nuclei-templates/vulnerabilities/generic/open-redirect.yaml

id: open-redirect

info:
  name: Open URL redirect detection
  author: afaq,melbadry9,Elmahdi,pxmme1337,Regala_,andirrahmani1,geeknik
  severity: low
  description: A user-controlled input redirects users to an external website.
  tags: redirect,generic

requests:
  - method: GET

    path:
      - '{{BaseURL}}/example.com/'
      - '{{BaseURL}}/example.com//'
      - '{{BaseURL}}///;@example.com'
      - '{{BaseURL}}///example.com/%2F..'
      - '{{BaseURL}}/////example.com'
      - '{{BaseURL}}//example.com/%2F..'
      - '{{BaseURL}}//example.com/..;/css'
      - '{{BaseURL}}/example%E3%80%82com'
      - '{{BaseURL}}/%5Cexample.com'
      - '{{BaseURL}}/example.com'
      - '{{BaseURL}}//example.com/'
      - '{{BaseURL}}/%00/example.com/'
      - '{{BaseURL}}/%09/example.com/'
      - '{{BaseURL}}/%0a/example.com/'
      - '{{BaseURL}}/%0d/example.com/'
      - '{{BaseURL}}////example.com/%2f%2e%2e'
      - '{{BaseURL}}/%5cexample.com/%2f%2e%2e'
      - '{{BaseURL}}/{{BaseURL}}example.com'
      - '{{BaseURL}}//{{BaseURL}}example.com/'
      - '{{BaseURL}}////{{BaseURL}}example.com/%2f%2e%2e'
      - '{{BaseURL}}/%5c{{BaseURL}}example.com/%2f%2e%2e'
      - '{{BaseURL}}/?page=example.com&_url=example.com&callback=example.com&checkout_url=example.com&content=example.com&continue=example.com&continueTo=example.com&counturl=example.com&data=example.com&dest=example.com&dest_url=example.com&diexample.com&document=example.com&domain=example.com&done=example.com&download=example.com&feed=example.com&file=example.com&host=example.com&html=example.com&http=example.com&https=example.com&image=example.com&image_src=example.com&image_url=example.com&imageurl=example.com&include=example.com&langTo=example.com&media=example.com&navigation=example.com&next=example.com&open=example.com&out=example.com&page=example.com&page_url=example.com&pageurl=example.com&path=example.com&picture=example.com&port=example.com&proxy=example.com&redir=example.com&redirect=example.com&redirectUri=example.com&redirectUrl=example.com&reference=example.com&referrer=example.com&req=example.com&request=example.com&retUrl=example.com&return=example.com&returnTo=example.com&return_path=example.com&return_to=example.com&rurl=example.com&show=example.com&site=example.com&source=example.com&src=example.com&target=example.com&to=example.com&uri=example.com&url=example.com&val=example.com&validate=example.com&view=example.com&window=example.com&redirect_to=example.com&ret=example.com&r2=example.com&img=example.com&u=example.com&r=example.com&URL=example.com&AuthState=example.com'
      - '{{BaseURL}}/1/_https@example.com'

    stop-at-first-match: true
    matchers-condition: and
    matchers:
      - type: regex
        regex:
          - '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)example\.com.*$'
        part: header

      - type: status
        status:
          - 302
          - 301
payload updates 2021-02-14 11:41:51 +00:00			`id: open-redirect`

			`info:`
			`name: Open URL redirect detection`
Updated author names 2021-06-09 12:20:56 +00:00			`author: afaq,melbadry9,Elmahdi,pxmme1337,Regala_,andirrahmani1,geeknik`
payload updates 2021-02-14 11:41:51 +00:00			`severity: low`
Updates across many templates for clarity, spelling, and grammar. 2021-09-05 21:13:45 +00:00			`description: A user-controlled input redirects users to an external website.`
Update open-redirect.yaml 2021-08-11 07:38:24 +00:00			`tags: redirect,generic`
payload updates 2021-02-14 11:41:51 +00:00
			`requests:`
			`- method: GET`

