TOPOPENREDIRECT.md

Top Open Redirect reports from HackerOne:

  1. [cs.money] Open Redirect Leads to Account Takeover to CS Money - 334 upvotes, $750
  2. XSS and Open Redirect on MoPub Login to Twitter - 225 upvotes, $1540
  3. Open Redirect in secure.showmax.com to Showmax - 222 upvotes, $550
  4. Open redirect at https://inventory.upserve.com/http://google.com/ to Upserve - 159 upvotes, $1200
  5. Open Redirect on central.uber.com allows for account takeover to Uber - 127 upvotes, $8000
  6. Twitter lite(Android): Vulnerable to local file steal, Javascript injection, Open redirect to Twitter - 86 upvotes, $1120
  7. Open redirect vulnerability to Rockstar Games - 80 upvotes, $250
  8. Open redirect to Nord Security - 79 upvotes, $500
  9. Open Redirect to Affirm - 70 upvotes, $250
  10. Reflected XSS & Open Redirect at mcs main domain to Mail.ru - 67 upvotes, $1000
  11. [dev.twitter.com] XSS and Open Redirect to Twitter - 66 upvotes, $1120
  12. Open Redirect to Omise - 62 upvotes, $100
  13. Open redirection at https://chaturbate.com/auth/login/ to Chaturbate - 54 upvotes, $200
  14. Open Redirection in index.php page to HackerOne - 52 upvotes, $250
  15. Google API key leaks and security misconfiguration leads Open Redirect Vulnerability to Clario - 51 upvotes, $300
  16. Open Redirection in Login - Korean Starbucks to Starbucks - 51 upvotes, $0
  17. Open Redirect on http://events.hackerone.com/redirect?url=https://naglinagli.github.io to HackerOne - 51 upvotes, $0
  18. [crm.unikrn.com] Open Redirect to Unikrn - 49 upvotes, $50
  19. Open Redirect on https://www.twitterflightschool.com/widgets/experience?destination_url=https://evil.com to Twitter - 49 upvotes, $0
  20. Reflected XSS and open redirect on larksuite.com using /?back_uri= parameter to Lark Technologies - 46 upvotes, $500
  21. Open redirect using theme install to Shopify - 45 upvotes, $500
  22. Open redirect vuln on login to Vercel - 45 upvotes, $0
  23. [dev.twitter.com] XSS and Open Redirect Protection Bypass to Twitter - 43 upvotes, $1120
  24. Open redirect on https://hq-api.upserve.com/ to Upserve - 42 upvotes, $1000
  25. (HackerOne SSO-SAML) Login CSRF, Open Redirect, and Self-XSS Possible Exploitation to HackerOne - 41 upvotes, $0
  26. Open Redirect to Twitter - 40 upvotes, $420
  27. [keybase.io] Open Redirect to Keybase - 39 upvotes, $500
  28. Open redirect vulnerability in index.php to HackerOne - 39 upvotes, $0
  29. Open redirect protection (https://www.pixiv.net/jump.php) is broken for novels to pixiv - 38 upvotes, $200
  30. http://www.nextcloud.com/wp-includes/js/swfupload/swfupload.swf allows open redirect / site defacement to Nextcloud - 37 upvotes, $0
  31. (BYPASS) Open redirect and XSS in supporthiring.shopify.com to Shopify - 36 upvotes, $1000
  32. Open Redirect filter bypass through '' character via URL parameter to Myndr - 36 upvotes, $0
  33. Open Redirect Vulnerability on TikTok Ads Portal to TikTok - 36 upvotes, $0
  34. Host Header Injection leads to Open Redirect and Content Spoofing or Text Injection to Omise - 35 upvotes, $300
  35. Open Redirect on GitLab OAuth leading to Account Takeover to Vercel - 34 upvotes, $0
