nuclei-templates/dast/vulnerabilities/redirect/open-redirect.yaml

id: open-redirect

info:
  name: Open Redirect Detection
  author: princechaddha,AmirHossein Raeisi
  severity: medium
  metadata:
    max-request: 1
  tags: redirect,dast

http:
  - pre-condition:
      - type: dsl
        dsl:
          - 'method == "GET"'

    payloads:
      redirect:
        - "oast.me"

    fuzzing:
      - part: query
        mode: single
        keys:
          - AuthState
          - URL
          - _url
          - callback
          - checkout
          - checkout_url
          - content
          - continue
          - continueTo
          - counturl
          - data
          - dest
          - dest_url
          - destination
          - dir
          - document
          - domain
          - done
          - download
          - feed
          - file
          - file_name
          - file_url
          - folder
          - folder_url
          - forward
          - from_url
          - go
          - goto
          - host
          - html
          - http
          - https
          - image
          - image_src
          - image_url
          - imageurl
          - img
          - img_url
          - include
          - langTo
          - load_file
          - load_url
          - login_to
          - login_url
          - logout
          - media
          - navigation
          - next
          - next_page
          - open
          - out
          - page
          - page_url
          - pageurl
          - path
          - picture
          - port
          - proxy
          - r
          - r2
          - redir
          - redirect
          - redirectUri
          - redirectUrl
          - redirect_to
          - redirect_uri
          - redirect_url
          - reference
          - referrer
          - req
          - request
          - ret
          - retUrl
          - return
          - returnTo
          - return_path
          - return_to
          - return_url
          - rt
          - rurl
          - show
          - site
          - source
          - src
          - target
          - to
          - u
          - uri
          - url
          - val
          - validate
          - view
          - window
          - back
          - cgi
          - follow
          - home
          - jump
          - link
          - location
          - menu
          - move
          - nav
          - orig_url
          - out_url
          - query
          - auth
          - callback_url
          - confirm_url
          - destination_url
          - domain_url
          - entry
          - exit
          - forward_url
          - go_to
          - goto_url
          - home_url
          - image_link
          - load
          - logout_url
          - nav_to
          - origin
          - page_link
          - redirect_link
          - ref
          - referrer_url
          - return_link
          - return_to_url
          - source_url
          - target_url
          - to_url
          - validate_url
          - DirectTo
          - relay

        fuzz:
          - "https://{{redirect}}"

      - part: query
        mode: single
        values:
          - "https?://" # Replace HTTP URLs with alternatives
        fuzz:
          - "https://{{redirect}}"

    stop-at-first-match: true
    matchers-condition: and
    matchers:
      - type: regex
        part: header
        regex:
          - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)(?:[a-zA-Z0-9\-_\.@]*)oast\.me\/?(\/|[^.].*)?$' # https://regex101.com/r/idfD2e/1

      - type: status
        status:
          - 301
          - 302
          - 307
# digest: 490a004630440220798dab0882b46e287f296c1f1ba1f9b47422c2b080486183184727f3de119087022044b26046d5aba5529bb7583ccebd65748198fff98a625c16b07432abf5a4fe8c:922c64590222798bb761d5b6d8e72950
Added fuzzing templates 2024-03-16 18:44:49 +00:00			`id: open-redirect`

