bp 开放重定向

检查：https://www.bugbountyhunter.com/vulnerability/?type=open_redirect
检查：https://portswigger.net/web-security/ssrf#bypassing-ssrf-filters-via-open-redirection
检查：https://portswigger.net/web-security/dom-based/open-redirection/lab-dom-open-redirection

Lab: DOM-based open redirection
https://portswigger.net/web-security/dom-based/open-redirection/lab-dom-open-redirection

找到审查元素（注意DOM型不是找源代码）中的DOM接收器

控制台：debug

var returnUrl = /url=(https?:\/\/.+)/.exec(location);  
console.log("URL Match:", returnUrl);  // 查看匹配结果  
var returnUrl = urlMatch ? urlMatch[1] : "/";  
console.log("Return URL:", returnUrl);  // 查看最终重定向的 URL  
location.href = returnUrl;   //所以就开放重定向了

主要接收器：

location
location.host
location.hostname
location.href
location.pathname
location.search
location.protocol
location.assign()
location.replace()
open()
element.srcdoc
XMLHttpRequest.open()
XMLHttpRequest.send()
jQuery.ajax()
$.ajax()