Bypass Open Redirection Protection Via Google Sites [BugBounty writeup]

Hi Everyone!

Peace, mercy and blessings of God be upon you

I'm Ahmed Salah Abdalhfaz (Elsfa7–110)

Today I will talk about a vulnerability that I discovered on January 6th, 2021

Let us consider the site as
Let's dive in!

What is an Open-redirection Vulnerability?

Unvalidated redirects and forwards are possible when a web application accepts untrusted input that causes it to redirect the request to a URL contained in that input. By modifying the untrusted URL input to point at a malicious site, an attacker may successfully launch a phishing scam and steal user credentials. An example of a vulnerable website link could look something like this:

An attacker could manipulate the url= parameter to send a victim to a fake page crafted by the attacker:

Let’s go to the bug

For this vulnerability I used a simple bypass and a logic-based solution.

The vulnerable URL was

After several attempts with an (open Redirect Payload List),
no payload could bypass the protection.

After some examination, it became clear that the site accepts redirection to only a few sites,
including, which means that it uses a whitelist to protect against open redirect attacks.


Now we need a trick so we can exploit it.
After a while of thinking: oh, there is an easier and simpler solution.
Google provides a Google Sites service

through which a hosted page can redirect the visitor to any other site or embed external pages, and so carry out some attacks.

Let's try:
1- Create a simple website on
2- Make an iframe to any harmful site (I used, and thus the attack succeeded in transferring the visitor to a dangerous site; an attacker could also make a fake sign-in form or anything else dangerous (Google Sites allows including pages from external links). An attacker can host any site on Google Sites.

In this way, we can use a Google subdomain (

For example:

Now simply changing the "r" value to

successfully bypasses the open redirection protection.
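The root cause described above is a whitelist that trusts a whole domain while one of that domain's subdomains (Google Sites) serves arbitrary user-authored pages. The following is an added example written for this write-up, not code from the affected site or from Google; the allowlist entries, the `weak_is_safe_redirect` suffix-match logic and the `USER_CONTENT_HOSTS` set are assumptions chosen to illustrate the weak check beside a stricter one. It shows why matching on a domain suffix lets a user-content host through, and how an exact-hostname allowlist that also denies known user-content hosts closes that gap.

```python
from urllib.parse import urlparse

# Constructed allowlist for illustration only; these are hypothetical
# entries, not the real configuration of the site in the write-up.
ALLOWED_HOSTS = {
    "www.example.com",
    "example.com",
    "accounts.google.com",
}

# Hosts on an otherwise trusted domain that serve pages written by
# arbitrary users. Any such host must never be a redirect target,
# because the page content is attacker-controlled.
USER_CONTENT_HOSTS = {
    "sites.google.com",
}

# Assumed form of the weak check: accept any host that is, or is a
# subdomain of, a trusted domain. "sites.google.com" passes because it
# ends with ".google.com".
TRUSTED_DOMAIN_SUFFIXES = ("example.com", "google.com")


def weak_is_safe_redirect(url: str) -> bool:
    host = urlparse(url).hostname or ""
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAIN_SUFFIXES)


def strict_is_safe_redirect(url: str) -> bool:
    """Exact-hostname allowlist with scheme check and user-content deny list."""
    parts = urlparse(url)
    # Reject javascript:, data:, scheme-relative (//host) and similar.
    if parts.scheme not in ("http", "https"):
        return False
    # .hostname drops userinfo and port and lowercases, so
    # "https://www.example.com@evil.example/" yields "evil.example".
    host = parts.hostname or ""
    if host in USER_CONTENT_HOSTS:
        return False
    return host in ALLOWED_HOSTS


def classify(urls):
    """Return {url: (weak_verdict, strict_verdict)} for a batch of candidates."""
    return {u: (weak_is_safe_redirect(u), strict_is_safe_redirect(u)) for u in urls}


if __name__ == "__main__":
    # Constructed sample redirect targets, not values taken from the write-up.
    samples = [
        "https://www.example.com/home",
        "https://accounts.google.com/signin",
        "https://sites.google.com/view/some-user-page",
        "//sites.google.com/view/some-user-page",
        "https://www.example.com@evil.example/",
        "javascript:alert(1)",
    ]
    for url, (weak, strict) in classify(samples).items():
        print(f"{url:45s} weak={weak!s:5s} strict={strict}")
```

The practical takeaway for the defender is that an allowlist entry is a hostname, not a domain: every host that serves content controlled by third parties (site builders, storage buckets, blog platforms) has to be excluded explicitly, and the comparison must be made on the parsed hostname rather than on a substring of the raw URL.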

Thanks for reading!

Happy Hacking ;)

Please don't forget to follow me on Twitter to see new blogs from me on, and if you have any comments, send them to me too. Thanks. Feel free to connect with me if you have anything.