Testing for Open Redirect Vulnerabilities
When to Use
- When testing login/logout flows that redirect users to specified URLs
- During assessment of OAuth authorization endpoints with redirect_uri parameters
- When auditing applications with URL parameters (next, url, redirect, return, goto, target)
- During phishing simulation to chain open redirects with credential harvesting
- When testing SSO implementations for redirect validation weaknesses
Prerequisites
- Burp Suite or OWASP ZAP for intercepting redirect requests
- Collection of open redirect bypass payloads
- External domain or Burp Collaborator for redirect confirmation
- Understanding of URL parsing and encoding schemes
- Browser with developer tools for observing redirect chains
- Knowledge of HTTP 301/302/303/307/308 redirect status codes
Legal Notice: This skill is for authorized security testing and educational purposes only. Unauthorized use against systems you do not own or have written permission to test is illegal and may violate computer fraud laws.
Workflow
Step 1 — Identify Redirect Parameters
```bash
# Common redirect parameter names to test:
# ?url= ?redirect= ?next= ?return= ?returnUrl= ?goto= ?target=
# ?dest= ?destination= ?redir= ?redirect_uri= ?continue= ?view=

# Search for redirect parameters in the application
# Use Burp Suite to crawl and identify all parameters

# Test basic redirect
curl -v "http://target.com/login?next=https://evil.com"
curl -v "http://target.com/logout?redirect=https://evil.com"
curl -v "http://target.com/oauth/authorize?redirect_uri=https://evil.com"
```
Step 2 — Test Basic Open Redirect Payloads
```bash
# Direct external URL

# Protocol-relative URL

# URL with @ symbol (userinfo abuse)

# Backslash-based redirect

# Null byte injection
```
Step 3 — Apply Validation Bypass Techniques
```bash
# Subdomain confusion bypass

# URL encoding bypass

# Double URL encoding

# Mixed case protocol

# CRLF injection in redirect

# JavaScript protocol

# Data URI
curl -v "http://target.com/redirect?url=data:text/html,<script>alert(1)</script>"
```
Step 4 — Test Path-Based Redirects
```bash
# Relative path injection
curl -v "http://target.com/redirect?url=/\evil.com"
curl -v "http://target.com/redirect?url=/.evil.com"

# Path traversal with redirect

# Fragment-based bypass

# Parameter pollution for redirect
```
Step 5 — Chain with Other Vulnerabilities
```bash
# Chain with OAuth for token theft
# Step 1: Find open redirect on target.com
# Step 2: Use it as redirect_uri in OAuth flow

# Chain with phishing
# Create convincing phishing page at evil.com
# Use open redirect: http://target.com/redirect?url=https://evil.com/login
# Victim sees target.com in the initial URL

# Chain with XSS via javascript: protocol
```
Step 6 — Automate Open Redirect Testing
```bash
# Use OpenRedireX for automated testing
python3 openredirex.py -l urls.txt -p payloads.txt --keyword FUZZ

# Use gf tool to extract redirect parameters from URLs
cat urls.txt | gf redirect | sort -u > redirect_params.txt

# Mass test with nuclei
echo "http://target.com" | nuclei -t http/vulnerabilities/generic/open-redirect.yaml

# Test with ffuf
ffuf -w open-redirect-payloads.txt -u "http://target.com/redirect?url=FUZZ" -mr "Location: https://evil"
```
Key Concepts
| Concept | Description |
|---|---|
| Unvalidated Redirect | Application redirects to user-supplied URL without checking destination |
| URL Parsing Inconsistency | Different libraries parse URLs differently, enabling bypass |
| Protocol-Relative URL | Using // prefix to redirect while inheriting current protocol |
| Userinfo Abuse | Using @ symbol to make URL appear to belong to trusted domain |
| Open Redirect Chain | Combining multiple open redirects or chaining with other vulnerabilities |
| DOM-Based Redirect | Client-side JavaScript performing redirect using attacker-controlled input |
| Meta Refresh Redirect | HTML meta tag performing redirect without server-side 302 |
Tools & Systems
| Tool | Purpose |
|---|---|
| OpenRedireX | Automated open redirect vulnerability testing tool |
| Burp Suite | HTTP proxy for intercepting and modifying redirect parameters |
| gf (tomnomnom) | Pattern matcher to extract redirect parameters from URL lists |
| nuclei | Template-based scanner with open redirect detection templates |
| ffuf | Fuzzer for mass-testing redirect parameter payloads |
| OWASP ZAP | Automated scanner with open redirect detection |
Common Scenarios
- Phishing Amplification — Use open redirect on a trusted domain to lend credibility to phishing URLs targeting users
- OAuth Token Theft — Exploit open redirect as redirect_uri in OAuth flows to steal authorization codes and access tokens
- SSO Bypass — Redirect SSO authentication responses to attacker-controlled servers to capture session tokens
- XSS via Redirect — Chain open redirect with javascript: protocol to achieve cross-site scripting
- Referer Leakage — Use open redirect to leak sensitive tokens in Referer headers when redirecting to external sites
Output Format
```markdown
Open Redirect Assessment Report
- Target: http://target.com
- Vulnerable Parameters Found: 3
- Bypass Techniques Required: URL encoding, userinfo abuse

Findings
| # | Endpoint | Parameter | Payload | Impact |
|---|---|---|---|---|
| 1 | /login | next | //evil.com | Phishing |
| 2 | /oauth/authorize | redirect_uri | https://target.com@evil.com | Token Theft |
| 3 | /logout | return | https://evil.com%00.target.com | Session Redirect |

Remediation
- Implement allowlist of permitted redirect destinations
- Validate redirect URLs server-side using strict URL parsing
- Reject any redirect URL containing external domains
- Use indirect reference maps instead of direct URL parameters
```
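As an added example (not part of this skill document or any of the tools it names), a Python validator that implements the remediation points from the report template above and is checked against the bypass techniques from Steps 2 to 4: it resolves the parameter against the application's own origin, allowlists the resolved netloc, and emits the resolved URL rather than the raw input. The origin target.com, the allowlist and the sample inputs are assumptions for illustration.

```python
from typing import Optional
from urllib.parse import unquote, urljoin, urlsplit

# Hypothetical application origin and allowlist (assumptions for this example)
APP_ORIGIN = "https://target.com/"
ALLOWED_NETLOCS = {"target.com", "www.target.com"}


def naive_is_safe(url: str) -> bool:
    """The kind of check the bypasses above defeat: 'starts with /' or
    'contains our domain somewhere'."""
    return url.startswith("/") or "target.com" in url


def safe_redirect_target(url: str) -> Optional[str]:
    """Return the canonical URL to emit in Location, or None so the caller
    falls back to a default page. The check runs on the *resolved* URL,
    and the resolved URL is what gets emitted, so the validator and the
    browser can never disagree about the destination."""
    # CRLF and null bytes only appear after percent-decoding ("%0d%0a",
    # "%00"), so inspect both the raw value and its decoded form.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in url + unquote(url)):
        return None
    # Browsers treat "\" as "/" in http(s) URLs, so "/\evil.com" becomes
    # "//evil.com"; urllib does not, so reject backslashes outright.
    if "\\" in url:
        return None
    # Resolve against our own origin: "/account" stays on target.com, while
    # "//evil.com", "https://evil.com#target.com" and "https://target.com@evil.com"
    # all resolve to a foreign netloc.
    resolved = urljoin(APP_ORIGIN, url)
    parts = urlsplit(resolved)
    if parts.scheme != "https":  # drops javascript:, data:; case is normalised
        return None
    # Compare the whole netloc, so userinfo ("user@") or a port never slip through
    if parts.netloc.lower() not in ALLOWED_NETLOCS:
        return None
    return resolved


# Constructed sample inputs drawn from the bypass techniques in Steps 2 to 4
SAMPLE_PAYLOADS = [
    "/account", "//evil.com", "/\\evil.com", "https://target.com@evil.com",
    "https://evil.com%00.target.com", "/%0d%0aX-Injected:1", "javascript:alert(1)",
    "HTTPS://evil.com", "https://evil.com#target.com", "https://target.com.evil.com",
]

if __name__ == "__main__":
    for p in SAMPLE_PAYLOADS:
        print(f"{p!r:38} naive={naive_is_safe(p)!s:5} strict={safe_redirect_target(p)}")
```

Running the block prints, for each sample, which inputs the naive check would have accepted and which survive the strict validator (only the relative path does).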