Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/wfinn/redirex

tool that generates bypasses for open redirects
https://github.com/wfinn/redirex

bugbounty bypass pentesting

Last synced: 21 days ago
JSON representation

tool that generates bypasses for open redirects

Host: GitHub
URL: https://github.com/wfinn/redirex
Owner: wfinn
Created: 2022-02-25T09:39:15.000Z (almost 3 years ago)
Default Branch: main
Last Pushed: 2022-04-18T18:32:05.000Z (over 2 years ago)
Last Synced: 2024-08-05T17:29:44.848Z (4 months ago)
Topics: bugbounty, bypass, pentesting
Language: Go
Homepage:
Size: 24.4 KB
Stars: 46
Watchers: 2
Forks: 4
Open Issues: 0
Metadata Files:
- Readme: README.md

Awesome Lists containing this project

awesome-hacking-lists - wfinn/redirex - tool that generates bypasses for open redirects (Go)

README

        # redirex

This tool generates bypasses for open redirects.  

Many of the bypasses apply for software other than browsers, but I recommend thorough fuzzing there.

1) find a redirect on your target

2) generate list of payloads for the domain

3) use Intruder, ffuf or headless browsers to test payloads

4) do manual testing for app specific payloads if the redirect seems unusual

```sh

go install github.com/wfinn/redirex@latest

redirex -t target.tld -a attacker.tld

redirex -h # to see all options

```

## Bypasses

- relative urls e.g. /%09/attacker.tld

- when all subdomains are allowed e.g. https://attacker.tld#.target.tld

- chars that don't really end the host part e.g. https://target.tld&.attacker.tld

- IP based bypasses e.g. //2130706433 (use -ip to change)

- unescaped dots in regexes e.g. https://wwwxtarget.tld

- unicode normalization after checking host e.g. attacker.com%EF%BC%8F.target.com -> attacker.com/.target.com

- ...

Many bypasses require that you have catch all DNS for your domain.  

Some bypasses only work in Safari.

This tool does not create all possible permutations, but aims to generate a good amount.

## Finding Redirects

You can use these parameters at login, logout & register.

```

?Redirect=/Redirect&RedirectUrl=/RedirectUrl&ReturnUrl=/ReturnUrl&Url=/Url&action=/action&action_url=/action_url&backurl=/backurl&burl=/burl&callback_url=/callback_url&checkout_url=/checkout_url&clickurl=/clickurl&continue=/continue&data=/data&dest=/dest&destination=/destination&desturl=/desturl&ext=/ext&forward=/forward&forward_url=/forward_url&go=/go&goto=/goto&image_url=/image_url&jump=/jump&jump_url=/jump_url&link=/link&linkAddress=/linkAddress&location=/location&login=/login&logout=/logout&next=/next&origin=/origin&originUrl=/originUrl&page=/page&pic=/pic&q=/q&qurl=/qurl&recurl=/recurl&redir=/redir&redirect=/redirect&redirect_uri=/redirect_uri&redirect_url=/redirect_url&request=/request&return=/return&returnTo=/returnTo&return_path=/return_path&return_to=/return_to&rit_url=/rit_url&rurl=/rurl&service=/service&sp_url=/sp_url&src=/src&success=/success&target=/target&u=/u&u1=/u1&uri=/uri&url=/url&view=/view

```

To test for for redirects that require full urls use `echo "params" | sed 's#=/#=https://TARGETDOMAIN/#g'`.

You could also use my (currently experimental) tool [redirs](https://github.com/wfinn/stuff/tree/master/redirs) to do something like:

```sh

$ waybackurls target.tld | uro > urls.txt

$ redirs < urls.txt

from:  https://target.tld/logout.php?return=home

to:    https://target.tld/home.php

...

```

## Issues

- The order of the generated list is not ideal, manually tweaking it is recommended if you have many endpoints on the same target to get a hit faster.

---

Thanks to:

- @dbzer0 for https://github.com/dbzer0/ipfmt MIT License

- @jpillora for https://github.com/jpillora/go-tld MIT License

- @tomnomnom for https://github.com/tomnomnom/hacks/blob/master/unisub No License