- The Guide to Finding and Reporting Web Vulnerabilities
- About the Author
- About the Tech Reviewer
- Foreword
- Introduction
- Who This Book Is For
- What Is In This Book
- Happy Hacking!
- 1 Picking a Bug Bounty Program
- 2 Sustaining Your Success
- 3 How the Internet Works
- 4 Environmental Setup and Traffic Interception
- 5 Web Hacking Reconnaissance
- 6 Cross-Site Scripting
- 7 Open Redirects
- 8 Clickjacking
- 9 Cross-Site Request Forgery
- 10 Insecure Direct Object References
- 11 SQL Injection
- 12 Race Conditions
- 13 Server-Side Request Forgery
- 14 Insecure Deserialization
- 15 XML External Entity
- 16 Template Injection
- 17 Application Logic Errors and Broken Access Control
- 18 Remote Code Execution
- 19 Same-Origin Policy Vulnerabilities
- 20 Single-Sign-On Security Issues
- 21 Information Disclosure
- 22 Conducting Code Reviews
- 23 Hacking Android Apps
- 24 API Hacking
- 25 Automatic Vulnerability Discovery Using Fuzzers
Hunting for Open Redirects
Let’s start by looking for a simple open redirect. You can find open redirects by using a few recon tricks to discover vulnerable endpoints and confirm the open redirect manually.
让我们从寻找简单的开放式重定向开始。您可以使用一些侦查技巧来发现易受攻击的端点,并手动确认开放式重定向。
Step 1: Look for Redirect Parameters
Start by searching for the parameters used for redirects. These often show up as URL parameters like the ones in bold here:
从寻找重定向所使用的参数开始。这些常常显示为像这里加粗的 URL 参数:
https://example.com/login? redirect=https://example.com/dashboard
https://example.com/login? redir=https://example.com/dashboard
https://example.com/login? next=https://example.com/dashboard
https://example.com/login? next=/dashboardOpen your proxy while you browse the website. Then, in your HTTP history, look for any parameter that contains absolute or relative URLs. An absolute URL is complete and contains all the components necessary to locate the resource it points to, like https://example.com/login . Absolute URLs contain at least the URL scheme, hostname, and path of a resource. A relative URL must be concatenated with another URL by the server in order to be used. These typically contain only the path component of a URL, like /login . Some redirect URLs will even omit the first slash ( / ) character of the relative URL, as in https://example.com/login?next=dashboard .
在浏览网站时打开代理,然后在 HTTP 历史记录中查找包含绝对或相对 URL 的任何参数。绝对 URL 是完整的,并包含定位其指向的资源所需的所有组件,例如 https://example.com/login。绝对 URL 至少包含资源的 URL 方案,主机名和路径。相对 URL 必须由服务器与另一个 URL 连接在一起才能使用。这些通常仅包含 URL 的路径组件,如/login。一些重定向 URL 甚至会省略相对 URL 的第一个斜杆(/)字符,例如 https://example.com/login?next=dashboard。
Note that not all redirect parameters have straightforward names like redirect or redir . For example, I’ve seen redirect parameters named RelayState , next , u , n , and forward . You should record all parameters that seem to be used for redirect, regardless of their parameter names.
请注意,并非所有的重定向参数都像 redirect 或 redir 那样名称简单直接。例如,我曾看到过以 RelayState、next、u、n 和 forward 命名的重定向参数。您应该记录所有似乎被用于重定向的参数,不管它们的参数名称如何。
In addition, take note of the pages that don’t contain redirect parameters in their URLs but still automatically redirect their users. These pages are candidates for referer-based open redirects. To find these pages, you can keep an eye out for 3 XX response codes like 301 and 302. These response codes indicate a redirect.