			`info:`
			`name: Open Redirect Detection`
minor update 2024-05-14 06:44:52 +00:00			`author: princechaddha,AmirHossein Raeisi`
Added fuzzing templates 2024-03-16 18:44:49 +00:00			`severity: medium`
TemplateMan Update [Fri Jun 7 10:04:28 UTC 2024] :robot: 2024-06-07 10:04:29 +00:00			`metadata:`
			`max-request: 1`
misc update 2024-03-23 09:32:51 +00:00			`tags: redirect,dast`
Added fuzzing templates 2024-03-16 18:44:49 +00:00
			`http:`
format update 2024-03-31 19:55:42 +00:00			`- pre-condition:`
Added applicable filters 2024-03-26 07:21:56 +00:00			`- type: dsl`
			`dsl:`
			`- 'method == "GET"'`
Added fuzzing templates 2024-03-16 18:44:49 +00:00
			`payloads:`
			`redirect:`
updated domain 2024-07-14 08:06:22 +00:00			`- "oast.me"`
Added fuzzing templates 2024-03-16 18:44:49 +00:00
			`fuzzing:`
			`- part: query`
			`mode: single`
			`keys:`
			`- AuthState`
			`- URL`
			`- _url`
			`- callback`
			`- checkout`
			`- checkout_url`
			`- content`
			`- continue`
			`- continueTo`
			`- counturl`
			`- data`
			`- dest`
			`- dest_url`
			`- destination`
			`- dir`
			`- document`
			`- domain`
			`- done`
			`- download`
			`- feed`
			`- file`
			`- file_name`
			`- file_url`
			`- folder`
			`- folder_url`
			`- forward`
			`- from_url`
			`- go`
			`- goto`
			`- host`
			`- html`
			`- http`
			`- https`
			`- image`
			`- image_src`
			`- image_url`
			`- imageurl`
			`- img`
			`- img_url`
			`- include`
			`- langTo`
			`- load_file`
			`- load_url`
			`- login_to`
			`- login_url`
			`- logout`
			`- media`
			`- navigation`
			`- next`
			`- next_page`
			`- open`
			`- out`
			`- page`
			`- page_url`
			`- pageurl`
			`- path`
			`- picture`
			`- port`
			`- proxy`
			`- r`
			`- r2`
			`- redir`
			`- redirect`
			`- redirectUri`
			`- redirectUrl`
			`- redirect_to`
			`- redirect_uri`
			`- redirect_url`
			`- reference`
			`- referrer`
			`- req`
			`- request`
			`- ret`
			`- retUrl`
			`- return`
			`- returnTo`
			`- return_path`
			`- return_to`
			`- return_url`
			`- rt`
			`- rurl`
			`- show`
			`- site`
			`- source`
			`- src`
			`- target`
			`- to`
			`- u`
			`- uri`
			`- url`
			`- val`
			`- validate`
			`- view`
			`- window`
			`- back`
			`- cgi`
			`- follow`
			`- home`
			`- jump`
			`- link`
			`- location`
			`- menu`
			`- move`
			`- nav`
			`- orig_url`
			`- out_url`
			`- query`
			`- auth`
			`- callback_url`
			`- confirm_url`
			`- destination_url`
			`- domain_url`
			`- entry`
			`- exit`
			`- forward_url`
			`- go_to`
			`- goto_url`
			`- home_url`
			`- image_link`
			`- load`
			`- logout_url`
			`- nav_to`
			`- origin`
			`- page_link`
			`- redirect_link`
			`- ref`
			`- referrer_url`
			`- return_link`
			`- return_to_url`
			`- source_url`
			`- target_url`
			`- to_url`
			`- validate_url`
			`- DirectTo`
			`- relay`
lint fix 2024-03-16 19:08:33 +00:00
Added fuzzing templates 2024-03-16 18:44:49 +00:00			`fuzz:`
			`- "https://{{redirect}}"`

			`- part: query`
			`mode: single`
			`values:`
			`- "https?://" # Replace HTTP URLs with alternatives`
			`fuzz:`
			`- "https://{{redirect}}"`

			`stop-at-first-match: true`
			`matchers-condition: and`
			`matchers:`
			`- type: regex`
			`part: header`
			`regex:`
updated domain 2024-07-14 08:06:22 +00:00			`- '(?m)^(?:Location\s?:\s?)(?:https?:\/\/\|\/\/\|\/\\\\\|\/\\)(?:[a-zA-Z0-9\-_\.@])oast\.me\/?(\/\|[^.].)?$' # https://regex101.com/r/idfD2e/1`
Added fuzzing templates 2024-03-16 18:44:49 +00:00
			`- type: status`
			`status:`
			`- 301`
			`- 302`
			`- 307`
Using different URL as we don't know who evil.com is controlled by 2024-07-11 10:02:28 +00:00			`# digest: 490a004630440220798dab0882b46e287f296c1f1ba1f9b47422c2b080486183184727f3de119087022044b26046d5aba5529bb7583ccebd65748198fff98a625c16b07432abf5a4fe8c:922c64590222798bb761d5b6d8e72950`