id: headless-open-redirect info: name: Open Redirect - Detect author: theamanrawat severity: medium description: | An open redirect was detected. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations. classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-score: 6.1 cwe-id: CWE-601 tags: redirect,generic,headless headless: - steps: - args: url: '{{BaseURL}}/{{redirect}}' action: navigate - action: waitload payloads: redirect: - '%0a/oast.live/' - '%0d/oast.live/' - '%00/oast.live/' - '%09/oast.live/' - '%5C%5Coast.live/%252e%252e%252f' - '%5Coast.live' - '%5coast.live/%2f%2e%2e' - '%5c{{RootURL}}oast.live/%2f%2e%2e' - '../oast.live' - '.oast.live' - '/%5coast.live' - '////\;@oast.live' - '////oast.live' - '///oast.live' - '///oast.live/%2f%2e%2e' - '///oast.live@//' - '///{{RootURL}}oast.live/%2f%2e%2e' - '//;@oast.live' - '//\/oast.live/' - '//\@oast.live' - '//\oast.live' - '//\toast.live/' - '//oast.live/%2F..' - '//oast.live//' - '//%69%6e%74%65%72%61%63%74%2e%73%68' - '//oast.live@//' - '//oast.live\toast.live/' - '//https://oast.live@//' - '/<>//oast.live' - '/\/\/oast.live/' - '/\/oast.live' - '/\oast.live' - '/oast.live' - '/oast.live/%2F..' - '/oast.live/' - '/oast.live/..;/css' - '/https:oast.live' - '/{{RootURL}}oast.live/' - '/〱oast.live' - '/〵oast.live' - '/ゝoast.live' - '/ーoast.live' - '/ーoast.live' - '<>//oast.live' - '@oast.live' - '@https://oast.live' - '\/\/oast.live/' - 'evil%E3%80%82com' - 'oast.live' - 'oast.live/' - 'oast.live//' - 'oast.live;@' - 'https%3a%2f%2foast.live%2f' - 'https:%0a%0doast.live' - 'https://%0a%0doast.live' - 'https://%09/oast.live' - 'https://%2f%2f.oast.live/' - 'https://%3F.oast.live/' - 'https://%5c%5c.oast.live/' - 'https://%5coast.live@' - 'https://%23.oast.live/' - 'https://.oast.live' - 'https://////oast.live' - 'https:///oast.live' - 'https:///oast.live/%2e%2e' - 'https:///oast.live/%2f%2e%2e' - 'https:///oast.live@oast.live/%2e%2e' - 'https:///oast.live@oast.live/%2f%2e%2e' - 'https://:80#@oast.live/' - 'https://:80?@oast.live/' - 'https://:@\@oast.live' - 'https://:@oast.live\@oast.live' - 'https://;@oast.live' - 'https://\toast.live/' - 'https://oast.live/oast.live' - 'https://oast.live/https://oast.live/' - 'https://www.\.oast.live' - 'https:/\/\oast.live' - 'https:/\oast.live' - 'https:/oast.live' - 'https:oast.live' - '{{RootURL}}oast.live' - '〱oast.live' - '〵oast.live' - 'ゝoast.live' - 'ーoast.live' - 'ーoast.live' - 'redirect/oast.live' - 'cgi-bin/redirect.cgi?oast.live' - 'out?oast.live' - 'login?to=http://oast.live' stop-at-first-match: true matchers: - type: word part: body words: - "Interactsh Server" # digest: 4b0a00483046022100a8c70dc73a12a3a282a012774a3a10a99f153d80d4c16a01f2bb4bd9770903dc022100f491074035d26885797db4152bad2ecd436ebf4d1f7fa479d402303ceac17db0:922c64590222798bb761d5b6d8e72950