  36. Open Redirection in [https://www.hackerone.com/index.php] to HackerOne - 32 upvotes, $0
  37. GET based Open redirect on [streamlabs.com/content-hub/streamlabs-obs/search?query=] to Logitech - 31 upvotes, $100
  38. [http2.cloudflare.com] Open Redirect to Cloudflare Vulnerability Disclosure - 31 upvotes, $0
  39. Bypassing Content-Security-Policy leads to open-redirect and iframe xss to Stripo Inc - 31 upvotes, $0
  40. Open Redirect on https://go.bitwala.com/ to Nuri - 29 upvotes, $0
  41. Open redirect in bulk edit to Shopify - 28 upvotes, $500
  42. Open Redirect (verkkopalvelu.lahitapiola.fi) to LocalTapiola - 28 upvotes, $400
  43. Open redirect bypass & SSRF Security Vulnerability to Smule - 28 upvotes, $0
  44. Open Redirect and link spoofing in the VKMA app snippet to VK.com - 27 upvotes, $300
  45. Open Redirect through POST Request in OAuth to Moneybird - 27 upvotes, $50
  46. Open Redirect via login avito.ru | Protection bypass to Avito - 27 upvotes, $0
  47. Open Redirect & Information Disclosure [mijn.werkenbijdefensie.nl] to Radancy - 25 upvotes, $350
  48. Open Redirect at https://oauth.secure.pixiv.net to pixiv - 25 upvotes, $200
  49. [idp.fr.cloud.gov] Open Redirect to GSA Bounty - 25 upvotes, $150
  50. Open Redirection while saving User account Settings to Moneybird - 25 upvotes, $50
  51. Open redirect on the https://tt.hboeck.de to Hanno's projects - 25 upvotes, $0
  52. Open Redirect TO Stealing aadvid to TikTok - 24 upvotes, $500
  53. Open Redirect Protection Bypass to Twitter - 24 upvotes, $280
  54. Open redirect on chaturbate.com (tipping/purchase_success) to Chaturbate - 24 upvotes, $250
  55. Open redirect in semrush.com to Semrush - 23 upvotes, $150
  56. Open redirect on https://signin.rockstargames.com/connect/authorize/rsg to Rockstar Games - 23 upvotes, $150
  57. Open Redirect at *.myshopify.com/account/login?checkout_url= to Shopify - 22 upvotes, $500
  58. Interstitial redirect bypass / open redirect in https://hackerone.com/zendesk_session to HackerOne - 22 upvotes, $500
  59. Open redirect while logging in at https://apps.dev.jupiterone.io can leak access code to LifeOmic - 22 upvotes, $350
  60. Steal any users access_token via open redirect in https://streamlabs.com/global/identity?popup=1&r= to Logitech - 22 upvotes, $200
  61. Open Redirect to Semrush - 22 upvotes, $100
  62. Open redirect at app.goodhire.com via ReturnUrl parameter to Inflection - 21 upvotes, $750
  63. Instant open redirect on Live preview WEB Ide opening to GitLab - 20 upvotes, $1000
  64. CBC "cut and paste" attack may cause Open Redirect(even XSS) to Uber - 20 upvotes, $500
  65. use of unsafe host header leads to open redirect to Rockstar Games - 20 upvotes, $300
  66. Open redirect in https://www.rockstargames.com/GTAOnline/restricted-content/agegate/form may lead to Facebook OAuth token theft to Rockstar Games - 19 upvotes, $750
  67. Open redirect allows changing iframe content in *.myshopify.com/admin/themes/<id>/editor to Shopify - 19 upvotes, $500
  68. Open Redirect through POST Request to Inflection - 18 upvotes, $350
  69. Open redirect in a bot message carousel to VK.com - 18 upvotes, $300
  70. Open Redirection leads to redirect Users to malicious website to Unikrn - 18 upvotes, $50
