Adding a lot open redirect tips
MD15
parent
5428e25125
commit
db67aa4646
|
|
@ -1,66 +1,90 @@
|
|||
## Filter Bypass
|
||||
## Open Redirect
|
||||
|
||||
1. Using a whitelisted domain or keyword
|
||||
1. Try change the domain
|
||||
```
|
||||
target.com.evil.com
|
||||
/?redir=evil.com
|
||||
```
|
||||
|
||||
2. Using "//" to bypass "http" blacklisted keyword
|
||||
2. Using a whitelisted domain or keyword
|
||||
```
|
||||
//evil.com
|
||||
/?redir=target.com.evil.com
|
||||
```
|
||||
|
||||
3. Using "https:" to bypass "//" blacklisted keyword
|
||||
3. Using `//` to bypass `http` blacklisted keyword
|
||||
```
|
||||
https:evil.com
|
||||
/?redir=//evil.com
|
||||
```
|
||||
|
||||
4. Using "\/\/" to bypass "//" blacklisted keyword (Browsers see \/\/ as //)
|
||||
4. Using `https:` to bypass `//` blacklisted keyword
|
||||
```
|
||||
\/\/evil.com/
|
||||
/\/evil.com/
|
||||
/?redir=https:evil.com
|
||||
```
|
||||
|
||||
5. Using "%E3%80%82" to bypass "." blacklisted character
|
||||
5. Using `\\` to bypass `//` blacklisted keyword
|
||||
```
|
||||
/?redir=\\evil.com
|
||||
```
|
||||
|
||||
6. Using `\/\/` to bypass `//` blacklisted keyword
|
||||
```
|
||||
/?redir=\/\/evil.com/
|
||||
/?redir=/\/evil.com/
|
||||
```
|
||||
|
||||
7. Using `%E3%80%82` to bypass `.` blacklisted character
|
||||
```
|
||||
/?redir=evil。com
|
||||
/?redir=evil%E3%80%82com
|
||||
```
|
||||
|
||||
6. Using null byte "%00" to bypass blacklist filter
|
||||
8. Using null byte `%00` to bypass blacklist filter
|
||||
```
|
||||
//evil%00.com
|
||||
/?redir=//evil%00.com
|
||||
```
|
||||
|
||||
7. Using parameter pollution
|
||||
9. Using parameter pollution
|
||||
```
|
||||
?next=target.com&next=evil.com
|
||||
/?next=target.com&next=evil.com
|
||||
```
|
||||
|
||||
8. Using "@" character, browser will redirect to anything after the "@"
|
||||
10. Using `@` or `%40` character, browser will redirect to anything after the `@`
|
||||
```
|
||||
target.com@evil.com
|
||||
target.com%40evil.com
|
||||
/?redir=target.com@evil.com
|
||||
/?redir=target.com%40evil.com
|
||||
```
|
||||
|
||||
9. Creating folder as their domain
|
||||
11. Creating folder as their domain
|
||||
```
|
||||
http://www.yoursite.com/http://www.theirsite.com/
|
||||
http://www.yoursite.com/folder/www.folder.com
|
||||
```
|
||||
|
||||
10. Using "?" characted, browser will translate it to "/?"
|
||||
12. Using `?` characted, browser will translate it to `/?`
|
||||
```
|
||||
http://www.yoursite.com?http://www.theirsite.com/
|
||||
http://www.yoursite.com?folder/www.folder.com
|
||||
/?redir=target.com?evil.com
|
||||
```
|
||||
|
||||
11. Host/Split Unicode Normalization
|
||||
13. Bypass the filter if it only checks for domain name using `%23`
|
||||
```
|
||||
/?redir=target.com%23evil.com
|
||||
```
|
||||
|
||||
14. Host/Split Unicode Normalization
|
||||
```
|
||||
https://evil.c℀.example.com
|
||||
```
|
||||
|
||||
12. Using parsing
|
||||
15. Using parsing
|
||||
```
|
||||
http://ⓔⓥⓘⓛ.ⓒⓞⓜ
|
||||
```
|
||||
|
||||
16. Using `°` symbol to bypass
|
||||
```
|
||||
/?redir=target.com/°evil.com
|
||||
```
|
||||
|
||||
17. Bypass the filter if it only allows yoou to control the path using a nullbyte `%0d` or `%0a`
|
||||
```
|
||||
/?redir=/%0d/evil.com
|
||||
```
|
||||
Loading…
Reference in New Issue