			`path:`
Update open-redirect.yaml Seems a bit rude to add a production website like test.com to a template like this will generate a ton of unexpected traffic for a company who might not be expecting it or appreciating it. 2021-02-15 17:42:57 +00:00			`- '{{BaseURL}}/example.com/'`
			`- '{{BaseURL}}/example.com//'`
			`- '{{BaseURL}}///;@example.com'`
			`- '{{BaseURL}}///example.com/%2F..'`
			`- '{{BaseURL}}/////example.com'`
			`- '{{BaseURL}}//example.com/%2F..'`
			`- '{{BaseURL}}//example.com/..;/css'`
			`- '{{BaseURL}}/example%E3%80%82com'`
			`- '{{BaseURL}}/%5Cexample.com'`
			`- '{{BaseURL}}/example.com'`
			`- '{{BaseURL}}//example.com/'`
			`- '{{BaseURL}}/%00/example.com/'`
			`- '{{BaseURL}}/%09/example.com/'`
			`- '{{BaseURL}}/%0a/example.com/'`
			`- '{{BaseURL}}/%0d/example.com/'`
			`- '{{BaseURL}}////example.com/%2f%2e%2e'`
			`- '{{BaseURL}}/%5cexample.com/%2f%2e%2e'`
			`- '{{BaseURL}}/{{BaseURL}}example.com'`
			`- '{{BaseURL}}//{{BaseURL}}example.com/'`
			`- '{{BaseURL}}////{{BaseURL}}example.com/%2f%2e%2e'`
			`- '{{BaseURL}}/%5c{{BaseURL}}example.com/%2f%2e%2e'`
Update open-redirect.yaml 2021-05-06 22:38:09 +00:00			- '{{BaseURL}}/?page=example.com&_url=example.com&callback=example.com&checkout_url=example.com&content=example.com&continue=example.com&continueTo=example.com&counturl=example.com&data=example.com&dest=example.com&dest_url=example.com&diexample.com&document=example.com&domain=example.com&done=example.com&download=example.com&feed=example.com&file=example.com&host=example.com&html=example.com&http=example.com&https=example.com&image=example.com&image_src=example.com&image_url=example.com&imageurl=example.com&include=example.com&langTo=example.com&media=example.com&navigation=example.com&next=example.com&open=example.com&out=example.com&page=example.com&page_url=example.com&pageurl=example.com&path=example.com&picture=example.com&port=example.com&proxy=example.com&redir=example.com&redirect=example.com&redirectUri=example.com&redirectUrl=example.com&reference=example.com&referrer=example.com&req=example.com&request=example.com&retUrl=example.com&return=example.com&returnTo=example.com&return_path=example.com&return_to=example.com&rurl=example.com&show=example.com&site=example.com&source=example.com&src=example.com&target=example.com&to=example.com&uri=example.com&url=example.com&val=example.com&validate=example.com&view=example.com&window=example.com&redirect_to=example.com&ret=example.com&r2=example.com&img=example.com&u=example.com&r=example.com&URL=example.com&AuthState=example.com'
Update open-redirect.yaml this payload worked for me while i was hunting. 2021-06-21 08:21:44 +00:00			`- '{{BaseURL}}/1/_https@example.com'`
Additional check add 2021-06-29 11:56:42 +00:00
Added stop-at-first-match in applicable templates 2021-09-02 11:59:10 +00:00			`stop-at-first-match: true`
Additional check add 2021-06-29 11:56:42 +00:00			`matchers-condition: and`
payload updates 2021-02-14 11:41:51 +00:00			`matchers:`
			`- type: regex`
			`regex:`
Simplify regex 2021-04-27 14:42:41 +00:00			`- '(?m)^(?:Location\s?:\s?)(?:https?://\|//)?(?:[a-zA-Z0-9\-_\.@])example\.com.$'`
payload updates 2021-02-14 11:41:51 +00:00			`part: header`
Additional check add 2021-06-29 11:56:42 +00:00
			`- type: status`
			`status:`
			`- 302`
			`- 301`