nuclei-templates/vulnerabilities/generic/open-redirect.yaml

id: open-redirect

info:
  name: Open Redirect - Detection
  author: afaq,melbadry9,Elmahdi,pxmme1337,Regala_,andirrahmani1,geeknik
  severity: medium
  description: An open redirect vulnerability was detected. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.1
    cwe-id: CWE-601
  tags: redirect,generic

requests:
  - method: GET
    path:
      - "{{RootURL}}/{{redirect}}"

    payloads:
      redirect:
        - '%0a/evil.com/'
        - '%0d/evil.com/'
        - '%00/evil.com/'
        - '%09/evil.com/'
        - '%5C%5Cevil.com/%252e%252e%252f'
        - '%5Cevil.com'
        - '%5cevil.com/%2f%2e%2e'
        - '%5c{{RootURL}}evil.com/%2f%2e%2e'
        - '../evil.com'
        - '.evil.com'
        - '/%5cevil.com'
        - '////\;@evil.com'
        - '////evil.com'
        - '///evil.com'
        - '///evil.com/%2f%2e%2e'
        - '///evil.com@//'
        - '///{{RootURL}}evil.com/%2f%2e%2e'
        - '//;@evil.com'
        - '//\/evil.com/'
        - '//\@evil.com'
        - '//\evil.com'
        - '//\tevil.com/'
        - '//evil.com/%2F..'
        - '//evil.com//'
        - '//%69%6e%74%65%72%61%63%74%2e%73%68'
        - '//evil.com@//'
        - '//evil.com\tevil.com/'
        - '//https://evil.com@//'
        - '/<>//evil.com'
        - '/\/\/evil.com/'
        - '/\/evil.com'
        - '/\evil.com'
        - '/evil.com'
        - '/evil.com/%2F..'
        - '/evil.com/'
        - '/evil.com/..;/css'
        - '/https:evil.com'
        - '/{{RootURL}}evil.com/'
        - '/〱evil.com'
        - '/〵evil.com'
        - '/ゝevil.com'
        - '/ーevil.com'
        - '/ｰevil.com'
        - '<>//evil.com'
        - '@evil.com'
        - '@https://evil.com'
        - '\/\/evil.com/'
        - 'evil%E3%80%82com'
        - 'evil.com'
        - 'evil.com/'
        - 'evil.com//'
        - 'evil.com;@'
        - 'https%3a%2f%2fevil.com%2f'
        - 'https:%0a%0devil.com'
        - 'https://%0a%0devil.com'
        - 'https://%09/evil.com'
        - 'https://%2f%2f.evil.com/'
        - 'https://%3F.evil.com/'
        - 'https://%5c%5c.evil.com/'
        - 'https://%5cevil.com@'
        - 'https://%23.evil.com/'
        - 'https://.evil.com'
        - 'https://////evil.com'
        - 'https:///evil.com'
        - 'https:///evil.com/%2e%2e'
        - 'https:///evil.com/%2f%2e%2e'
        - 'https:///evil.com@evil.com/%2e%2e'
        - 'https:///evil.com@evil.com/%2f%2e%2e'
        - 'https://:80#@evil.com/'
        - 'https://:80?@evil.com/'
        - 'https://:@\@evil.com'
        - 'https://:@evil.com\@evil.com'
        - 'https://;@evil.com'
        - 'https://\tevil.com/'
        - 'https://evil.com/evil.com'
        - 'https://evil.com/https://evil.com/'
        - 'https://www.\.evil.com'
        - 'https:/\/\evil.com'
        - 'https:/\evil.com'
        - 'https:/evil.com'
        - 'https:evil.com'
        - '{{RootURL}}evil.com'
        - '〱evil.com'
        - '〵evil.com'
        - 'ゝevil.com'
        - 'ーevil.com'
        - 'ｰevil.com'
        - 'redirect/evil.com'
        - 'cgi-bin/redirect.cgi?evil.com'
        - 'out?evil.com'
        - 'login?to=http://evil.com'
        - '1/_https@evil.com'

    stop-at-first-match: true
    matchers-condition: and
    matchers:
      - type: regex
        part: header
        regex:
          - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)(?:[a-zA-Z0-9\-_\.@]*)evil\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1

