Template
id: open-redirect
info:
name: Open Redirect Detection
author: princechaddha,AmirHossein Raeisi,asad
severity: medium
metadata:
max-request: 1
tags: redirect,dast
http:
- pre-condition:
- type: dsl
dsl:
- 'method == "GET"'
payloads:
redirect:
- "oast.me"
fuzzing:
- part: query
mode: single
keys:
- AuthState
- URL
- _url
- red
- redirect_url_path
- landingPage
- callback
- checkout
- checkout_url
- content
- continue
- continueTo
- counturl
- data
- dest
- dest_url
- destination
- dir
- document
- domain
- done
- download
- feed
- file
- file_name
- file_url
- folder
- folder_url
- forward
- from_url
- go
- goto
- host
- html
- http
- https
- image
- image_src
- image_url
- imageurl
- img
- img_url
- include
- langTo
- load_file
- load_url
- login_to
- login_url
- logout
- media
- navigation
- next
- next_page
- open
- out
- page
- page_url
- pageurl
- path
- picture
- port
- proxy
- r
- r2
- redir
- redirect
- redirectUri
- RedirectURL
- redirectUrl
- redirect_to
- redirect_uri
- redirect_url
- reference
- referrer
- req
- request
- ret
- retUrl
- return
- returnTo
- return_path
- return_to
- return_url
- rt
- rurl
- show
- site
- source
- src
- target
- to
- u
- uri
- url
- val
- validate
- view
- window
- back
- cgi
- follow
- home
- jump
- link
- location
- menu
- move
- nav
- orig_url
- out_url
- query
- auth
- callback_url
- confirm_url
- destination_url
- domain_url
- entry
- exit
- forward_url
- go_to
- goto_url
- home_url
- image_link
- load
- logout_url
- nav_to
- origin
- page_link
- redirect_link
- ref
- referrer_url
- return_link
- return_to_url
- source_url
- target_url
- to_url
- validate_url
- DirectTo
- relay
- page
- url
- ret
- r2
- img
- u
- return
- r
- URL
- next
- redirect
- redirectBack
- referer
- redir
- l
- aspxerrorpath
- image_path
- ActionCodeURL
- return_url
- link
- q
- location
- ReturnUrl
- uri
- referrer
- returnUrl
- forward
- file
- rb
- end_display
- urlact
- from
- goto
- path
- redirect_url
- old
- pathlocation
- successTarget
- returnURL
- urlsito
- newurl
- Url
- back
- retour
- odkazujuca_linka
- r_link
- cur_url
- H_name
- ref
- topic
- resource
- returnTo
- home
- node
- sUrl
- href
- linkurl
- returnto
- redirecturl
- SL
- st
- errorUrl
- media
- destination
- targeturl
- return_to
- cancel_url
- doc
- GO
- ReturnTo
- anything
- FileName
- logoutRedirectURL
- list
- startUrl
- service
- redirect_to
- end_url
- _next
- noSuchEntryRedirect
- context
- returnurl
- ref_url
fuzz:
- "https://{{redirect}}"
- part: query
mode: single
values:
- "https?://" # Replace HTTP URLs with alternatives
fuzz:
- "https://{{redirect}}"
stop-at-first-match: true
matchers-condition: and
matchers:
- type: regex
part: header
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)(?:[a-zA-Z0-9\-_\.@]*)oast\.me\/?(\/|[^.].*)?$'
- type: status
status:
- 301
- 302
- 307
Last updated