CRX id
nhidgdjfenjgfkebimhdanbfipgfacpl
nhidgdjfenjgfkebimhdanbfipgfacpl
Description from extension meta
Automated, safe scanner for Open Redirect vulnerabilities. Does not follow redirects; records Location/meta/JS evidence.
Image from store
Description from store
Orion Open Redirect Hunter automates manual tests for Open Redirect (Unvalidated Redirects/Forwards) in web apps.
It injects benign, controlled payloads pointing to example.com and never follows redirects. Instead, it observes:
HTTP 3xx Location headers
HTML meta refresh tags
JavaScript redirects (location.href, location.assign, location.replace)
If a redirect to the canary destination is detected, the tool flags the URL as vulnerable and records clear evidence.
Why it’s safe
No redirect following: requests are issued with redirect handling disabled
Benign payloads only (https://example.com, //example.com, and encoded variants)
Timeouts & optional rate limiting to avoid stressing targets
No third-party services: everything runs locally in your browser
Key features
Test one or many URLs (paste multiple; one per line)
Auto-detect common redirect parameters (next, redirect_uri, returnTo, etc.) or specify your own
Choose GET or HEAD, set timeout and delay between requests
View results inline and Export JSON with full evidence (status, header, mechanism)
Clear legal/ethical banner; intended for authorized testing only
Typical use cases
Security reviews of login flows, OAuth/OIDC callbacks, and post-login redirect chains
AppSec CI/spot checks during release hardening
Bug bounty triage and validation
How it works (high level)
You paste URLs to scan
The tool sets candidate redirect parameters to benign URLs (and encoded variants)
It sends requests with redirect=manual and inspects response headers and HTML
Findings are displayed and can be exported as JSON
Notes
Only test systems you own or have permission to assess
You may need to whitelist targets in your testing scope and follow responsible disclosure practices
open redirect, unvalidated redirect, redirect_uri, OAuth, OIDC, AppSec, bug bounty, security testing, Location header, meta refresh, JavaScript redirect, penetration testing (authorized)