A fast, modern open redirect vulnerability scanner written in Go using ChromeDP for headless browser automation.
- Modern Stack: Built with Go and ChromeDP (headless Chrome)
- Fast Scanning: Concurrent workers for parallel testing
- Docker Support: Pre-configured Docker setup for easy deployment
- Customizable: Flexible payload lists and configurable options
- Real Browser: Uses actual Chrome for accurate redirect detection
- Custom Test Domains: Specify your own domains for redirect detection
- Authentication Support: Test authenticated endpoints with cookies and custom headers
- JSON Output: Structured output format for integration with other tools
- Proxy Support: Route traffic through HTTP/HTTPS/SOCKS5 proxies
- Progress Bar: Real-time visual progress indicator during scans
- Simple: Easy to use CLI interface
Based on the original idea from @ak1t4's open-redirect-scanner.
This tool has been completely rewritten in Go with modern browser automation to replace the deprecated CasperJS/PhantomJS stack.
The tool:
- Reads target URLs from a file
- Appends payloads from a payload list to each URL
- Uses headless Chrome to navigate and detect redirects
- Identifies successful redirects to test domains (google.com, example.com)
- Logs vulnerable URLs to an output file
- Docker
- Docker Compose (optional, for easier management)
- Clone the repository
    git clone https://github.com/random-robbie/open-redirect.git
    cd open-redirect
- Create your URLs file
    # Copy the example file
    cp data/urls.txt.example data/urls.txt
    # Edit with your target URLs
    nano data/urls.txt
- Run the scanner
    docker-compose up --build
- View results
    cat data/found.txt
# Build the image
docker build -t open-redirect .
# Run the scanner
docker run -v $(pwd)/data:/app/data open-redirect \
-urls /app/data/urls.txt \
-payloads /app/payloads.txt \
-output /app/data/found.txt \
-workers 10 \
-verbose
- Go 1.21 or later
- Chrome or Chromium browser
# Clone the repository
git clone https://github.com/random-robbie/open-redirect.git
cd open-redirect
# Download dependencies
go mod download
# Build the binary
go build -o open-redirect main.go
# Basic usage
./open-redirect -urls urls.txt -payloads payloads.txt
# With custom options
./open-redirect \
-urls urls.txt \
-payloads payloads.txt \
-output results.txt \
-workers 10 \
-timeout 30 \
-verbose

| Flag | Default | Description |
|---|---|---|
| -urls | urls.txt | File containing target URLs to test |
| -payloads | payloads.txt | File containing redirect payloads |
| -output | found.txt | Output file for vulnerable URLs |
| -workers | 5 | Number of concurrent workers |
| -timeout | 30 | Timeout in seconds for each request |
| -verbose | false | Enable verbose output |
| -json | false | Output results in JSON format |
| -domains | (default list) | Comma-separated list of custom test domains |
| -cookies | (none) | Cookies in format 'name1=value1; name2=value2' |
| -headers | (none) | Custom headers in format 'Header1: Value1; Header2: Value2' |
| -proxy | (none) | Proxy URL (e.g., 'http://proxy.example.com:8080') |

Create a file with target URLs (one per line):
https://example.com/redirect?url=
https://target.com/forward?dest=
https://site.com/goto?target=
The repository includes a comprehensive payload list. You can also create your own:
//google.com
https://google.com
//example.com
@google.com
The tool identifies successful open redirects by checking if the final URL starts with:
- http://google.com or https://google.com
- http://example.com or https://example.com
You can modify the testDomains variable in main.go to add your own test domains.
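The prefix check described above, next to a host-based comparison, as an added example (not code from main.go): `prefixMatch` follows the README's description, while `hostMatch` and the final URLs it is run on are assumptions made for illustration. It shows where the two disagree: a `www.` subdomain of a test domain and a look-alike host that merely begins with the test domain's name.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// prefixMatch is the check as the README describes it: the final URL
// starts with one of the test domains.
func prefixMatch(finalURL string, testDomains []string) bool {
	for _, d := range testDomains {
		if strings.HasPrefix(finalURL, d) {
			return true
		}
	}
	return false
}

// hostMatch is a hypothetical stricter variant: parse both URLs and accept
// only the test domain's exact hostname or one of its subdomains.
func hostMatch(finalURL string, testDomains []string) bool {
	f, err := url.Parse(finalURL)
	if err != nil || (f.Scheme != "http" && f.Scheme != "https") {
		return false
	}
	host := strings.ToLower(f.Hostname())
	for _, d := range testDomains {
		t, err := url.Parse(d)
		if err != nil || t.Hostname() == "" {
			continue
		}
		want := strings.ToLower(t.Hostname())
		if host == want || strings.HasSuffix(host, "."+want) {
			return true
		}
	}
	return false
}

func main() {
	domains := []string{"https://google.com", "https://example.com"}
	// Constructed final URLs: exact match, www subdomain, look-alike host.
	for _, u := range []string{"https://google.com/", "https://www.google.com/", "https://google.com.example.net/"} {
		fmt.Printf("%-34s prefix=%-5v host=%v\n", u, prefixMatch(u, domains), hostMatch(u, domains))
	}
}
```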
The tool features a real-time progress bar that shows scan progress:
[*] ***************************************[*]
[*] Open Redirect Finder By @Random_Robbie [*]
[*] Rewritten in Go + ChromeDP [*]
[*] ***************************************[*]
[*] Test domains: [http://google.com https://google.com http://example.com https://example.com]
[*] Loaded 10 URLs and 504 payloads
[*] Using 5 concurrent workers
[*] Starting scan...
[*] Testing URLs... [=====> ] 35% (1764/5040)
[*]*****Open Redirect Found*****[*]
[*] https://vulnerable.com/redirect?url=//google.com [*]
[*] Redirects to: https://google.com [*]
[*] Timestamp: 2024-01-15T10:32:15Z [*]
[*] Testing URLs... [==================>] 100% (5040/5040)
[*] Scan complete!
[*] Found 3 vulnerable URLs
[*] Results saved to: found.txt
The progress bar displays:
- Current completion percentage
- Number of tests completed vs total
- Visual progress indicator with color coding
- Automatically clears when printing vulnerability findings
Vulnerable URLs are saved one per line:
https://vulnerable.com/redirect?url=//google.com
https://target.com/forward?dest=https://example.com
You can set environment variables in docker-compose.yml:
environment:
  - WORKERS=10
  - TIMEOUT=60
The included payloads.txt contains 500+ bypass techniques. Add your own:
echo "//your-domain.com" >> payloads.txt
# Increase workers for faster scanning
./open-redirect -urls large-list.txt -workers 20
# Increase timeout for slow targets
./open-redirect -urls urls.txt -timeout 60
./open-redirect -urls urls.txt -output /path/to/results.txt
# See all requests, including non-vulnerable ones
./open-redirect -urls urls.txt -verbose
By default, the tool checks for redirects to google.com and example.com. You can specify your own test domains:
# Use custom domains for detection
./open-redirect \
-urls urls.txt \
-domains "https://evil.com,http://attacker.com,https://test.com"
This is useful when:
- Testing with your own controlled domains
- Verifying specific redirect targets
- Using domains you control for bug bounty testing
Generate structured JSON output for integration with other tools:
# Output results in JSON format
./open-redirect -urls urls.txt -json -output results.json
JSON output includes:
- Scan metadata (start time, end time, total tests)
- Complete results with timestamps
- Structured data for easy parsing
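One way to consume this output for triage, as an added example that is not part of the project: it collapses many payload hits on the same parameter into a single finding. The field names come from the example JSON output in this README; the sample report, the placeholder host app.example.org and the function name `affectedParams` are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"strings"
)

// report mirrors the result fields of the JSON output shown in this README.
type report struct {
	Results []struct {
		TestURL    string `json:"test_url"`
		Vulnerable bool   `json:"vulnerable"`
	} `json:"results"`
}

// Constructed sample in the documented layout; app.example.org is a placeholder.
const sample = `{"scan_info":{"total_tests":4,"vulnerable_count":3},"results":[
 {"test_url":"https://app.example.org/redirect?url=//google.com","final_url":"https://google.com","vulnerable":true},
 {"test_url":"https://app.example.org/redirect?url=https://google.com","final_url":"https://google.com","vulnerable":true},
 {"test_url":"https://app.example.org/go?lang=en&dest=//example.com","final_url":"https://example.com","vulnerable":true},
 {"test_url":"https://app.example.org/go?lang=en&dest=@google.com","final_url":"https://app.example.org/go","vulnerable":false}]}`

// affectedParams returns one "host/path?param" entry per vulnerable parameter, in
// first-seen order. Heuristic: the payload was appended, so the last parameter carried it.
func affectedParams(raw []byte) ([]string, error) {
	var r report
	if err := json.Unmarshal(raw, &r); err != nil {
		return nil, err
	}
	var out []string
	seen := map[string]bool{}
	for _, res := range r.Results {
		u, err := url.Parse(res.TestURL)
		if !res.Vulnerable || err != nil {
			continue
		}
		last := u.RawQuery[strings.LastIndex(u.RawQuery, "&")+1:]
		name, _, _ := strings.Cut(last, "=")
		if key := u.Host + u.Path + "?" + name; !seen[key] {
			seen[key] = true
			out = append(out, key)
		}
	}
	return out, nil
}

func main() { fmt.Println(affectedParams([]byte(sample))) }
```

The last-parameter heuristic misattributes a hit when the payload itself contains `&`; cross-check against urls.txt in that case.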
Example JSON output:
{
"scan_info": {
"start_time": "2024-01-15T10:30:00Z",
"end_time": "2024-01-15T10:35:00Z",
"total_tests": 5040,
"vulnerable_count": 3
},
"results": [
{
"test_url": "https://example.com/redirect?url=//google.com",
"final_url": "https://google.com",
"vulnerable": true,
"timestamp": "2024-01-15T10:32:15Z"
}
]
}
Test authenticated endpoints by providing session cookies:
# Single cookie
./open-redirect \
-urls urls.txt \
-cookies "session=abc123def456"
# Multiple cookies
./open-redirect \
-urls urls.txt \
-cookies "session=abc123; csrf_token=xyz789; user_id=12345"
Add custom HTTP headers for authentication or other purposes:
# Single header
./open-redirect \
-urls urls.txt \
-headers "Authorization: Bearer token123"
# Multiple headers
./open-redirect \
-urls urls.txt \
-headers "Authorization: Bearer token123; X-API-Key: key456; X-Custom: value"
Use both cookies and headers together:
./open-redirect \
-urls urls.txt \
-cookies "session=abc123; user=admin" \
-headers "Authorization: Bearer token123; X-CSRF-Token: xyz789"
Route traffic through a proxy for:
- Corporate network requirements
- Additional anonymity
- Traffic inspection/debugging
# HTTP proxy
./open-redirect \
-urls urls.txt \
-proxy "http://proxy.company.com:8080"
# HTTPS proxy
./open-redirect \
-urls urls.txt \
-proxy "https://secure-proxy.com:443"
# SOCKS5 proxy
./open-redirect \
-urls urls.txt \
-proxy "socks5://127.0.0.1:1080"
Using all features together:
./open-redirect \
-urls urls.txt \
-payloads custom-payloads.txt \
-output results.json \
-workers 15 \
-timeout 45 \
-json \
-verbose \
-domains "https://attacker.com,http://evil.com" \
-cookies "session=abc123; user=admin" \
-headers "Authorization: Bearer token123; X-API-Key: key456" \
-proxy "http://proxy.company.com:8080"
- Only test applications you own or have explicit written permission to test
- Use for bug bounty programs with proper authorization
- Use for penetration testing engagements
- Unauthorized testing may be illegal in your jurisdiction
- The authors are not responsible for misuse of this tool
Always ensure you have proper authorization before testing any application.
If running locally and Chrome is not in the system PATH:
# Linux
export CHROME_BIN=/usr/bin/chromium
# macOS
export CHROME_BIN="/Applications/Google Chrome.app/Contents/MacOS/Google Chrome"
# Fix permissions on data directory
chmod -R 777 data/
Increase the timeout value:
./open-redirect -urls urls.txt -timeout 60
If you're upgrading from the old Python/CasperJS version:
- Your existing payloads.txt file will work as-is
- Create a new urls.txt with your target URLs
- Use Docker for the easiest setup (no need to install dependencies)
- The output format remains compatible
- Python + CasperJS: ~5-10 URLs/minute (single-threaded)
- Go + ChromeDP: ~50-100+ URLs/minute (with 10 workers)
Actual performance depends on network conditions and target response times.
Contributions are welcome! Please see CONTRIBUTING.md for guidelines.
# Clone the repo
git clone https://github.com/random-robbie/open-redirect.git
cd open-redirect
# Install dependencies
go mod download
# Run tests (if available)
go test ./...
# Build
go build -o open-redirect main.go
- Add support for custom test domains via CLI flag ✅
- Implement authentication support (cookies, headers) ✅
- Add JSON output format ✅
- Support for proxy configuration ✅
- Add progress bar for long scans ✅
- Create comprehensive test suite
- Add rate limiting options
- Add CI/CD pipeline
- Performance benchmarking
- Support for loading cookies/headers from file
- Implement retry logic for failed requests
- Add option to disable progress bar for CI/CD
See LICENSE file for details.
- Original Concept: @ak1t4
- Original Python Version: @Random_Robbie
- Go Rewrite: @Random_Robbie
- Browser Automation: ChromeDP
Star ⭐ this repository if you find it useful!
