My methodology for hunting for open Redirect vulnerabilities

7 months ago

Peace be upon you, my friend. If you benefit from this article, remember me in your prayers.

O Allah, send blessings and peace upon our Prophet Muhammad.

What is an Open Redirect?

Websites often use automatic redirects to improve user experience, such as redirecting users to a login page when they try to access a restricted area. To remember where to redirect users after they log in, the site uses a redirect URL parameter. However, attackers can exploit this by tricking users into clicking on a link that appears to lead to a legitimate site but actually redirects them to a malicious page. This is called an open-redirect attack. Another method is the referer-based open redirect, where attackers use a legitimate site’s referer header to redirect users to a malicious site after they visit the legitimate site.

Step 1: Look for Redirect Parameters:

To find redirect parameters on a website, use a proxy to browse and examine the HTTP history for parameters containing absolute or relative URLs. Look for parameters like “redirect,” “redir,” “next,” or other custom names that suggest redirection. Note that some pages may redirect without explicit parameters, indicating potential referer-based open redirects. These can be identified by observing 3XX response codes in the HTTP responses.

Step 2: Use Google Dorks to Find Additional Redirect Parameters:

To find additional redirect parameters on a website using Google dorks, use search terms like “inurl:%3Dhttp site:example.com” to find absolute URLs in parameters, and “inurl:%3D%2F site:example.com” to find relative URLs. You can also search for common redirect parameter names like “inurl:redir” or “inurl:returnurl.” Note the parameters you find along with those from Step 1.

The best-known Google dorks for finding open redirects are:

inurl:redir site:example.com

inurl:redirect site:example.com

inurl:redirecturi site:example.com

inurl:redirect_uri site:example.com

inurl:redirecturl site:example.com

inurl:return site:example.com

inurl:returnurl site:example.com

inurl:relaystate site:example.com

inurl:forward site:example.com

inurl:forwardurl site:example.com

inurl:forward_url site:example.com

inurl:url site:example.com

inurl:uri site:example.com

inurl:dest site:example.com

inurl:destination site:example.com

inurl:next site:example.com

Step 3: Test for Parameter-Based Open Redirect:

To test for parameter-based open redirects, insert a random or controlled hostname into the redirect parameter and see if the site redirects to that site. Some redirects may occur immediately, while others may require specific user actions (like login or logout) before redirecting. Carry out the necessary interactions before checking for the redirect.

To bypass open-redirect protection, you can exploit flaws in URL validation. Validators often fail to account for all edge cases, allowing attackers to bypass them. One approach is to use browser autocorrect features to construct URLs that redirect offsite. Another method is to exploit loopholes in the validator’s logic, such as by creating subdomains or directories with the target’s domain name. Additionally, you can manipulate the scheme portion of the URL using data URLs or by double-URL-encoding special characters to induce an open redirect. Furthermore, inconsistencies in decoding non-ASCII characters can be exploited to bypass URL filters. Combining these techniques can help bypass more sophisticated URL validators.

You can try the following payload patterns:

https://target.com/login?redir=https://target.com@attacker.com/target.com

https://target.com/login?redir=https://target.com.attacker.com/target.com

https://target.com/login?redir=https://attacker.com/target.com

https://target.com/login?redir=https://attacker.com.target.com

https://target.com/@attacker.com

https://target.com%2f@attacker.com

https://target.com%252f@attacker.com

https://target.com%25252f@attacker.com

https://attacker.com%252f@target.com

https://attacker.com%ff.target.com

https://attacker.com?.target.com

https://attacker.com/.target.com

https://target.com/@attacker.com/target.com

https://target.com%252f@attacker.com/target.com
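Running these patterns through a validator shows why the common “does the value contain our domain” check fails and what a parse-based allowlist check does differently. This is an added example, not code from the post; target.com and attacker.com are the post’s placeholders, and the sample values are constructed from the patterns above.

```python
from urllib.parse import urlsplit

# Assumed trusted site for this example (the post uses target.com as its placeholder).
TRUSTED_HOST = "target.com"

def naive_is_safe(redir: str) -> bool:
    """The weak check many redirect validators amount to: does the trusted
    domain appear anywhere in the value?"""
    return TRUSTED_HOST in redir

def hardened_is_safe(redir: str) -> bool:
    """Allow only same-site relative paths or absolute http(s) URLs whose host
    is exactly TRUSTED_HOST. Parse the raw value as a browser will, without
    decoding first, so %2f / %252f tricks cannot move the authority boundary."""
    redir = redir.strip()
    try:
        parts = urlsplit(redir)
    except ValueError:  # e.g. malformed IPv6 brackets
        return False
    if not parts.scheme and not parts.netloc:
        # Relative path: exactly one leading '/'. '//host' parses as a netloc
        # above; browsers treat '/\host' the same way, so reject it too.
        return redir.startswith("/") and redir[1:2] not in ("/", "\\")
    if parts.scheme not in ("http", "https"):
        return False  # rejects data:, javascript: and other schemes
    netloc = parts.netloc
    # Userinfo ('@'), percent-encoding, backslashes and non-ASCII in the
    # authority are what the listed bypasses rely on; a same-site URL never needs them.
    if any(ch in netloc for ch in "@%\\") or not netloc.isascii():
        return False
    return (parts.hostname or "") == TRUSTED_HOST

# Constructed samples: two benign values plus payload patterns from the post.
SAMPLES = [
    "https://target.com/account",
    "/dashboard",
    "https://target.com@attacker.com/target.com",
    "https://target.com.attacker.com/target.com",
    "https://attacker.com/target.com",
    "https://attacker.com.target.com",
    "https://target.com%252f@attacker.com",
    "https://attacker.com%ff.target.com",
    "https://attacker.com?.target.com",
    "//attacker.com",
]

def compare(values=SAMPLES):
    """Return {value: (naive_verdict, hardened_verdict)} for each candidate."""
    return {v: (naive_is_safe(v), hardened_is_safe(v)) for v in values}
```

Every attacker-controlled pattern in SAMPLES passes the naive check and fails the hardened one; the two benign values pass the hardened check.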

Attackers can use open redirects to enhance phishing attacks by redirecting users from a legitimate site to a malicious one. For instance, they could send an email with a URL that appears to lead to a legitimate site but actually redirects to a fake login page on a malicious site. The attacker can then steal the user’s credentials when they attempt to log in. While organizations can’t fully prevent phishing, they often overlook open redirects as minor issues. However, open redirects can be part of a chain of vulnerabilities, helping attackers bypass URL restrictions and maximize the impact of other vulnerabilities like server-side request forgery (SSRF). Additionally, open redirects can be used to steal credentials and OAuth tokens by exploiting the referer HTTP request header.

LinkedIn: https://www.linkedin.com/in/hozayfa-nasser-2b31b8246/