I found a couple of fun tricks you can do with this (for some definition of "fun... | Hacker News

Hacker Newsnew | past | comments | ask | show | jobs | submit

rlk 10 months ago | parent | context | favorite | on: 301party.com: Intentionally open redirect

I found a couple of fun tricks you can do with this (for some definition of "fun" anyway).

Go's http.Redirect function allows non-3xx statuses, and also renders a trivial page with a status message and link:

https://301party.com/451?url=javascript:alert(%27hello%27)

Alas not infinitely recursive but enough to make your browser give up:

https://301party.com/301?url=/301?url=/301?url=/301?url=/301...

[edit to add:] https://301party.com/0 causes a panic

Pyrodogg 10 months ago [–]

I'm so used to getting 451's that the example flew right over my head. First reaction was, "ugh this again [reaches for vpn]".

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact