open-redirect: Open Redirect Detection

id: open-redirect

info:
  name: Open Redirect Detection
  author: princechaddha,AmirHossein Raeisi
  severity: medium
  metadata:
    max-request: 1
  tags: redirect,dast,vuln

http:
  - pre-condition:
      - type: dsl
        dsl:
          - 'method == "GET"'

    payloads:
      redirect:
        - "oast.me"

    fuzzing:
      - part: query
        mode: single
        keys:
          - AuthState
          - URL
          - _url
          - callback
          - checkout
          - checkout_url
          - content
          - continue
          - continueTo
          - counturl
          - data
          - dest
          - dest_url
          - destination
          - dir
          - document
          - domain
          - done
          - download
          - feed
          - file
          - file_name
          - file_url
          - folder
          - folder_url
          - forward
          - from_url
          - go
          - goto
          - host
          - html
          - http
          - https
          - image
          - image_src
          - image_url
          - imageurl
          - img
          - img_url
          - include
          - langTo
          - load_file
          - load_url
          - login_to
          - login_url
          - logout
          - media
          - navigation
          - next
          - next_page
          - open
          - out
          - page
          - page_url
          - pageurl
          - path
          - picture
          - port
          - proxy
          - r
          - r2
          - redir
          - redirect
          - redirectUri
          - redirectUrl
          - redirect_to
          - redirect_uri
          - redirect_url
          - reference
          - referrer
          - req
          - request
          - ret
          - retUrl
          - return
          - returnTo
          - return_path
          - return_to
          - return_url
          - rt
          - rurl
          - show
          - site
          - source
          - src
          - target
          - to
          - u
          - uri
          - url
          - val
          - validate
          - view
          - window
          - back
          - cgi
          - follow
          - home
          - jump
          - link
          - location
          - menu
          - move
          - nav
          - orig_url
          - out_url
          - query
          - auth
          - callback_url
          - confirm_url
          - destination_url
          - domain_url
          - entry
          - exit
          - forward_url
          - go_to
          - goto_url
          - home_url
          - image_link
          - load
          - logout_url
          - nav_to
          - origin
          - page_link
          - redirect_link
          - ref
          - referrer_url
          - return_link
          - return_to_url
          - source_url
          - target_url
          - to_url
          - validate_url
          - DirectTo
          - relay

        fuzz:
          - "https://{{redirect}}"

      - part: query
        mode: single
        values:
          - "https?://" # Replace HTTP URLs with alternatives
        fuzz:
          - "https://{{redirect}}"

    stop-at-first-match: true
    matchers-condition: and
    matchers:
      - type: regex
        part: header
        regex:
          - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)(?:[a-zA-Z0-9\-_\.@]*)oast\.me\/?(\/|[^.].*)?$' # https://regex101.com/r/idfD2e/1

      - type: status
        status:
          - 301
          - 302
          - 307
# digest: 4b0a00483046022100a79bb24814ebb6fce46310bc6ca43f0a735205eccf07838a37f372e8956cfdbf022100f2fa25d75d359997833b4406ac5acadce14328707f8b2e1896024e3c7cc7bb2a:922c64590222798bb761d5b6d8e72950