      - type: status
        status:
          - 301
          - 302
          - 307
          - 308
        condition: or

# Enhanced by mp on 2022/10/14
payload updates 2021-02-14 11:41:51 +00:00			`id: open-redirect`

			`info:`
Dashboard Content Enhancements (#5704) Dashboard Content Enhancements 2022-10-19 21:11:27 +00:00			`name: Open Redirect - Detection`
Updated author names 2021-06-09 12:20:56 +00:00			`author: afaq,melbadry9,Elmahdi,pxmme1337,Regala_,andirrahmani1,geeknik`
Dashboard Content Enhancements (#6598) Dashboard Content Enhancements 2023-01-23 22:14:23 +00:00			`severity: medium`
Dashboard Content Enhancements (#5704) Dashboard Content Enhancements 2022-10-19 21:11:27 +00:00			`description: An open redirect vulnerability was detected. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.`
			`classification:`
			`cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N`
			`cvss-score: 6.1`
			`cwe-id: CWE-601`
Update open-redirect.yaml 2021-08-11 07:38:24 +00:00			`tags: redirect,generic`
payload updates 2021-02-14 11:41:51 +00:00
			`requests:`
fix: redirect template update (#6329) 2022-12-10 14:42:59 +00:00			`- method: GET`
			`path:`
			`- "{{RootURL}}/{{redirect}}"`
payload updates 2021-02-14 11:41:51 +00:00
Update open-redirect.yaml (#3404) * Update open-redirect.yaml add new payloads * minor update Co-authored-by: sandeep <sandeep@projectdiscovery.io> 2021-12-26 15:23:11 +00:00			`payloads:`
			`redirect:`
fix: redirect template update (#6329) 2022-12-10 14:42:59 +00:00			`- '%0a/evil.com/'`
			`- '%0d/evil.com/'`
			`- '%00/evil.com/'`
			`- '%09/evil.com/'`
			`- '%5C%5Cevil.com/%252e%252e%252f'`
			`- '%5Cevil.com'`
			`- '%5cevil.com/%2f%2e%2e'`
			`- '%5c{{RootURL}}evil.com/%2f%2e%2e'`
			`- '../evil.com'`
			`- '.evil.com'`
			`- '/%5cevil.com'`
			`- '////\;@evil.com'`
			`- '////evil.com'`
			`- '///evil.com'`
			`- '///evil.com/%2f%2e%2e'`
			`- '///evil.com@//'`
			`- '///{{RootURL}}evil.com/%2f%2e%2e'`
			`- '//;@evil.com'`
			`- '//\/evil.com/'`
			`- '//\@evil.com'`
			`- '//\evil.com'`
			`- '//\tevil.com/'`
			`- '//evil.com/%2F..'`
			`- '//evil.com//'`
Added URL encoded payload (#4664) 2022-06-25 07:08:56 +00:00			`- '//%69%6e%74%65%72%61%63%74%2e%73%68'`
fix: redirect template update (#6329) 2022-12-10 14:42:59 +00:00			`- '//evil.com@//'`
			`- '//evil.com\tevil.com/'`
			`- '//https://evil.com@//'`
			`- '/<>//evil.com'`
			`- '/\/\/evil.com/'`
			`- '/\/evil.com'`
			`- '/\evil.com'`
			`- '/evil.com'`
			`- '/evil.com/%2F..'`
			`- '/evil.com/'`
			`- '/evil.com/..;/css'`
			`- '/https:evil.com'`
			`- '/{{RootURL}}evil.com/'`
			`- '/〱evil.com'`
			`- '/〵evil.com'`
			`- '/ゝevil.com'`
			`- '/ーevil.com'`
			`- '/ｰevil.com'`
			`- '<>//evil.com'`
			`- '@evil.com'`
			`- '@https://evil.com'`
			`- '\/\/evil.com/'`
			`- 'evil%E3%80%82com'`
			`- 'evil.com'`
			`- 'evil.com/'`
			`- 'evil.com//'`
			`- 'evil.com;@'`
			`- 'https%3a%2f%2fevil.com%2f'`
			`- 'https:%0a%0devil.com'`
			`- 'https://%0a%0devil.com'`
			`- 'https://%09/evil.com'`
			`- 'https://%2f%2f.evil.com/'`
