Fortunately, redirection to a file: URL will result in a browser error. Unfortunately, the browser does not explain what is wrong (although the redirect can be viewed in the developer tools, you might not know to look there, and it still doesn't have an error message to explain the problem).
While that is true for modern browsers, some backend http client libraries will follow the redirects. So; if you have a system that given an URL that fetches + displays the content, and you use a service that issues redirects to things like the AWS metadata service, or file:///etc/passwd --- well, the backend library is gonna redirect to the bad place, if it only checks the initially submitted url.
I found a couple of fun tricks you can do with this (for some definition of "fun" anyway).
Go's http.Redirect function allows non-3xx statuses, and also renders a trivial page with a status message and link:
https://301party.com/451?url=javascript:alert(%27hello%27)
Alas not infinitely recursive but enough to make your browser give up:
https://301party.com/301?url=/301?url=/301?url=/301?url=/301...
[edit to add:] https://301party.com/0 causes a panic
I'm so used to getting 451's that the example flew right over my head. First reaction was, "ugh this again [reaches for vpn]".
Is there a bug bounty? I found an open redirect.
I think you can report them here: http://localhost.301party.com
It can be nice to have an address that is guaranteed to be one or the other.
Created by wtfismyip.com - had a good laugh
Also of interest: https://redirect.pizza/
Can someone explain what this is?
A simple utility to test 301 redirects in your project.
Fortunately, redirection to a file: URL will result in a browser error. Unfortunately, the browser does not explain what is wrong (although the redirect can be viewed in the developer tools, you might not know to look there, and it still doesn't have an error message to explain the problem).
While that is true for modern browsers, some backend http client libraries will follow the redirects. So; if you have a system that given an URL that fetches + displays the content, and you use a service that issues redirects to things like the AWS metadata service, or file:///etc/passwd --- well, the backend library is gonna redirect to the bad place, if it only checks the initially submitted url.
Couple of s/redirct/redirect typos
"You cannot add 127.0.0.1 or localhost as a callback URL"
...watch me.
I was wondering about use cases for this, this makes so much sense now.