  71. Open redirection to New Relic - 18 upvotes, $0
  72. Open Redirect on smule.com to Smule - 18 upvotes, $0
  73. Open Redirect (6.0.0 < rails < 6.0.3.2) to Ruby on Rails - 17 upvotes, $1000
  74. Open Redirect to Inflection - 17 upvotes, $350
  75. Open Redirect - www.shopify.com to Shopify - 17 upvotes, $0
  76. Open redirect using checkout_url to Shopify - 16 upvotes, $500
  77. XSS on www.mapbox.com/authorize/ because of open redirect at /core/oauth/auth to Mapbox - 16 upvotes, $500
  78. [intensedebate.com] Open Redirect to Automattic - 16 upvotes, $75
  79. Open redirect on https://blog.fuzzing-project.org to Hanno's projects - 16 upvotes, $0
  80. Open Redirect to Mail.ru - 16 upvotes, $0
  81. Open redirect affecting m.rockstargames.com/ to Rockstar Games - 15 upvotes, $750
  82. Open Redirection Vulnerability in m.vk.com to VK.com - 15 upvotes, $300
  83. Limited Open redirection using SSO-SAML to HackerOne - 15 upvotes, $0
  84. [https://█████████/]&&[https://█████████/] Open Redirection to Lyst - 14 upvotes, $300
  85. Open Redirect on the nl.wordpress.net to WordPress - 14 upvotes, $50
  86. https://xmpp.nextcloud.com///;@www.google.com allows open redirect to Nextcloud - 14 upvotes, $0
  87. Open Redirect on Login Page of Stocky App to Shopify - 14 upvotes, $0
  88. Open redirect on marketing site to Shipt - 13 upvotes, $50
  89. Open Redirect on [My.com] to Mail.ru - 13 upvotes, $0
  90. [apps.shopify.com] Open Redirect to Shopify - 12 upvotes, $500
  91. Reflected XSS and Open Redirect in several parameters (viestinta.lahitapiola.fi) to LocalTapiola - 12 upvotes, $450
  92. Open redirect / Reflected XSS payload in root that affects all your sites (store.starbucks.* / shop.starbucks.* / teavana.com) to Starbucks - 12 upvotes, $375
  93. open redirect in eb9f.pivcac.prod.login.gov to GSA Bounty - 12 upvotes, $150
  94. open redirect in <your_zendesk>.zendesk.com to Zendesk - 12 upvotes, $100
  95. Open redirect on https://werkenbijdefensie.nl/ to Radancy - 12 upvotes, $50
  96. (BYPASS) Open Redirect after login at http://ecommerce.shopify.com to Shopify - 11 upvotes, $500
  97. Open Redirect on slack.com to Slack - 11 upvotes, $500
  98. Open redirect on the mobile version of VKontakte (m.vk.com) to VK.com - 11 upvotes, $300
  99. Open Redirect in unifi.ubnt.com [Controller Finder] to Ubiquiti Inc. - 11 upvotes, $260
  100. Stored open redirect in about page to Flickr - 11 upvotes, $150
  101. Open Redirect located at https://www.robinhood.com/oauth2/authorize/? to Robinhood - 11 upvotes, $100
  102. Goodhire Open Redirect to Inflection - 11 upvotes, $0
  103. Open Redirect In passport.maps.me/logout/?next=//fb.com/ to Mail.ru - 11 upvotes, $0
  104. Open redirect on rush.uber.com, business.uber.com, and help.uber.com to Uber - 10 upvotes, $500
  105. Open Redirect bypass and cookie leakage on www.lahitapiola.com to LocalTapiola - 10 upvotes, $400
  106. Open redirect in securegatewayaccess.com / secure.chaturbate.com via prejoin_data parameter to Chaturbate - 10 upvotes, $250
  107. [hekto] open redirect when target domain name is used as html filename on server to Node.js third-party modules - 10 upvotes, $0
