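# DAST template: rewrites query-string values of GET requests to
# https://evil.com and reports a finding when the response is an HTTP redirect
# whose Location header points at that host.
#
# NOTE(review): the trailing `# digest:` line was generated for the original
# template text. Presumably the template must be re-signed after any edit for
# signature verification to pass -- confirm against your nuclei setup.
id: open-redirect

info:
  name: Open Redirect Detection
  author: princechaddha
  severity: medium
  tags: redirect,dast

http:
  # Only requests whose method is GET are fuzzed.
  - pre-condition:
      - type: dsl
        dsl:
          - 'method == "GET"'

    payloads:
      # Canary hostname substituted for {{redirect}} in the fuzz values below.
      # The matcher regex hard-codes the same hostname, so change both together.
      redirect:
        - "evil.com"

    fuzzing:
      # Rule 1: query parameters selected by name, fuzzed one at a time
      # (mode: single).
      - part: query
        mode: single
        keys:
          - AuthState
          - URL
          - _url
          - callback
          - checkout
          - checkout_url
          - content
          - continue
          - continueTo
          - counturl
          - data
          - dest
          - dest_url
          - destination
          - dir
          - document
          - domain
          - done
          - download
          - feed
          - file
          - file_name
          - file_url
          - folder
          - folder_url
          - forward
          - from_url
          - go
          - goto
          - host
          - html
          - http
          - https
          - image
          - image_src
          - image_url
          - imageurl
          - img
          - img_url
          - include
          - langTo
          - load_file
          - load_url
          - login_to
          - login_url
          - logout
          - media
          - navigation
          - next
          - next_page
          - open
          - out
          - page
          - page_url
          - pageurl
          - path
          - picture
          - port
          - proxy
          - r
          - r2
          - redir
          - redirect
          - redirectUri
          - redirectUrl
          - redirect_to
          - redirect_uri
          - redirect_url
          - reference
          - referrer
          - req
          - request
          - ret
          - retUrl
          - return
          - returnTo
          - return_path
          - return_to
          - return_url
          - rt
          - rurl
          - show
          - site
          - source
          - src
          - target
          - to
          - u
          - uri
          - url
          - val
          - validate
          - view
          - window
          - back
          - cgi
          - follow
          - home
          - jump
          - link
          - location
          - menu
          - move
          - nav
          - orig_url
          - out_url
          - query
          - auth
          - callback_url
          - confirm_url
          - destination_url
          - domain_url
          - entry
          - exit
          - forward_url
          - go_to
          - goto_url
          - home_url
          - image_link
          - load
          - logout_url
          - nav_to
          - origin
          - page_link
          - redirect_link
          - ref
          - referrer_url
          - return_link
          - return_to_url
          - source_url
          - target_url
          - to_url
          - validate_url
          - DirectTo
          - relay
        fuzz:
          - "https://{{redirect}}"

      # Rule 2: query parameters selected by value -- any parameter whose
      # current value matches the regex below, whatever its name.
      - part: query
        mode: single
        values:
          - "https?://"  # Replace HTTP URLs with alternatives
        fuzz:
          - "https://{{redirect}}"

    stop-at-first-match: true
    # A finding needs both the Location regex and a redirect status code.
    matchers-condition: and
    matchers:
      # Triage notes on this regex:
      #  - the scheme group is optional, so a bare `Location: evil.com/...`
      #    also matches; browsers resolve that as a relative path on the same
      #    site, so confirm the header is absolute or scheme-relative before
      #    reporting.
      #  - the character class before the hostname admits any prefix made of
      #    letters, digits and `-_.@` (sub-domains, userinfo, or a longer
      #    hostname merely ending in the canary), so verify the effective host.
      - type: regex
        part: header
        regex:
          - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)evil\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1

      # 303 and 308 added: both are redirects that browsers follow via the
      # Location header, so an open redirect answered with either status was
      # previously not reported.
      - type: status
        status:
          - 301
          - 302
          - 303
          - 307
          - 308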
# digest: 4a0a004730450221009817b3fc85a64de37095f99e9bc9606b18a5a9ee3273af0405634e1b2760458c02201a1430837a69b1a03bece85a3966c0042aaddc52f45baedb9191e95936860b0c:922c64590222798bb761d5b6d8e72950