The Hacker Recipes
GitHubTwitterExegolTools
Searchโ€ฆ
Introduction
Active Directory
Reconnaissance
Movement
Persistence
Web services
Reconnaissance
Configuration
Accounts and sessions
User inputs
๐Ÿ› ๏ธ File inclusion
SQL injection
XSS (Cross-Site Scripting)
Unrestricted file upload
CSRF (Cross-Site Request Forgery)
๐Ÿ› ๏ธ HTTP parameter pollution
IDOR (Insecure Direct Object Reference)
Open redirect
Insecure JSON Web Tokens
Insecure Cookies
๐Ÿ› ๏ธ SSTI (Server-Side Template Injection)
๐Ÿ› ๏ธ Insecure deserialization
SSRF (Server-Side Request Forgery)
XXE injection
๐Ÿ› ๏ธ CRLF injection
HTTP response splitting
๐Ÿ› ๏ธ Arbitrary file download
๐Ÿ› ๏ธ Directory traversal
๐Ÿ› ๏ธ Null-byte injection
๐Ÿ› ๏ธ Content-type juggling
Systems & services
Reconnaissance
Movement
Privilege escalation
Pivoting
๐Ÿ› ๏ธ Physical
Locks
Networking
Machines
Super secret zones
๐Ÿ› ๏ธ Intelligence gathering
CYBINT
OSINT
GEOINT
๐Ÿ› ๏ธ RADIO
RFID
Bluetooth
Wi-Fi
Wireless keyboard/mouse
๐Ÿ› ๏ธ mobile apps
Android
iOS
Powered By GitBook
Open redirect

Theory

Many web applications make redirections based on parameters that users can easily control, like GET parameters. When the application fails to properly check and filter these inputs, they can be vulnerable to Open Redirect where attacker can redirect users to a malicious website. Open Redirect vulnerabilities are exploited in phishing attacks to redirect users from a trusted website to an attacker-controlled one. In well executed attacks, most of the users would not notice it without carefully looking at the URL to see the difference.
Open Redirect vulnerabilities are usually found when browsing a page, being asked to log in, and then being redirected to the original page when logged in. These mechanisms greatly improve the UX (user experience) but when they are badly implemented, they can lead to vulnerabilities from low to medium severity.

Practice

Testers need to find inputs vectors used by the website for redirections. They usually are GET parameters with string values that are sometimes base64 encoded like:
Testers can then try to replace those values with different URLs and analyze de redirection.
Some bugbounty tools like waybackurls (Go), hakrawler (Go) and gf (Go) can help find vulnerable endpoints.
cat subdomains | waybackurls | tee -a urls
cat subdomains | hakrawler -depth 3 -plain | tee -a urls
gf redirect urls
Using redirect.json with gf like:
{
"flags" : "-HanrE",
"pattern" : "url=|rt=|cgi-bin/redirect.cgi|continue=|dest=|destination=|go=|out=|redir=|redirect_uri=|redirect_url=|return=|return_path=|returnTo=|rurl=|target=|view=|from_url=|load_url=|file_url=|page_url=|file_name=|page=|folder=|folder_url=|login_url=|img_url=|return_url=|return_to=|next=|redirect=|redirect_to=|logout=|checkout=|checkout_url=|goto=|next_page=|file=|load_file="
}
Redirections can be header based (location header sent from the server), or Javascript based (will not work fro server-side functions, but could redirect to javascript:something() and cause an XSS).
The impact of this vulnerability is debated. Open redirects can help in phishing attacks but in some cases, it could help exploit an XSS, a SSRF or a CSRF, hence increasing the impact.

References

Open Redirect Vulnerability
s0cket7
Open redirection (reflected)
Open redirection (stored)
DOM-based open redirection | Web Security Academy
WebSecAcademy
Open Redirection Guide
0x00sec - The Home of the Hacker
PayloadsAllTheThings/Open Redirect at master ยท swisskyrepo/PayloadsAllTheThings
GitHub
Previous
IDOR (Insecure Direct Object Reference)
Next
Insecure JSON Web Tokens
Last modified 1yr ago
Copy link
Outline
Theory
Practice
References