  108. Open Redirect On Your Login Panel to Zomato - 10 upvotes, $0
  109. Open redirect open.rocket.chat/file-upload/ID/filename.svg to Rocket.Chat - 10 upvotes, $0
  110. Open redirect by the parameter redirectUri in the URL to BlackRock - 10 upvotes, $0
  111. Open redirection in OAuth to Shopify - 9 upvotes, $500
  112. Open Redirect in m.uber.com to Uber - 9 upvotes, $500
  113. Open Redirect in riders.uber.com to Uber - 9 upvotes, $500
  114. Open redirect GET-Based on https://www.flickr.com/browser/upgrade/?continue= to Flickr - 9 upvotes, $150
  115. [admin.c2fo.com] Open Redirect to C2FO - 9 upvotes, $0
  116. Open redirection in OAuth to Shopify - 9 upvotes, $0
  117. [Fix Bypass #541631] Open redirect on Signup to Vercel - 9 upvotes, $0
  118. Open Redirect in the Path of vendhq.com to Vend VDP - 9 upvotes, $0
  119. Open Redirect on Greater Asia domains to Starbucks - 9 upvotes, $0
  120. Open Redirect in www.shopify.dev Environment to Shopify - 9 upvotes, $0
  121. Open redirect in "Language change" to HackerOne - 8 upvotes, $500
  122. Open Redirection on Uber.com to Uber - 8 upvotes, $500
  123. Open redirection protection bypass (/cs/Satellite) to LocalTapiola - 8 upvotes, $400
  124. Open redirect helps to steal Facebook access_token to Bumble - 8 upvotes, $153
  125. Open Redirect in <customer>.greenhouse.io to Greenhouse.io - 8 upvotes, $100
  126. Open Redirection Found in users.whisper.sh to Whisper - 8 upvotes, $30
  127. Open redirect vulnerability to Slack - 8 upvotes, $0
  128. [zaption.com] Open Redirect to Zaption - 8 upvotes, $0
  129. [parc.informatica.com] Reflected Cross Site Scripting and Open Redirect to Informatica - 8 upvotes, $0
  130. [connect.teavana.com] Open Redirect and abuse of connect.teavana.com to Starbucks - 8 upvotes, $0
  131. Reflected XSS via Unvalidated / Open Redirect in uber.com to Uber - 7 upvotes, $3000
  132. XSS and open redirect in verkkopalvelu.lahitapiola.fi to LocalTapiola - 7 upvotes, $450
  133. [BuddyPress 2.9.1] Open Redirect via "wp_http_referer" parameter on "bp-profile-edit" endpoint to WordPress - 7 upvotes, $275
  134. Open Redirect in meeting.qiwi.com to QIWI - 7 upvotes, $100
  135. Open redirect (DOM-based) on av.ru via "return_url" parameter (Login form) to Azbuka Vkusa - 7 upvotes, $100
  136. [cooking.lady.mail.ru] Open Redirect to Mail.ru - 7 upvotes, $0
  137. Open Redirect in shopify app URL to Shopify - 7 upvotes, $0
  138. Open Redirection on auth.rbk.money to RBKmoney - 7 upvotes, $0
  139. Open redirection in https://zeit.co/login?next= to Vercel - 7 upvotes, $0
  140. Open Redirect in comment section to ExpressionEngine - 7 upvotes, $0
  141. [Bypass] Code injection to open redirect in https://insights.newrelic.com/accounts/2521182/dashboards/1026927 to New Relic - 7 upvotes, $0
  142. Potential Open-Redirection to Ian Dunn - 7 upvotes, $0
  143. Hong Kong - Open Redirect on card.starbucks.com.hk to Starbucks - 7 upvotes, $0
  144. Open redirection bypass in /www/admin/campaign-modify.php to Revive Adserver - 7 upvotes, $0
  145. Open Redirect on https://██.8x8.com/login?nextPage=%2F to 8x8 - 7 upvotes, $0
  146. Open Redirect possible in https://www.shopify.com/admin/ to Shopify - 6 upvotes, $500
