Try an IDN homograph attack (https://hackerone.com/reports/861940).
URL-encode the payload.
Look at the references for more payloads.

Bypasses:

//www.evil.com
(You can add this as a parameter or append it to the end of the URL)

https://legit.com/%2F%2F%2fbing.com%2F%3fwww.omise.co
(URL)

[email protected]
(Parameter)

http://evil.com\legit.com/../../../
(Parameter)

https://legit.com/http://evil.com
(URL)

/\google.com
(Parameter)

http://www.legit.com///;@evil.com
(URL)

https://dev.twitter.com/web/sign-inhttps://dev.twitter.com/http://www.bywalks.com/
(URL) (IDK how this works)

/\/\malicious-site.com
(Parameter)