			`- 'https://%3F.evil.com/'`
			`- 'https://%5c%5c.evil.com/'`
			`- 'https://%5cevil.com@'`
			`- 'https://%23.evil.com/'`
			`- 'https://.evil.com'`
			`- 'https://////evil.com'`
			`- 'https:///evil.com'`
			`- 'https:///evil.com/%2e%2e'`
			`- 'https:///evil.com/%2f%2e%2e'`
			`- 'https:///evil.com@evil.com/%2e%2e'`
			`- 'https:///evil.com@evil.com/%2f%2e%2e'`
			`- 'https://:80#@evil.com/'`
			`- 'https://:80?@evil.com/'`
			`- 'https://:@\@evil.com'`
			`- 'https://:@evil.com\@evil.com'`
			`- 'https://;@evil.com'`
			`- 'https://\tevil.com/'`
			`- 'https://evil.com/evil.com'`
			`- 'https://evil.com/https://evil.com/'`
			`- 'https://www.\.evil.com'`
			`- 'https:/\/\evil.com'`
			`- 'https:/\evil.com'`
			`- 'https:/evil.com'`
			`- 'https:evil.com'`
			`- '{{RootURL}}evil.com'`
			`- '〱evil.com'`
			`- '〵evil.com'`
			`- 'ゝevil.com'`
			`- 'ーevil.com'`
			`- 'ｰevil.com'`
			`- 'redirect/evil.com'`
			`- 'cgi-bin/redirect.cgi?evil.com'`
			`- 'out?evil.com'`
			`- 'login?to=http://evil.com'`
change from google.com -> evil.com 2023-02-07 04:49:11 +00:00			`- '1/_https@evil.com'`
Additional check add 2021-06-29 11:56:42 +00:00
Added stop-at-first-match in applicable templates 2021-09-02 11:59:10 +00:00			`stop-at-first-match: true`
Additional check add 2021-06-29 11:56:42 +00:00			`matchers-condition: and`
payload updates 2021-02-14 11:41:51 +00:00			`matchers:`
			`- type: regex`
Wrong part name (#6482) Part name should be "header" instead "location" 2023-01-07 19:00:41 +00:00			`part: header`
Add Another Redirect Payload and Extend the Regex to Recognize it (#3299) * Fix Open Redirect Header Regex The regex was missing the correct escaping for special char `/` * Add New General Open Redirect There's another option for open redirects. I tested it in FF and Chrome. * Update Location Redirect Regex * update: mix changes Co-authored-by: sandeep <sandeep@projectdiscovery.io> 2021-12-13 15:08:21 +00:00			`regex:`
Reduce false-positives in open-redirect regexes 2023-03-01 08:39:14 +00:00			`- '(?m)^(?:Location\s?:\s?)(?:https?:\/\/\|\/\/\|\/\\\\\|\/\\)(?:[a-zA-Z0-9\-_\.@])evil\.com\/?(\/\|[^.].)?$' # https://regex101.com/r/ZDYhFh/1`
Additional check add 2021-06-29 11:56:42 +00:00
			`- type: status`
			`status:`
			`- 301`
Add Another Redirect Payload and Extend the Regex to Recognize it (#3299) * Fix Open Redirect Header Regex The regex was missing the correct escaping for special char `/` * Add New General Open Redirect There's another option for open redirects. I tested it in FF and Chrome. * Update Location Redirect Regex * update: mix changes Co-authored-by: sandeep <sandeep@projectdiscovery.io> 2021-12-13 15:08:21 +00:00			`- 302`
			`- 307`
Update open-redirect.yaml (#3404) * Update open-redirect.yaml add new payloads * minor update Co-authored-by: sandeep <sandeep@projectdiscovery.io> 2021-12-26 15:23:11 +00:00			`- 308`
Added URL encoded payload (#4664) 2022-06-25 07:08:56 +00:00			`condition: or`
Dashboard Content Enhancements (#5704) Dashboard Content Enhancements 2022-10-19 21:11:27 +00:00
			`# Enhanced by mp on 2022/10/14`