fuzzdb/attack/redirect/README.md

* redirect-injection-template.txt
    * Patterns for injecting into a value for attempting to bypass many input validation filters that intended to only allow only relative links on the same origin.<br>
* redirect-urls-template.txt
    * URL patterns that commonly lead to open redirect. <br>

<b>Usage:</b> <br>
Replace {target} in files with ip or hostname and path, Examples: <br>
* evil.com <br>
* evil.com/badurl<br>
* 1.2.3.4 <br>
* 134744072<br>

<b>Testing techniques:</b><br>
Filter Bypass
* If periods are being stripped by the filter so that evil.com becomes evilcom, try converting the ip address to decimal notation form. 
http://www.geektools.com/geektools-cgi/ipconv.cgi
* Try URL-encoding the replacement value for {target}
Other Issues
* If redirect.injection.template.txt usage results in the server proxying a request to the injected URL and returning its contents instead of redirecting to it, explore how this could be used to explore the servers localhost ports for web services, protected systems in a DMZ, interact through GET requests/REST interfaces, etc. 

TODO
doc page 1.0 for open redirect patterns 2016-10-12 07:22:12 +00:00			`* redirect-injection-template.txt`
			`* Patterns for injecting into a value for attempting to bypass many input validation filters that intended to only allow only relative links on the same origin.<br>`
			`* redirect-urls-template.txt`
			`* URL patterns that commonly lead to open redirect. <br>`

Update arbitrary redirect docs 2016-10-12 07:44:16 +00:00			`<b>Usage:</b> <br>`
			`Replace {target} in files with ip or hostname and path, Examples: <br>`
doc page 1.0 for open redirect patterns 2016-10-12 07:22:12 +00:00			`* evil.com <br>`
			`* evil.com/badurl<br>`
			`* 1.2.3.4 <br>`
			`* 134744072<br>`

Update arbitrary redirect docs 2016-10-12 07:44:16 +00:00			`<b>Testing techniques:</b><br>`
			`Filter Bypass`
doc page 1.0 for open redirect patterns 2016-10-12 07:22:12 +00:00			`* If periods are being stripped by the filter so that evil.com becomes evilcom, try converting the ip address to decimal notation form.`
			`http://www.geektools.com/geektools-cgi/ipconv.cgi`
			`* Try URL-encoding the replacement value for {target}`
Update arbitrary redirect docs 2016-10-12 07:44:16 +00:00			`Other Issues`
			`* If redirect.injection.template.txt usage results in the server proxying a request to the injected URL and returning its contents instead of redirecting to it, explore how this could be used to explore the servers localhost ports for web services, protected systems in a DMZ, interact through GET requests/REST interfaces, etc.`

			`TODO`