Redirect Endpoint
How to use the redirect endpoint
goshs can serve HTTP 3xx redirects via a special URL query parameter. This is useful in penetration testing and CTF scenarios where you want to redirect a victim’s browser or server-side request to an arbitrary target — for example when testing open-redirect vulnerabilities or chaining SSRF attacks.
Triggering a redirect
Append ?redirect to any goshs URL and provide the target via ?url=:
http://<your-ip>:8000/?redirect&url=https://example.comgoshs will respond with an HTTP 302 redirect to https://example.com.
Choosing the status code
Use ?status= to select any 3xx response code (301, 302, 303, 307, 308, etc.). Defaults to 302 if omitted.
http://<your-ip>:8000/?redirect&url=https://example.com&status=301Adding custom response headers
Zero or more ?header= values can be appended. Each value must be in Name: Value format:
http://<your-ip>:8000/?redirect&url=https://example.com&header=X-Custom: foo&header=Cache-Control: no-storeFull example
$ curl -v 'http://dns.hesec.de:8000/?redirect&url=https://example.com&status=301&header=X-Custom:%20foo'
* Host dns.hesec.de:8000 was resolved.
* IPv6: (none)
* IPv4: <redacted>
* Trying <redacted>:8000...
* Connected to dns.hesec.de (redacted) port 8000
* using HTTP/1.x
> GET /?redirect&url=https://example.com&status=301&header=X-Custom:%20foo HTTP/1.1
> Host: dns.hesec.de:8000
> User-Agent: curl/8.14.1
> Accept: */*
>
* Request completely sent off
< HTTP/1.1 301 Moved Permanently
< Content-Type: text/html; charset=utf-8
< Location: https://example.com
< Server: goshs/v2.0.0 (linux; go1.24.1)
< X-Custom: foo
< Date: Mon, 13 Apr 2026 12:17:01 GMT
< Content-Length: 54
<
<a href="https://example.com">Moved Permanently</a>.
* Connection #0 to host dns.hesec.de left intactError handling
| Condition | HTTP status |
|---|---|
?url= parameter missing |
400 Bad Request |
?status= is not a 3xx code |
400 Bad Request |
Malformed ?header= value (missing : ) |
400 Bad Request |
Notes
- The redirect endpoint is available on the standard HTTP/HTTPS port — no additional flag is needed to enable it.
- Redirect events are logged and emitted as collaboration events (visible in verbose output).
- Authentication and TLS settings apply to the redirect endpoint just as they do to all other goshs routes.