From ce7b60d79c2824407377326ec811890ee27f0041 Mon Sep 17 00:00:00 2001 From: Emad Youssef <48482029+Sy3Omda@users.noreply.github.com> Date: Sun, 26 Dec 2021 17:23:11 +0200 Subject: [PATCH] Update open-redirect.yaml (#3404) * Update open-redirect.yaml add new payloads * minor update Co-authored-by: sandeep --- vulnerabilities/generic/open-redirect.yaml | 126 ++++++++++++++++----- 1 file changed, 98 insertions(+), 28 deletions(-) diff --git a/vulnerabilities/generic/open-redirect.yaml b/vulnerabilities/generic/open-redirect.yaml index 2d467fa712..2598c937eb 100644 --- a/vulnerabilities/generic/open-redirect.yaml +++ b/vulnerabilities/generic/open-redirect.yaml @@ -8,45 +8,115 @@ info: tags: redirect,generic requests: - - method: GET + - raw: + - | + GET /{{redirect}} HTTP/1.1 + Host: {{Hostname}} - path: - - '{{BaseURL}}/example.com/' - - '{{BaseURL}}/example.com//' - - '{{BaseURL}}///;@example.com' - - '{{BaseURL}}///example.com/%2F..' - - '{{BaseURL}}/////example.com' - - '{{BaseURL}}//example.com/%2F..' - - '{{BaseURL}}//example.com/..;/css' - - '{{BaseURL}}/example%E3%80%82com' - - '{{BaseURL}}/%5Cexample.com' - - '{{BaseURL}}/example.com' - - '{{BaseURL}}//example.com/' - - '{{BaseURL}}/%00/example.com/' - - '{{BaseURL}}/%09/example.com/' - - '{{BaseURL}}/%0a/example.com/' - - '{{BaseURL}}/%0d/example.com/' - - '{{BaseURL}}////example.com/%2f%2e%2e' - - '{{BaseURL}}/%5cexample.com/%2f%2e%2e' - - '{{BaseURL}}/%5C%5Cexample.com/%252e%252e%252f' - - '{{BaseURL}}/{{BaseURL}}example.com' - - '{{BaseURL}}//{{BaseURL}}example.com/' - - '{{BaseURL}}////{{BaseURL}}example.com/%2f%2e%2e' - - '{{BaseURL}}/%5c{{BaseURL}}example.com/%2f%2e%2e' - - '{{BaseURL}}/?page=example.com&_url=example.com&callback=example.com&checkout_url=example.com&content=example.com&continue=example.com&continueTo=example.com&counturl=example.com&data=example.com&dest=example.com&dest_url=example.com&dir=example.com&document=example.com&domain=example.com&done=example.com&download=example.com&feed=example.com&file=example.com&host=example.com&html=example.com&http=example.com&https=example.com&image=example.com&image_src=example.com&image_url=example.com&imageurl=example.com&include=example.com&langTo=example.com&media=example.com&navigation=example.com&next=example.com&open=example.com&out=example.com&page=example.com&page_url=example.com&pageurl=example.com&path=example.com&picture=example.com&port=example.com&proxy=example.com&redir=example.com&redirect=example.com&redirectUri=example.com&redirectUrl=example.com&reference=example.com&referrer=example.com&req=example.com&request=example.com&retUrl=example.com&return=example.com&returnTo=example.com&return_path=example.com&return_to=example.com&rurl=example.com&show=example.com&site=example.com&source=example.com&src=example.com&target=example.com&to=example.com&uri=example.com&url=example.com&val=example.com&validate=example.com&view=example.com&window=example.com&redirect_to=example.com&ret=example.com&r2=example.com&img=example.com&u=example.com&r=example.com&URL=example.com&AuthState=example.com' - - '{{BaseURL}}/1/_https@example.com' + payloads: + redirect: + - '%0a/example.com/' + - '%0d/example.com/' + - '%00/example.com/' + - '%09/example.com/' + - '%5C%5Cexample.com/%252e%252e%252f' + - '%5Cexample.com' + - '%5cexample.com/%2f%2e%2e' + - '%5c{{RootURL}}example.com/%2f%2e%2e' + - '../example.com' + - '.example.com' + - '/%5cexample.com' + - '////\;@example.com' + - '////example.com' + - '///example.com' + - '///example.com/%2f%2e%2e' + - '///example.com@//' + - '///{{RootURL}}example.com/%2f%2e%2e' + - '//;@example.com' + - '//\/example.com/' + - '//\@example.com' + - '//\example.com' + - '//\texample.com/' + - '//example.com/%2F..' + - '//example.com//' + - '//example.com@//' + - '//example.com\texample.com/' + - '//https://example.com@//' + - '/<>//example.com' + - '/\/\/example.com/' + - '/\/example.com' + - '/\example.com' + - '/example.com' + - '/example.com/%2F..' + - '/example.com/' + - '/example.com/..;/css' + - '/https:example.com' + - '/{{RootURL}}example.com/' + - '/〱example.com' + - '/〵example.com' + - '/ゝexample.com' + - '/ーexample.com' + - '/ーexample.com' + - '<>//example.com' + - '@example.com' + - '@https://example.com' + - '\/\/example.com/' + - 'example%E3%80%82com' + - 'example.com' + - 'example.com/' + - 'example.com//' + - 'example.com;@' + - 'https%3a%2f%2fexample.com%2f' + - 'https:%0a%0dexample.com' + - 'https://%0a%0dexample.com' + - 'https://%09/example.com' + - 'https://%2f%2f.example.com/' + - 'https://%3F.example.com/' + - 'https://%5c%5c.example.com/' + - 'https://%5cexample.com@' + - 'https://%23.example.com/' + - 'https://.example.com' + - 'https://////example.com' + - 'https:///example.com' + - 'https:///example.com/%2e%2e' + - 'https:///example.com/%2f%2e%2e' + - 'https:///example.com@example.com/%2e%2e' + - 'https:///example.com@example.com/%2f%2e%2e' + - 'https://:80#@example.com/' + - 'https://:80?@example.com/' + - 'https://:@\@example.com' + - 'https://:@example.com\@example.com' + - 'https://:@example.com\@WillBeReplaced.com' + - 'https://;@example.com' + - 'https://\texample.com/' + - 'https://example.com/example.com' + - 'https://example.com/https://example.com/' + - 'https://www.\.example.com' + - 'https:/\/\example.com' + - 'https:/\example.com' + - 'https:/example.com' + - 'https:example.com' + - '{{RootURL}}example.com' + - '〱example.com' + - '〵example.com' + - 'ゝexample.com' + - 'ーexample.com' + - 'ーexample.com' + - '?page=example.com&_url=example.com&callback=example.com&checkout_url=example.com&content=example.com&continue=example.com&continueTo=example.com&counturl=example.com&data=example.com&dest=example.com&dest_url=example.com&dir=example.com&document=example.com&domain=example.com&done=example.com&download=example.com&feed=example.com&file=example.com&host=example.com&html=example.com&http=example.com&https=example.com&image=example.com&image_src=example.com&image_url=example.com&imageurl=example.com&include=example.com&langTo=example.com&media=example.com&navigation=example.com&next=example.com&open=example.com&out=example.com&page=example.com&page_url=example.com&pageurl=example.com&path=example.com&picture=example.com&port=example.com&proxy=example.com&redir=example.com&redirect=example.com&redirectUri=example.com&redirectUrl=example.com&reference=example.com&referrer=example.com&req=example.com&request=example.com&retUrl=example.com&return=example.com&returnTo=example.com&return_path=example.com&return_to=example.com&rurl=example.com&show=example.com&site=example.com&source=example.com&src=example.com&target=example.com&to=example.com&uri=example.com&url=example.com&val=example.com&validate=example.com&view=example.com&window=example.com&redirect_to=example.com&ret=example.com&r2=example.com&img=example.com&u=example.com&r=example.com&URL=example.com&AuthState=example.com' stop-at-first-match: true matchers-condition: and matchers: + - type: regex part: header regex: - - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)example\.com\/?(\/|[^.].*)?$' + - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)example\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1 - type: status status: - 301 - 302 - 307 - - 308 \ No newline at end of file + - 308 + condition: or \ No newline at end of file