From 7cc2da843fe8b8794031ece43253e93463fe8a4d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Krzysztof=20Zaj=C4=85c?=
Date: Thu, 11 Jul 2024 12:02:28 +0200
Subject: [PATCH 1/3] Using different URL as we don't know who evil.com is controlled by
---
 .../redirect/open-redirect.yaml | 6 +-
 .../generic/open-redirect-generic.yaml | 188 +++++++++---------
 2 files changed, 97 insertions(+), 97 deletions(-)
diff --git a/dast/vulnerabilities/redirect/open-redirect.yaml b/dast/vulnerabilities/redirect/open-redirect.yaml
index 736d0bd7c1..47d693a75a 100644
--- a/dast/vulnerabilities/redirect/open-redirect.yaml
+++ b/dast/vulnerabilities/redirect/open-redirect.yaml
@@ -16,7 +16,7 @@ http:
 payloads:
 redirect:
- - "evil.com"
+ - "example.com"
 fuzzing:
 - part: query
@@ -174,11 +174,11 @@ http:
 - type: regex
 part: header
 regex:
- - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)(?:[a-zA-Z0-9\-_\.@]*)evil\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/idfD2e/1
+ - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)(?:[a-zA-Z0-9\-_\.@]*)example\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/idfD2e/1
 - type: status
 status:
 - 301
 - 302
 - 307
-# digest: 490a004630440220798dab0882b46e287f296c1f1ba1f9b47422c2b080486183184727f3de119087022044b26046d5aba5529bb7583ccebd65748198fff98a625c16b07432abf5a4fe8c:922c64590222798bb761d5b6d8e72950
\ No newline at end of file
+# digest: 490a004630440220798dab0882b46e287f296c1f1ba1f9b47422c2b080486183184727f3de119087022044b26046d5aba5529bb7583ccebd65748198fff98a625c16b07432abf5a4fe8c:922c64590222798bb761d5b6d8e72950
diff --git a/http/vulnerabilities/generic/open-redirect-generic.yaml b/http/vulnerabilities/generic/open-redirect-generic.yaml
index 10879db292..dbb5973f19 100644
--- a/http/vulnerabilities/generic/open-redirect-generic.yaml
+++ b/http/vulnerabilities/generic/open-redirect-generic.yaml
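Review bot: The `# digest:` line at the end of the @@ -174 hunk is re-emitted with the identical value `490a0046…e72950` while the payload at line 19 and the `Location` regex in the same commit change the template body; if that line is the template's content signature, as its name suggests, it no longer corresponds to what is being signed and should be regenerated by the signing step rather than copied across with only the trailing newline changed. The same applies to the `# digest: 4b0a0048…` hunk at @@ -130 of `http/vulnerabilities/generic/open-redirect-generic.yaml` in this patch, and the two follow-up patches change payloads again without touching either digest.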
@@ -20,99 +20,99 @@ http:
 payloads:
 redirect:
- - '%0a/evil.com/'
- - '%0d/evil.com/'
- - '%00/evil.com/'
- - '%09/evil.com/'
- - '%5C%5Cevil.com/%252e%252e%252f'
- - '%5Cevil.com'
- - '%5cevil.com/%2f%2e%2e'
- - '%5c{{RootURL}}evil.com/%2f%2e%2e'
- - '../evil.com'
- - '.evil.com'
- - '/%5cevil.com'
- - '////\;@evil.com'
- - '////evil.com'
- - '///evil.com'
- - '///evil.com/%2f%2e%2e'
- - '///evil.com@//'
- - '///{{RootURL}}evil.com/%2f%2e%2e'
- - '//;@evil.com'
- - '//\/evil.com/'
- - '//\@evil.com'
- - '//\evil.com'
- - '//\tevil.com/'
- - '//evil.com/%2F..'
- - '//evil.com//'
+ - '%0a/example.com/'
+ - '%0d/example.com/'
+ - '%00/example.com/'
+ - '%09/example.com/'
+ - '%5C%5Cexample.com/%252e%252e%252f'
+ - '%5Cexample.com'
+ - '%5cexample.com/%2f%2e%2e'
+ - '%5c{{RootURL}}example.com/%2f%2e%2e'
+ - '../example.com'
+ - '.example.com'
+ - '/%5cexample.com'
+ - '////\;@example.com'
+ - '////example.com'
+ - '///example.com'
+ - '///example.com/%2f%2e%2e'
+ - '///example.com@//'
+ - '///{{RootURL}}example.com/%2f%2e%2e'
+ - '//;@example.com'
+ - '//\/example.com/'
+ - '//\@example.com'
+ - '//\example.com'
+ - '//\texample.com/'
+ - '//example.com/%2F..'
+ - '//example.com//'
 - '//%69%6e%74%65%72%61%63%74%2e%73%68'
- - '//evil.com@//'
- - '//evil.com\tevil.com/'
- - '//https://evil.com//'
- - '/<>//evil.com'
- - '/\/\/evil.com/'
- - '/\/evil.com'
- - '/\evil.com'
- - '/evil.com'
- - '/evil.com/%2F..'
- - '/evil.com/'
- - '/evil.com/..;/css'
- - '/https:evil.com'
- - '/{{RootURL}}evil.com/'
- - '/〱evil.com'
- - '/〵evil.com'
- - '/ゝevil.com'
- - '/ーevil.com'
- - '/ーevil.com'
- - '<>//evil.com'
- - '@evil.com'
- - '@https://evil.com'
- - '\/\/evil.com/'
- - 'evil%E3%80%82com'
- - 'evil.com'
- - 'evil.com/'
- - 'evil.com//'
- - 'evil.com;@'
- - 'https%3a%2f%2fevil.com%2f'
- - 'https:%0a%0devil.com'
- - 'https://%0a%0devil.com'
- - 'https://%09/evil.com'
- - 'https://%2f%2f.evil.com/'
- - 'https://%3F.evil.com/'
- - 'https://%5c%5c.evil.com/'
- - 'https://%5cevil.com@'
- - 'https://%23.evil.com/'
- - 'https://.evil.com'
- - 'https://////evil.com'
- - 'https:///evil.com'
- - 'https:///evil.com/%2e%2e'
- - 'https:///evil.com/%2f%2e%2e'
- - 'https:///evil.com@evil.com/%2e%2e'
- - 'https:///evil.com@evil.com/%2f%2e%2e'
- - 'https://:80#@evil.com/'
- - 'https://:80?@evil.com/'
- - 'https://:@\@evil.com'
- - 'https://:@evil.com\@evil.com'
- - 'https://;@evil.com'
- - 'https://\tevil.com/'
- - 'https://evil.com/evil.com'
- - 'https://evil.com/https://evil.com/'
- - 'https://www.\.evil.com'
- - 'https:/\/\evil.com'
- - 'https:/\evil.com'
- - 'https:/evil.com'
- - 'https:evil.com'
- - '{{RootURL}}evil.com'
- - '〱evil.com'
- - '〵evil.com'
- - 'ゝevil.com'
- - 'ーevil.com'
- - 'ーevil.com'
- - 'redirect/evil.com'
- - 'cgi-bin/redirect.cgi?evil.com'
- - 'out?evil.com'
- - 'login?to=http://evil.com'
- - '1/_https@evil.com'
- - 'redirect?targeturl=https://evil.com'
+ - '//example.com@//'
+ - '//example.com\texample.com/'
+ - '//https://example.com//'
+ - '/<>//example.com'
+ - '/\/\/example.com/'
+ - '/\/example.com'
+ - '/\example.com'
+ - '/example.com'
+ - '/example.com/%2F..'
+ - '/example.com/'
+ - '/example.com/..;/css'
+ - '/https:example.com'
+ - '/{{RootURL}}example.com/'
+ - '/〱example.com'
+ - '/〵example.com'
+ - '/ゝexample.com'
+ - '/ーexample.com'
+ - '/ーexample.com'
+ - '<>//example.com'
+ - '@example.com'
+ - '@https://example.com'
+ - '\/\/example.com/'
+ - 'example%E3%80%82com'
+ - 'example.com'
+ - 'example.com/'
+ - 'example.com//'
+ - 'example.com;@'
+ - 'https%3a%2f%2fexample.com%2f'
+ - 'https:%0a%0dexample.com'
+ - 'https://%0a%0dexample.com'
+ - 'https://%09/example.com'
+ - 'https://%2f%2f.example.com/'
+ - 'https://%3F.example.com/'
+ - 'https://%5c%5c.example.com/'
+ - 'https://%5cexample.com@'
+ - 'https://%23.example.com/'
+ - 'https://.example.com'
+ - 'https://////example.com'
+ - 'https:///example.com'
+ - 'https:///example.com/%2e%2e'
+ - 'https:///example.com/%2f%2e%2e'
+ - 'https:///example.com@example.com/%2e%2e'
+ - 'https:///example.com@example.com/%2f%2e%2e'
+ - 'https://:80#@example.com/'
+ - 'https://:80?@example.com/'
+ - 'https://:@\@example.com'
+ - 'https://:@example.com\@example.com'
+ - 'https://;@example.com'
+ - 'https://\texample.com/'
+ - 'https://example.com/example.com'
+ - 'https://example.com/https://example.com/'
+ - 'https://www.\.example.com'
+ - 'https:/\/\example.com'
+ - 'https:/\example.com'
+ - 'https:/example.com'
+ - 'https:example.com'
+ - '{{RootURL}}example.com'
+ - '〱example.com'
+ - '〵example.com'
+ - 'ゝexample.com'
+ - 'ーexample.com'
+ - 'ーexample.com'
+ - 'redirect/example.com'
+ - 'cgi-bin/redirect.cgi?example.com'
+ - 'out?example.com'
+ - 'login?to=http://example.com'
+ - '1/_https@example.com'
+ - 'redirect?targeturl=https://example.com'
 stop-at-first-match: true
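Review bot: Two pairs of new entries in this hunk, `'/ーexample.com'` twice and `'ーexample.com'` twice, are indistinguishable as printed; if they are the same code point, one of each pair is a duplicate that costs an extra request per fuzzed parameter with no added coverage, and if they are deliberately different confusables (a full-width and a half-width form, say), that intent is invisible to the next editor. A trailing comment naming the code point of the leading character, e.g. `- 'ーexample.com'  # leading char U+XXXX (placeholder, fill in)`, would settle it either way. The same pairs recur unchanged in the @@ -20 hunk of patch 2/3.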
@@ -121,7 +121,7 @@ http:
 - type: regex
 part: header
 regex:
- - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)(?:[a-zA-Z0-9\-_\.@]*)evil\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
+ - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)(?:[a-zA-Z0-9\-_\.@]*)example\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
 - type: status
 status:
@@ -130,4 +130,4 @@ http:
 - 307
 - 308
 condition: or
-# digest: 4b0a00483046022100f4fe9201a11ea90485c2a26c406a0dbecb9ea8e674bf3ccbcaf01ed4c57421c3022100a9c075d4a231b4acd4adfce87b2f858c65cb9dc3b896d7b07759c4395e0be18f:922c64590222798bb761d5b6d8e72950
\ No newline at end of file
+# digest: 4b0a00483046022100f4fe9201a11ea90485c2a26c406a0dbecb9ea8e674bf3ccbcaf01ed4c57421c3022100a9c075d4a231b4acd4adfce87b2f858c65cb9dc3b896d7b07759c4395e0be18f:922c64590222798bb761d5b6d8e72950
From 64cbf97e14ddf184d967abc024fae9dc71b30fe5 Mon Sep 17 00:00:00 2001
From: Prince Chaddha
Date: Sun, 14 Jul 2024 13:36:22 +0530
Subject: [PATCH 2/3] updated domain
---
 .../redirect/open-redirect.yaml | 4 +-
 .../generic/open-redirect-generic.yaml | 184 +++++++++---------
 2 files changed, 94 insertions(+), 94 deletions(-)
diff --git a/dast/vulnerabilities/redirect/open-redirect.yaml b/dast/vulnerabilities/redirect/open-redirect.yaml
index 47d693a75a..50d350f14d 100644
--- a/dast/vulnerabilities/redirect/open-redirect.yaml
+++ b/dast/vulnerabilities/redirect/open-redirect.yaml
@@ -16,7 +16,7 @@ http:
 payloads:
 redirect:
- - "example.com"
+ - "oast.me"
 fuzzing:
 - part: query
@@ -174,7 +174,7 @@ http:
 - type: regex
 part: header
 regex:
- - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)(?:[a-zA-Z0-9\-_\.@]*)example\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/idfD2e/1
+ - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)(?:[a-zA-Z0-9\-_\.@]*)oast\.me\/?(\/|[^.].*)?$' # https://regex101.com/r/idfD2e/1
 - type: status
 status:
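Review bot: With the marker shortened to `oast\.me` in the new `Location` regex of the @@ -174 hunk, the unbounded `(?:[a-zA-Z0-9\-_\.@]*)` group in front of it also accepts any host that merely ends in those letters, so a benign redirect to, for example, `https://toast.me/` or `https://coast.me/` now satisfies the matcher and is reported as an open redirect; the same looseness existed with `evil.com`, but a seven-character suffix that is also a common word ending is a far likelier collision. Requiring a delimiter before the marker whenever something precedes it, e.g. `(?:[a-zA-Z0-9\-_\.@]*[.@])?oast\.me`, keeps the intended `sub.oast.me` and `user@oast.me` forms while rejecting `toast.me`; whether that drops any of the backslash- or encoding-prefixed payload forms should be re-checked against the regex101 link kept in the trailing comment. The identical regex in the @@ -121 hunk of `http/vulnerabilities/generic/open-redirect-generic.yaml` in this patch has the same issue.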
diff --git a/http/vulnerabilities/generic/open-redirect-generic.yaml b/http/vulnerabilities/generic/open-redirect-generic.yaml
index dbb5973f19..c3d8e7880f 100644
--- a/http/vulnerabilities/generic/open-redirect-generic.yaml
+++ b/http/vulnerabilities/generic/open-redirect-generic.yaml
@@ -20,99 +20,99 @@ http:
 payloads:
 redirect:
- - '%0a/example.com/'
- - '%0d/example.com/'
- - '%00/example.com/'
- - '%09/example.com/'
- - '%5C%5Cexample.com/%252e%252e%252f'
- - '%5Cexample.com'
- - '%5cexample.com/%2f%2e%2e'
- - '%5c{{RootURL}}example.com/%2f%2e%2e'
- - '../example.com'
- - '.example.com'
- - '/%5cexample.com'
- - '////\;@example.com'
- - '////example.com'
- - '///example.com'
- - '///example.com/%2f%2e%2e'
- - '///example.com@//'
- - '///{{RootURL}}example.com/%2f%2e%2e'
- - '//;@example.com'
- - '//\/example.com/'
- - '//\@example.com'
- - '//\example.com'
- - '//\texample.com/'
- - '//example.com/%2F..'
- - '//example.com//'
+ - '%0a/oast.me/'
+ - '%0d/oast.me/'
+ - '%00/oast.me/'
+ - '%09/oast.me/'
+ - '%5C%5Coast.me/%252e%252e%252f'
+ - '%5Coast.me'
+ - '%5coast.me/%2f%2e%2e'
+ - '%5c{{RootURL}}oast.me/%2f%2e%2e'
+ - '../oast.me'
+ - '.oast.me'
+ - '/%5coast.me'
+ - '////\;@oast.me'
+ - '////oast.me'
+ - '///oast.me'
+ - '///oast.me/%2f%2e%2e'
+ - '///oast.me@//'
+ - '///{{RootURL}}oast.me/%2f%2e%2e'
+ - '//;@oast.me'
+ - '//\/oast.me/'
+ - '//\@oast.me'
+ - '//\oast.me'
+ - '//\toast.me/'
+ - '//oast.me/%2F..'
+ - '//oast.me//'
 - '//%69%6e%74%65%72%61%63%74%2e%73%68'
- - '//example.com@//'
- - '//example.com\texample.com/'
- - '//https://example.com//'
- - '/<>//example.com'
- - '/\/\/example.com/'
- - '/\/example.com'
- - '/\example.com'
- - '/example.com'
- - '/example.com/%2F..'
- - '/example.com/'
- - '/example.com/..;/css'
- - '/https:example.com'
- - '/{{RootURL}}example.com/'
- - '/〱example.com'
- - '/〵example.com'
- - '/ゝexample.com'
- - '/ーexample.com'
- - '/ーexample.com'
- - '<>//example.com'
- - '@example.com'
- - '@https://example.com'
- - '\/\/example.com/'
+ - '//oast.me@//'
+ - '//oast.me\toast.me/'
+ - '//https://oast.me//'
+ - '/<>//oast.me'
+ - '/\/\/oast.me/'
+ - '/\/oast.me'
+ - '/\oast.me'
+ - '/oast.me'
+ - '/oast.me/%2F..'
+ - '/oast.me/'
+ - '/oast.me/..;/css'
+ - '/https:oast.me'
+ - '/{{RootURL}}oast.me/'
+ - '/〱oast.me'
+ - '/〵oast.me'
+ - '/ゝoast.me'
+ - '/ーoast.me'
+ - '/ーoast.me'
+ - '<>//oast.me'
+ - '@oast.me'
+ - '@https://oast.me'
+ - '\/\/oast.me/'
 - 'example%E3%80%82com'
- - 'example.com'
- - 'example.com/'
- - 'example.com//'
- - 'example.com;@'
- - 'https%3a%2f%2fexample.com%2f'
- - 'https:%0a%0dexample.com'
- - 'https://%0a%0dexample.com'
- - 'https://%09/example.com'
- - 'https://%2f%2f.example.com/'
- - 'https://%3F.example.com/'
- - 'https://%5c%5c.example.com/'
- - 'https://%5cexample.com@'
- - 'https://%23.example.com/'
- - 'https://.example.com'
- - 'https://////example.com'
- - 'https:///example.com'
- - 'https:///example.com/%2e%2e'
- - 'https:///example.com/%2f%2e%2e'
- - 'https:///example.com@example.com/%2e%2e'
- - 'https:///example.com@example.com/%2f%2e%2e'
- - 'https://:80#@example.com/'
- - 'https://:80?@example.com/'
- - 'https://:@\@example.com'
- - 'https://:@example.com\@example.com'
- - 'https://;@example.com'
- - 'https://\texample.com/'
- - 'https://example.com/example.com'
- - 'https://example.com/https://example.com/'
- - 'https://www.\.example.com'
- - 'https:/\/\example.com'
- - 'https:/\example.com'
- - 'https:/example.com'
- - 'https:example.com'
- - '{{RootURL}}example.com'
- - '〱example.com'
- - '〵example.com'
- - 'ゝexample.com'
- - 'ーexample.com'
- - 'ーexample.com'
- - 'redirect/example.com'
- - 'cgi-bin/redirect.cgi?example.com'
- - 'out?example.com'
- - 'login?to=http://example.com'
- - '1/_https@example.com'
- - 'redirect?targeturl=https://example.com'
+ - 'oast.me'
+ - 'oast.me/'
+ - 'oast.me//'
+ - 'oast.me;@'
+ - 'https%3a%2f%2foast.me%2f'
+ - 'https:%0a%0doast.me'
+ - 'https://%0a%0doast.me'
+ - 'https://%09/oast.me'
+ - 'https://%2f%2f.oast.me/'
+ - 'https://%3F.oast.me/'
+ - 'https://%5c%5c.oast.me/'
+ - 'https://%5coast.me@'
+ - 'https://%23.oast.me/'
+ - 'https://.oast.me'
+ - 'https://////oast.me'
+ - 'https:///oast.me'
+ - 'https:///oast.me/%2e%2e'
+ - 'https:///oast.me/%2f%2e%2e'
+ - 'https:///oast.me@oast.me/%2e%2e'
+ - 'https:///oast.me@oast.me/%2f%2e%2e'
+ - 'https://:80#@oast.me/'
+ - 'https://:80?@oast.me/'
+ - 'https://:@\@oast.me'
+ - 'https://:@oast.me\@oast.me'
+ - 'https://;@oast.me'
+ - 'https://\toast.me/'
+ - 'https://oast.me/oast.me'
+ - 'https://oast.me/https://oast.me/'
+ - 'https://www.\.oast.me'
+ - 'https:/\/\oast.me'
+ - 'https:/\oast.me'
+ - 'https:/oast.me'
+ - 'https:oast.me'
+ - '{{RootURL}}oast.me'
+ - '〱oast.me'
+ - '〵oast.me'
+ - 'ゝoast.me'
+ - 'ーoast.me'
+ - 'ーoast.me'
+ - 'redirect/oast.me'
+ - 'cgi-bin/redirect.cgi?oast.me'
+ - 'out?oast.me'
+ - 'login?to=http://oast.me'
+ - '1/_https@oast.me'
+ - 'redirect?targeturl=https://oast.me'
 stop-at-first-match: true
@@ -121,7 +121,7 @@ http:
 - type: regex
 part: header
 regex:
- - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)(?:[a-zA-Z0-9\-_\.@]*)example\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
+ - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)(?:[a-zA-Z0-9\-_\.@]*)oast\.me\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
 - type: status
 status:
From 31d5e16128a034293db3ec5cc74bd0a9f5433a4f Mon Sep 17 00:00:00 2001
From: Prince Chaddha
Date: Sun, 14 Jul 2024 13:41:38 +0530
Subject: [PATCH 3/3] updated payload
---
 http/vulnerabilities/generic/open-redirect-generic.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/http/vulnerabilities/generic/open-redirect-generic.yaml b/http/vulnerabilities/generic/open-redirect-generic.yaml
index c3d8e7880f..025d5a3294 100644
--- a/http/vulnerabilities/generic/open-redirect-generic.yaml
+++ b/http/vulnerabilities/generic/open-redirect-generic.yaml
@@ -44,7 +44,7 @@ http:
 - '//\toast.me/'
 - '//oast.me/%2F..'
 - '//oast.me//'
- - '//%69%6e%74%65%72%61%63%74%2e%73%68'
+ - '//%6f%61%73%74%2e%6d%65'
 - '//oast.me@//'
 - '//oast.me\toast.me/'
 - '//https://oast.me//'
@@ -67,7 +67,7 @@ http:
 - '@oast.me'
 - '@https://oast.me'
 - '\/\/oast.me/'
- - 'example%E3%80%82com'
+ - 'oast%E3%80%82me'
 - 'oast.me'
 - 'oast.me/'
 - 'oast.me//'
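Review bot: The two rewritten entries, `'oast%E3%80%82me'` here and `'//%6f%61%73%74%2e%6d%65'` in the @@ -44 hunk, are the only payloads whose target host is not readable in the file, and they are exactly the two that the previous two passes over this list missed; a trailing comment with the decoded form, `- 'oast%E3%80%82me'  # oast + U+3002 ideographic full stop + me` and `- '//%6f%61%73%74%2e%6d%65'  # percent-encoded //oast.me`, would make the next domain change greppable. Both encodings decode correctly to the new marker as written.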