OPEN REDIRECTION
This vulnerability arises when an application takes user-controlled input and uses it to perform a redirection. Open redirects are often considered low-impact vulnerabilities; however, that doesn't mean that open redirect attacks are not a threat. One of the main uses for this vulnerability is to make phishing attacks more credible and effective.
Let’s see how to identify and exploit open redirects.
The first step to locating open redirection vulnerabilities is to identify every instance within the application where a redirection occurs.
An effective way to do this is to walk through the application using an intercepting proxy (such as Burp Suite) and monitor the requests made for pages. Depending on the architecture of a vulnerable website, redirection could happen after a certain action, such as login, and sometimes it could happen instantaneously when a page loads.
A web search is one of the best ways to find open redirects on your own website and across the wider Internet. Google Search (dorks) allows great flexibility in writing search queries, including queries that search specifically through the URLs of pages.
Finding entry points to test for open redirects:
[+] Burp Proxy history & Burp Sitemap (look at URLs with parameters)
[+] Google dorking. E.g.: site:target.com inurl:redirectURL=http (this looks for all URLs in the domain that contain 'redirectURL=http' somewhere in the URL)
link → openredirectParams: here you can find the most common parameters that are used for redirection.
[+] Waybackurls
This is a passive URL fuzzing tool that fetches known URLs from the Wayback Machine.
target → testphp.vulnweb.com
From this result we can search for any redirection URL.
[+] Paramspider
It mines parameters from web archives just like waybackurls, but with more features.
By default, this tool finds all URLs of the domain that contain parameters, converts each parameter value to FUZZ (for further use) and saves the output; if no output location is configured at run time, it saves to a text file named after the domain (e.g. output/testphp.vulnweb.com.txt).
[+] OpenRedireX
OpenRedireX is an automated script written in Python that tests a single URL or multiple URLs for open redirection vulnerabilities by inserting open redirection payloads into the URL parameter and analyzing the response from the server. It ships with a payload list that can be customized, and it also allows users to supply their own payload list.
Let's reuse the output file from Paramspider, which makes our job easier.
By default this tool has a payloads.txt file containing payloads, and while executing it replaces the keyword FUZZ with the payloads.
From the result, check any URL by pasting the link in a browser and confirm that the page is redirecting.
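The URL lists collected above can also be triaged offline, without sending any requests, to pick out the parameters worth reviewing on your own site. The Python code below is an added example, not part of the original write-up or of any tool named here; the parameter-name list, the host app.example and the sample URLs are assumptions constructed for illustration.

```python
from urllib.parse import parse_qsl, urlsplit

# Assumed list of common redirect parameter names (constructed for this example).
REDIRECT_PARAMS = {"redirect", "redirecturl", "redirect_uri", "url", "next",
                   "return", "returnto", "return_url", "dest", "goto", "continue"}

def safe_split(u):
    try:
        return urlsplit(u.strip())
    except ValueError:  # archived URL lists can contain malformed entries
        return None

def target_host(value):
    """Host a parameter value points at, or None if it is not an absolute URL."""
    v = value.strip()
    parts = safe_split("http:" + v if v.startswith("//") else v)  # //host/path
    if parts and parts.scheme in ("http", "https") and parts.hostname:
        return parts.hostname.lower()
    return None

def find_redirect_candidates(urls):
    """Flag query parameters that look like redirect targets. Sends no requests."""
    findings = []
    for url in urls:
        parts = safe_split(url)
        if parts is None:
            continue
        site = (parts.hostname or "").lower()
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            host = target_host(value)
            if host:
                reason = "absolute URL, " + ("same host" if host == site else "another host")
            elif name.lower() in REDIRECT_PARAMS:
                reason = "redirect-style parameter name"
            else:
                continue
            findings.append({"url": url.strip(), "param": name, "value": value, "reason": reason})
    return findings

# Constructed sample input, in the shape of a waybackurls/Paramspider output file.
SAMPLE = [
    "http://app.example/listproducts.php?cat=1",
    "http://app.example/redir.php?r=http://example.org/",
    "http://app.example/login.php?redirectURL=/userinfo.php",
    "http://app.example/showimage.php?file=FUZZ",
    "http://app.example/go.php?next=//example.org/home",
]

if __name__ == "__main__":
    for f in find_redirect_candidates(SAMPLE):
        print(f["param"], "|", f["reason"], "|", f["url"])
```

Parameters flagged "another host" are the ones to review first in the application code, since their values already carry a full external URL.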