
window.location.replace("http://evil.com");
```
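The dangerous pattern is a page that copies a query parameter into one of these sinks without checking it. The following is an added example, not code from the original page: a minimal DOM-based redirect sink next to a hardened version, using Node's WHATWG `URL` parser (the same parsing rules the browser applies) to show where each payload would actually land. The origin and hostnames are constructed placeholders.

```javascript
// Added example (not from the original page). The hostnames below are constructed.
const SITE_ORIGIN = "https://mystore.example";

// Vulnerable sink: whatever is in ?url= is handed to window.location unchanged.
// In a real page this would be `window.location = vulnerableTarget(location.search)`.
function vulnerableTarget(search) {
  const raw = new URLSearchParams(search).get("url");
  return raw === null ? "/" : raw;
}

// Where the browser would actually land for a given target: resolve it the way
// the browser would (relative to the current origin) and read back the origin.
function landingOrigin(target, origin = SITE_ORIGIN) {
  try {
    return new URL(target, origin).origin; // "null" for javascript:, data:, etc.
  } catch {
    return null; // unparseable input
  }
}

// Hardened sink: resolve the value against our own origin, keep only the
// path/query/fragment, and only when the resolved origin is ours. Everything
// else (other hosts, protocol-relative "//", backslash "/\", "user@host",
// javascript: URLs) falls back to "/".
function safeTarget(search, origin = SITE_ORIGIN) {
  const raw = new URLSearchParams(search).get("url");
  if (raw === null) return "/";
  let resolved;
  try {
    resolved = new URL(raw, origin);
  } catch {
    return "/";
  }
  if (resolved.origin !== origin) return "/";
  return resolved.pathname + resolved.search + resolved.hash;
}

// Constructed payloads: a legitimate path, an absolute URL, and three shapes
// that look like paths but resolve to another origin.
const payloads = [
  "?url=/account",
  "?url=https://evil.example/phish",
  "?url=//evil.example/phish",
  "?url=/\\evil.example/phish",
  "?url=https://mystore.example@evil.example/",
  "?url=javascript:alert(1)",
];

for (const p of payloads) {
  const v = vulnerableTarget(p);
  console.log(
    p.padEnd(46),
    "vulnerable lands on:", String(landingOrigin(v)).padEnd(22),
    "| hardened target:", safeTarget(p),
  );
}
```

The important design choice is to compare `origin` after parsing rather than inspecting the raw string: a startsWith("/") check would accept `//evil.example` and `/\evil.example`, both of which the browser resolves to a different host.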

## Example Payloads

### Using \<meta> Tag:

```html
<meta http-equiv="refresh" content="0; url=http://ATTACKER-SITE">
```

The `content` attribute controls two things. First, the number before the semicolon is how long the browser waits before navigating; here, 0 seconds, so the redirect happens as soon as the page loads. Second, the `url=` part is the address the browser makes the GET request to. If an attacker can inject this tag, or control the `url` value in a refresh tag the page already emits, the redirect needs no user interaction at all.

### Providing a malicious domain

In the Shopify login example, the `checkout_url` parameter is appended to the store URL on the backend. Submitting a value that begins with a period:

`http://mystore.myshopify.com/account/login?checkout_url=.attacker.com`

redirected the user to

`http://mystore.myshopify.com.attacker.com`

which is not a Shopify domain. DNS resolves a hostname from its rightmost labels, so `mystore.myshopify.com.attacker.com` is a subdomain of `attacker.com`, which Shopify does not own, and not of `myshopify.com` as Shopify intended; whoever controls DNS for `attacker.com` can point that subdomain wherever they like. The attacker cannot send the target just anywhere, because the store URL is fixed in front of their input, but a single special character such as a period in the part they do control is enough to move the user to another domain.

## Takeaways

> If you can only control a portion of the final URL used by a site, adding special URL characters might change the meaning of the URL and redirect a user to another domain. Let's say you can only control the `checkout_url` parameter value, and you also notice that the parameter is being combined with a hardcoded URL on the backend of the site, such as the store URL `http://mystore.myshopify.com/`. Try adding special URL characters, like a period or the @ symbol, to test whether you can control the redirected location.
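To see exactly why a period or an `@` changes the destination when the value is glued onto a fixed prefix, the following added example (not code from the original page or from Shopify) models the "hardcoded store URL + attacker-controlled suffix" construction from the malicious-domain example and the takeaway above. It parses the resulting string with the WHATWG `URL` parser and compares a naive substring check against a hostname check. The store name comes from the page; `attacker.example` and the function names are constructed for illustration.

```javascript
// Added example (not Shopify's code). STORE_URL is the page's example store;
// attacker.example is a constructed placeholder.
const STORE_URL = "http://mystore.myshopify.com";
const ALLOWED_SUFFIX = ".myshopify.com";

// Backend behaviour as described on the page: the parameter is appended
// verbatim to the store URL.
function buildRedirect(checkoutUrl) {
  return STORE_URL + checkoutUrl;
}

// Where a browser would actually go: parse the glued string and read the host.
// Returns null if the result does not parse as a URL.
function resolvedHost(checkoutUrl) {
  try {
    return new URL(buildRedirect(checkoutUrl)).hostname;
  } catch {
    return null;
  }
}

// Naive check seen in the wild: substring match on the brand domain in the raw
// string. Accepts "mystore.myshopify.com.attacker.example" because the
// substring is still present.
function naiveAllow(checkoutUrl) {
  return buildRedirect(checkoutUrl).includes("myshopify.com");
}

// Hostname check: parse first, then require the host to equal the brand
// domain or end with ".myshopify.com" (the leading dot matters). This rejects
// both "…myshopify.com.attacker.example" and "mystore.myshopify.com@attacker.example",
// where the store name has become userinfo and the real host is the attacker's.
function hostAllow(checkoutUrl) {
  const host = resolvedHost(checkoutUrl);
  if (host === null) return false;
  return host === ALLOWED_SUFFIX.slice(1) || host.endsWith(ALLOWED_SUFFIX);
}

// Constructed payloads: a normal path, the period trick, the @ trick, and an @
// placed after the first "/" (harmless, since "/" ends the authority section).
const payloads = [
  "/checkout",
  ".attacker.example",
  "@attacker.example",
  "/checkout?ref=@attacker.example",
];

for (const p of payloads) {
  console.log(
    p.padEnd(32),
    "host:", String(resolvedHost(p)).padEnd(42),
    "naive:", naiveAllow(p),
    "hostCheck:", hostAllow(p),
  );
}
```

The `@` case is the one the naive check gets most wrong: in `http://mystore.myshopify.com@attacker.example` the entire store name is parsed as a username, so the string still "contains" the brand domain while the request goes to `attacker.example`.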

## Payloads

```txt
/redirect.php?url=https://<Domain>
/redirect.php?url=//<Domain>
```


