[OPEN REDIRECT]
GENERAL INFORMATION
NOTE: an open redirect bypass can make the application call or redirect to a malicious site, depending on the validation it performs.

example:
https://machetevault.com/login/?nextPage=https://google.com [allowed]
https://machetevault.com/login/?nextPage=https://deadbomb.com [not allowed]
https://machetevault.com/login/?nextPage=https://deadbomb.com/?https://google.com [allowed]

This needs to be tested, because some applications use a whitelist to filter where they can redirect to. Maybe the format allowed in the example is not allowed in another application; however, you can change the order and try again.

You can find similar applications with this code:

    <div class="text-center">
    Have you seen this new website called <a href="/?redirect=http://www.google.com">Google</a>?
    </div>

which is basically doing the following redirection:
https://5tu13b6m.machetevault.com/?redirect=http://www.google.com

You can test adding something else after the .com to confirm whether some restriction exists. What about if an SSO login exists?

/x// WAY
Following the flow is a way to understand the filters: maybe the auth URL is required at the beginning, at the end, etc. In the following example the SSO uses a subdomain at the beginning of the URL, "auth"; however, the bypass needs to be attempted using the redirect parameter.
example: https://auth.vault.machete.com/auth?client_id=1&redirect_url=https://vault.machete.com/&response_type=token

Another way is to bypass the REGEX pattern rather than the redirect feature itself. It is similar to the previous examples; however, it modifies the query to add /x//URL, which forces the regex to look for // and call whatever comes after it.
example: https://auth.vault.machete.com/auth?client_id=1&redirect_url=https://vault.machete.com/x//evilsite.com/&response_type=token

@ WAY
Sometimes you can use the @ symbol, which is used for usernames in URLs, to force the application in some way to bypass the filtering.
example: https://auth.vault.machete.com/auth?client_id=1&redirect_url=https://[email protected]/&response_type=token

HOW TO PIVOT FROM OPEN REDIRECT TO XSS?
1. First you need to confirm whether the open redirect exists or not. You can see a URL similar to the previous ones, or it can be a little different to make it harder.
example: this URL is encoded
https://auth.b2.com/move?next=https%3A%2F%2Fsite.ctf%2Foauth%2Flogin%2F%3Fclient_id%3D1%26redirect_url%3Dhttps%3A%2F%2Fauth.b2.com
this is the same URL decoded:
https://auth.b2.com/move?next=https://site.ctf/oauth/login/?client_id=1&redirect_url=https://auth.b2.com
** You can always inspect the code to confirm the redirect code.

2. A simple test of the previous URL will be something similar to this:
https://auth.vault.com/leaving?next=https://evilsite.com

3. After inspecting, if you see that evilsite is added to the page, you can add HTML functionality to trigger some kind of XSS; for example it can be an onclick event, an onmouseover event, etc.
https://auth.vault.com/leaving?next=https://evilsite.com" onclick="alert('XSS')
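As an added, defender-side example (not code from the original page or from the site it describes), the Python below contrasts the substring-style whitelist that the "?", "/x//" and "@" examples above get past with a validator that parses the target and compares the real hostname, and shows the attribute escaping that closes the XSS pivot in the last section. The allowlist and the sample targets are constructed from the hosts that appear on this page; "[email protected]" on the page is extraction residue, so the userinfo sample is rebuilt with the page's own hosts and is an assumption, not the page's original URL.

```python
import html
import re
from urllib.parse import urlsplit

# Constructed allowlist (assumption): the only hosts the login page may
# ever send a user to, taken from the examples on this page.
ALLOWED_HOSTS = {"machetevault.com", "vault.machete.com", "google.com"}


def naive_allowlist_check(target: str) -> bool:
    """The weak pattern the page's examples defeat: the target is 'allowed'
    if an allowlisted host string appears anywhere in it. Kept here only
    to show why it fails; never use this."""
    return any(host in target for host in ALLOWED_HOSTS)


def is_safe_redirect(target: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Return True only for a same-site relative path or an https URL whose
    parsed hostname is exactly on the allowlist.

    Validating the *parsed* hostname is what makes the validator and the
    browser agree on where the redirect lands, so a host hidden after '?',
    after '//' inside the path, or before '@' no longer matters."""
    if not target or any(c in target for c in "\\\r\n\t "):
        # Backslashes and whitespace never belong in a redirect target.
        return False
    try:
        parts = urlsplit(target)
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return False

    if parts.scheme == "" and parts.netloc == "":
        # Relative path: must start with exactly one '/', so it cannot be
        # read as a protocol-relative URL (//host/...).
        return re.match(r"^/(?!/)", parts.path) is not None

    if parts.scheme != "https":
        return False
    # The '@' trick: userinfo present means the real host is after '@'.
    if parts.username is not None or parts.password is not None:
        return False
    if port is not None:
        return False
    return parts.hostname in allowed_hosts


def render_leaving_link(target: str) -> str:
    """Build the 'you are leaving' anchor the XSS section reflects into.
    The target is validated first and then attribute-escaped, so a quote
    inside an otherwise valid target cannot break out of href."""
    safe_target = target if is_safe_redirect(target) else "/"
    return '<a href="%s">Continue</a>' % html.escape(safe_target, quote=True)


if __name__ == "__main__":
    # Constructed samples mirroring the page's examples.
    samples = [
        "https://google.com",
        "https://deadbomb.com/?https://google.com",
        "https://vault.machete.com/x//evilsite.com/",
        "https://vault.machete.com@evilsite.com/",   # assumed '@' form
        "//evilsite.com/",
        "/dashboard",
        "https://evilsite.com\" onclick=\"alert('XSS')",
    ]
    for s in samples:
        print(f"{s!r}: naive={naive_allowlist_check(s)} safe={is_safe_redirect(s)}")
```

The contrast worth noticing is the "/x//evilsite.com/" case: the naive check and the parsing check both return True, but for different reasons. The substring check is right by accident, while the parser is right because a browser really does stay on vault.machete.com for that URL; only a hand-written regex that hunts for "//" would send the user elsewhere. Escaping in render_leaving_link is kept even after validation because a valid host can still carry a quote in its query string.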
©® - Since 2023