2024-03-16 18:44:49 +00:00
|
|
|
id: open-redirect
|
|
|
|
|
|
|
|
info:
|
|
|
|
name: Open Redirect Detection
|
|
|
|
author: princechaddha
|
|
|
|
severity: medium
|
2024-03-23 09:32:51 +00:00
|
|
|
tags: redirect,dast
|
2024-03-16 18:44:49 +00:00
|
|
|
|
|
|
|
http:
|
2024-03-31 19:55:42 +00:00
|
|
|
- pre-condition:
|
2024-03-26 07:21:56 +00:00
|
|
|
- type: dsl
|
|
|
|
dsl:
|
|
|
|
- 'method == "GET"'
|
2024-03-16 18:44:49 +00:00
|
|
|
|
|
|
|
payloads:
|
|
|
|
redirect:
|
|
|
|
- "evil.com"
|
|
|
|
|
|
|
|
fuzzing:
|
|
|
|
- part: query
|
|
|
|
mode: single
|
|
|
|
keys:
|
|
|
|
- AuthState
|
|
|
|
- URL
|
|
|
|
- _url
|
|
|
|
- callback
|
|
|
|
- checkout
|
|
|
|
- checkout_url
|
|
|
|
- content
|
|
|
|
- continue
|
|
|
|
- continueTo
|
|
|
|
- counturl
|
|
|
|
- data
|
|
|
|
- dest
|
|
|
|
- dest_url
|
|
|
|
- destination
|
|
|
|
- dir
|
|
|
|
- document
|
|
|
|
- domain
|
|
|
|
- done
|
|
|
|
- download
|
|
|
|
- feed
|
|
|
|
- file
|
|
|
|
- file_name
|
|
|
|
- file_url
|
|
|
|
- folder
|
|
|
|
- folder_url
|
|
|
|
- forward
|
|
|
|
- from_url
|
|
|
|
- go
|
|
|
|
- goto
|
|
|
|
- host
|
|
|
|
- html
|
|
|
|
- http
|
|
|
|
- https
|
|
|
|
- image
|
|
|
|
- image_src
|
|
|
|
- image_url
|
|
|
|
- imageurl
|
|
|
|
- img
|
|
|
|
- img_url
|
|
|
|
- include
|
|
|
|
- langTo
|
|
|
|
- load_file
|
|
|
|
- load_url
|
|
|
|
- login_to
|
|
|
|
- login_url
|
|
|
|
- logout
|
|
|
|
- media
|
|
|
|
- navigation
|
|
|
|
- next
|
|
|
|
- next_page
|
|
|
|
- open
|
|
|
|
- out
|
|
|
|
- page
|
|
|
|
- page_url
|
|
|
|
- pageurl
|
|
|
|
- path
|
|
|
|
- picture
|
|
|
|
- port
|
|
|
|
- proxy
|
|
|
|
- r
|
|
|
|
- r2
|
|
|
|
- redir
|
|
|
|
- redirect
|
|
|
|
- redirectUri
|
|
|
|
- redirectUrl
|
|
|
|
- redirect_to
|
|
|
|
- redirect_uri
|
|
|
|
- redirect_url
|
|
|
|
- reference
|
|
|
|
- referrer
|
|
|
|
- req
|
|
|
|
- request
|
|
|
|
- ret
|
|
|
|
- retUrl
|
|
|
|
- return
|
|
|
|
- returnTo
|
|
|
|
- return_path
|
|
|
|
- return_to
|
|
|
|
- return_url
|
|
|
|
- rt
|
|
|
|
- rurl
|
|
|
|
- show
|
|
|
|
- site
|
|
|
|
- source
|
|
|
|
- src
|
|
|
|
- target
|
|
|
|
- to
|
|
|
|
- u
|
|
|
|
- uri
|
|
|
|
- url
|
|
|
|
- val
|
|
|
|
- validate
|
|
|
|
- view
|
|
|
|
- window
|
|
|
|
- back
|
|
|
|
- cgi
|
|
|
|
- follow
|
|
|
|
- home
|
|
|
|
- jump
|
|
|
|
- link
|
|
|
|
- location
|
|
|
|
- menu
|
|
|
|
- move
|
|
|
|
- nav
|
|
|
|
- orig_url
|
|
|
|
- out_url
|
|
|
|
- query
|
|
|
|
- auth
|
|
|
|
- callback_url
|
|
|
|
- confirm_url
|
|
|
|
- destination_url
|
|
|
|
- domain_url
|
|
|
|
- entry
|
|
|
|
- exit
|
|
|
|
- forward_url
|
|
|
|
- go_to
|
|
|
|
- goto_url
|
|
|
|
- home_url
|
|
|
|
- image_link
|
|
|
|
- load
|
|
|
|
- logout_url
|
|
|
|
- nav_to
|
|
|
|
- origin
|
|
|
|
- page_link
|
|
|
|
- redirect_link
|
|
|
|
- ref
|
|
|
|
- referrer_url
|
|
|
|
- return_link
|
|
|
|
- return_to_url
|
|
|
|
- source_url
|
|
|
|
- target_url
|
|
|
|
- to_url
|
|
|
|
- validate_url
|
|
|
|
- DirectTo
|
|
|
|
- relay
|
2024-03-16 19:08:33 +00:00
|
|
|
|
2024-03-16 18:44:49 +00:00
|
|
|
fuzz:
|
|
|
|
- "https://{{redirect}}"
|
|
|
|
|
|
|
|
- part: query
|
|
|
|
mode: single
|
|
|
|
values:
|
|
|
|
- "https?://" # Replace HTTP URLs with alternatives
|
|
|
|
fuzz:
|
|
|
|
- "https://{{redirect}}"
|
|
|
|
|
|
|
|
stop-at-first-match: true
|
|
|
|
matchers-condition: and
|
|
|
|
matchers:
|
|
|
|
- type: regex
|
|
|
|
part: header
|
|
|
|
regex:
|
|
|
|
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)evil\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
|
|
|
|
|
|
|
|
- type: status
|
|
|
|
status:
|
|
|
|
- 301
|
|
|
|
- 302
|
|
|
|
- 307
|
2024-04-08 07:07:11 +00:00
|
|
|
# digest: 4a0a004730450221009817b3fc85a64de37095f99e9bc9606b18a5a9ee3273af0405634e1b2760458c02201a1430837a69b1a03bece85a3966c0042aaddc52f45baedb9191e95936860b0c:922c64590222798bb761d5b6d8e72950
|