id: open-redirect info: name: Open Redirect Detection author: princechaddha severity: medium tags: redirect,dast http: - pre-condition: - type: dsl dsl: - 'method == "GET"' payloads: redirect: - "evil.com" fuzzing: - part: query mode: single keys: - AuthState - URL - _url - callback - checkout - checkout_url - content - continue - continueTo - counturl - data - dest - dest_url - destination - dir - document - domain - done - download - feed - file - file_name - file_url - folder - folder_url - forward - from_url - go - goto - host - html - http - https - image - image_src - image_url - imageurl - img - img_url - include - langTo - load_file - load_url - login_to - login_url - logout - media - navigation - next - next_page - open - out - page - page_url - pageurl - path - picture - port - proxy - r - r2 - redir - redirect - redirectUri - redirectUrl - redirect_to - redirect_uri - redirect_url - reference - referrer - req - request - ret - retUrl - return - returnTo - return_path - return_to - return_url - rt - rurl - show - site - source - src - target - to - u - uri - url - val - validate - view - window - back - cgi - follow - home - jump - link - location - menu - move - nav - orig_url - out_url - query - auth - callback_url - confirm_url - destination_url - domain_url - entry - exit - forward_url - go_to - goto_url - home_url - image_link - load - logout_url - nav_to - origin - page_link - redirect_link - ref - referrer_url - return_link - return_to_url - source_url - target_url - to_url - validate_url - DirectTo - relay fuzz: - "https://{{redirect}}" - part: query mode: single values: - "https?://" # Replace HTTP URLs with alternatives fuzz: - "https://{{redirect}}" stop-at-first-match: true matchers-condition: and matchers: - type: regex part: header regex: - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)evil\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1 - type: status status: - 301 - 302 - 307 # digest: 4a0a004730450221009817b3fc85a64de37095f99e9bc9606b18a5a9ee3273af0405634e1b2760458c02201a1430837a69b1a03bece85a3966c0042aaddc52f45baedb9191e95936860b0c:922c64590222798bb761d5b6d8e72950