Open redirectors usually use GET requests rather than unsafe methods.
Adam
On Feb 7, 2012 9:39 AM, "Chris Weber" <chris@lookout.net> wrote:
> On 2/7/2012 9:21 AM, Julian Reschke wrote:
> > Clarifying: "Open" means that the target of the redirect actually
> > depends on something the request contains, such as a query parameter,
> > right?
>
> True, that's the most common case. An example would be -
> http://www.example.com/redir?target=http://foo.bar - where the query
> parameter named 'target' has a user-controlled value which gets used
> (most commonly) in an HTTP 302 redirect's 'Location' header.
>
> ---- REQUEST ----
>
> GET /redir?target=http://foo.bar HTTP/1.1
> Host: www.example.com
>
> ---- RESPONSE ----
>
> HTTP/1.1 302 Found
> Location: http://foo.bar/
>
>
>
> -CW
>
>