  147. Open redirection on login to New Relic - 6 upvotes, $0
  148. [rabota.mail.ru] Open Redirect to Mail.ru - 6 upvotes, $0
  149. [ml.money.mail.ru] Open Redirect to Mail.ru - 6 upvotes, $0
  150. [qpt.mail.ru] CRLF Injection / Open Redirect to Mail.ru - 6 upvotes, $0
  151. Open Redirection at https://it.mail.ru/ to Mail.ru - 6 upvotes, $0
  152. Open Redirect at "city-mobil.ru" to Mail.ru - 6 upvotes, $0
  153. Open Redirect and CRLF Injection Leads to XSS on [app.doma.uchi.ru] to Mail.ru - 6 upvotes, $0
  154. OPEN REDIRECT to Nutanix - 6 upvotes, $0
  155. Open Redirector via (apps/files_pdfviewer) for unauthenticated users to ownCloud - 5 upvotes, $150
  156. [status.zopim.com] Open Redirect to Zendesk - 5 upvotes, $100
  157. Open Redirect vulnerability in moneybird.com to Moneybird - 5 upvotes, $50
  158. [skyliner.io / qa.skyliner.io] Open Redirect to Skyliner - 5 upvotes, $0
  159. Open Redirect in a DoD website to U.S. Dept Of Defense - 5 upvotes, $0
  160. Open Redirect to Mail.ru - 5 upvotes, $0
  161. Open-redirect on login.xero.com to Xero - 5 upvotes, $0
  162. Open Redirect to Mail.ru - 5 upvotes, $0
  163. Open redirect while disconnecting authenticated account to Weblate - 5 upvotes, $0
  164. Open redirect while disconnecting Email to Weblate - 5 upvotes, $0
  165. Open redirects protection bypass to ExpressionEngine - 5 upvotes, $0
  166. Open redirect vulnerability in a DoD website to U.S. Dept Of Defense - 5 upvotes, $0
  167. Open redirect deceive in hackerone.com via another open redirect link to HackerOne - 5 upvotes, $0
  168. open redirect in rfc6749 to Internet Bug Bounty - 4 upvotes, $3000
  169. Open Redirect after login at http://ecommerce.shopify.com to Shopify - 4 upvotes, $500
  170. [qiwi.com] Open Redirect to QIWI - 4 upvotes, $150
  171. Unvalidated / Open Redirect to Zendesk - 4 upvotes, $100
  172. Open-redirect on paragonie.com to Paragon Initiative Enterprises - 4 upvotes, $50
  173. Open redirection bypass to New Relic - 4 upvotes, $0
  174. [marketplace.informatica.com] Open Redirect to Informatica - 4 upvotes, $0
  175. Login Open Redirect to New Relic - 4 upvotes, $0
  176. [Repository Import] Open Redirect via "continue[to]" parameter to GitLab - 4 upvotes, $0
  177. Cross Site Scripting and Open Redirect in affiliate-preview.php file to Revive Adserver - 4 upvotes, $0
  178. Open Redirect at https://www.nutanix.com/tw/login via icid parameter to Nutanix - 4 upvotes, $0
  179. Reflected XSS and Open Redirect (verkkopalvelu.lahitapiola.fi) to LocalTapiola - 3 upvotes, $400
  180. Open Redirection In connect.identity.stagaws.visma.com to Visma Public - 3 upvotes, $100
  181. CPU utilization 99% on visiting wordpress site url & open redirect found to Automattic - 3 upvotes, $75
  182. WebSummit - Open Redirect to WebSummit - 3 upvotes, $0
  183. Open redirection to New Relic - 3 upvotes, $0
  184. Open redirection bypass to New Relic - 3 upvotes, $0
  185. [api.login.icq.net] Open Redirect to Mail.ru - 3 upvotes, $0
  186. [it.mail.ru] Open Redirect to Mail.ru - 3 upvotes, $0
  187. Open Redirect to New Relic - 3 upvotes, $0
  188. Open redirect to GitLab - 3 upvotes, $0
