Openredirect
Identification
The following is a list of common injection parameters:
https://book.hacktricks.xyz/pentesting-web/open-redirect#common-injection-parameters
Redirect to localhost or arbitrary domains
- Localhost
Try reaching localhost, potentially identify internal open ports:
- Arbitrary domains
Use different encoding formats to bypass the regex.
Examples:
Open Redirect to XSS
Basic payload, javascript code is executed after "javascript:"
Bypass "javascript" word filter with CRLF
Javascript with "://" (Notice that in JS "//" is a line coment, so new line is created before the payload). URL double encoding is needed
This bypasses FILTER_VALIDATE_URL os PHP
Variation of "javascript://" bypass when a query is also needed (using comments or ternary operator)
Others
Tools
- Fuzzing Lists
https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Open%20Redirect/Intruder
- Oralyzer
https://github.com/r0075h3ll/Oralyzer
- Recollapse
https://github.com/0xacb/recollapse
Once obtained an openredirect, if we want to redirect to a malicious site, we can generate a wordlist that will try to bypass regex.
recollapse -e 1 -p 1,2,4 -r 10-11 https://legit.example.com
Last updated