  189. Open Redirect via "next" parameter in third-party authentication to Weblate - 3 upvotes, $0
  190. Open redirect on sign in to Coinbase - 3 upvotes, $0
  191. [tanks.mail.ru] Open Redirect to Mail.ru - 3 upvotes, $0
  192. Open redirect in switch account functionality to Revive Adserver - 3 upvotes, $0
  193. Open Redirect leak of authenticity_token leads to full account takeover to Twitter - 2 upvotes, $1400
  194. Trick make all fixed open redirect links vulnerable again to Slack - 2 upvotes, $1000
  195. Open-redirect on hackerone.com to HackerOne - 2 upvotes, $500
  196. Host Header is not validated resulting in Open Redirect to IRCCloud - 2 upvotes, $100
  197. Open redirect - user interaction needed (verkkopalvelu.lahitapiola.fi/e2/..) - based on #179328 to LocalTapiola - 2 upvotes, $100
  198. Open Redirection in SmartHistory KhanAcademy to Khan Academy - 2 upvotes, $0
  199. Open Redirect via Request-URI to Yahoo! - 2 upvotes, $0
  200. XSS and Open Redirect on https://jobs.dubizzle.com/ to OLX - 2 upvotes, $0
  201. open redirection at login to New Relic - 2 upvotes, $0
  202. Open redirect in Signing in via Social Sites to Weblate - 2 upvotes, $0
  203. owncloud.com open redirect to ownCloud - 2 upvotes, $0
  204. OPEN REDIRECTION at every 302 HTTP CODE to Brave Software - 2 upvotes, $0
  205. Open redirect in Serendipity (exit.php) to Hanno's projects - 2 upvotes, $0
  206. China - Open redirect at trackinghub.starbucks.com.cn to Starbucks - 2 upvotes, $0
  207. Open redirection on secure.phabricator.com to Phabricator - 1 upvote, $400
  208. Open redirection in fabric.io to Twitter - 1 upvote, $280
  209. Open Redirect login account to Slack - 1 upvote, $100
  210. Open redirect filter bypass to Zaption - 1 upvote, $25
  211. Yahoo open redirect using ad to Yahoo! - 1 upvote, $0
  212. https://www.khanacademy.org/login open-redirect to Khan Academy - 1 upvote, $0
  213. open redirect in https://slack.com to Slack - 1 upvote, $0
  214. Open Redirection to Urban Dictionary - 1 upvote, $0
  215. Open redirect and reflected XSS in http://youthvoices.adobe.com/community?return_url=[payload here] to Adobe - 1 upvote, $0
  216. Open Redirect on [blog.wavecell.com] to 8x8 - 1 upvote, $0
  217. Open redirect in ck.php and lg.php to Revive Adserver - 1 upvote, $0
  218. Vulnerability Name: URL Redirection / Unvalidated Open Redirect to Reddit - 1 upvote, $0
  219. open redirect sends authenticity_token to any website or (ip address) to Twitter - 0 upvotes, $560
  220. Open Redirect to WePay - 0 upvotes, $300
  221. OAuth open redirect to Respondly - 0 upvotes, $0
  222. Open redirect on tw.money.yahoo.com to Yahoo! - 0 upvotes, $0
  223. open redirect to RelateIQ - 0 upvotes, $0
  224. Open Redirect in Slack to Slack - 0 upvotes, $0
  225. Open Redirect in WordPress Feed Statistics {Affected All Versions} to Automattic - 0 upvotes, $0
  226. oauth redirect uri validation bug leads to open redirect and account compromise to WePay - 0 upvotes, $0
  227. Open Redirection Security Filter bypassed to Vimeo - 0 upvotes, $0
  228. Open redirect in fastify-static via mishandled user's input when attempt to redirect to Fastify - 0 upvotes, $0