此外,注意那些 URL 中不包含重定向参数但仍自动重定向用户的页面。这些页面有可能存在基于引用的开放性重定向漏洞。要查找这些页面,您可以留意 301 和 302 等 3XX 响应代码,这些响应代码表示重定向。
Step 2: Use Google Dorks to Find Additional Redirect Parameters
Google dork techniques are an efficient way to find redirect parameters. To look for redirect parameters on a target site by using Google dorks, start by setting the site search term to your target site:
Google dork 技术是一种有效的查找重定向参数的方法。使用 Google dorks 在目标网站上查找重定向参数,首先要将站点搜索术语设置为目标站点。
site:example.comThen look for pages that contain URLs in their URL parameters, making use of %3D , the URL-encoded version of the equal sign (=). By adding %3D in your search term, you can search for terms like =http and =https , which are indicators of URLs in a parameter. The following searches for URL parameters that contain absolute URLs:
然后搜索包含其 URL 参数中的 URL 的页面,利用%3D,即等号(=)的 URL 编码版本。通过在搜索词中添加%3D,您可以搜索类似于=http 和=https 的术语,这些术语是参数中的 URL 指示器。以下搜索包含绝对 URL 的 URL 参数:
inurl:%3Dhttp site:example.comThis search term might find the following pages:
这个搜索词可能会找到以下页面:
https://example.com/login?next=https://example.com/dashboard
https://example.com/login?u=http://example.com/settingsAlso try using %2F , the URL-encoded version of the slash (/). The following search term searches URLs that contain =/ , and therefore returns URL parameters that contain relative URLs:
也可以尝试使用%2F,即斜杠(/)的 URL 编码版本。以下搜索词搜索包含=/ 的 URL,并因此返回包含相对 URL 的 URL 参数:
inurl:%3D%2F site:example.comThis search term will find URLs such as this one:
这个搜索词将会找到像这样的 URL 地址:
https://example.com/login?n=/dashboardAlternatively, you can search for the names of common URL redirect parameters. Here are a few search terms that will likely reveal parameters used for a redirect:
您也可以搜索常见的 URL 重定向参数名称。以下是一些可能会显示出用于重定向的参数的搜索词:
inurl:redir site:example.com
inurl:redirect site:example.com
inurl:redirecturi site:example.com
inurl:redirect_uri site:example.com
inurl:redirecturl site:example.com
inurl:redirect_uri site:example.com
inurl:return site:example.com
inurl:returnurl site:example.com
inurl:relaystate site:example.com
inurl:forward site:example.com
inurl:forwardurl site:example.com
inurl:forward_url site:example.com
inurl:url site:example.com
inurl:uri site:example.com
inurl:dest site:example.com
inurl:destination site:example.com
inurl:next site:example.comThese search terms will find URLs such as the following:
这些搜索词将找到以下的网址:
https://example.com/logout?dest=/
https://example.com/login?RelayState=https://example.com/home
https://example.com/logout?forward=home
https://example.com/login?return=home/settingsNote the new parameters you’ve discovered, along with the ones found in step 1.
请注意新发现的参数,以及步骤 1 中发现的参数。
Step 3: Test for Parameter-Based Open Redirects
Next, pay attention to the functionality of each redirect parameter you’ve found and test each one for an open redirect. Insert a random hostname, or a hostname you own, into the redirect parameters; then see if the site automatically redirects to the site you specified:
请注意每个重定向参数的功能,并针对每个参数测试是否存在开放式重定向漏洞。将随机主机名或您拥有的主机名插入重定向参数,然后查看网站是否自动重定向到您指定的网站:
https://example.com/login?n=http://google.com
https://example.com/login?n=http://attacker.comSome sites will redirect to the destination site immediately after you visit the URL, without any user interaction. But for a lot of pages, the redirect won’t happen until after a user action, like registration, login, or logout. In those cases, be sure to carry out the required user interactions before checking for the redirect.
有些网站在您访问 URL 之后会立即重定向到目标站点,无需用户交互。但是对于很多页面来说,在用户注册、登录或注销等用户操作之后才会进行重定向。在这些情况下,请务必在检查重定向之前完成必要的用户交互。
Step 4: Test for Referer-Based Open Redirects
Finally, test for referer-based open redirects on any pages you found in step 1 that redirected users despite not containing a redirect URL parameter. To test for these, set up a page on a domain you own and host this HTML page:
最后,在步骤 1 中发现的任何页面上进行基于引用者的开放重定向测试,尽管不包含重定向 URL 参数,仍会重定向用户。为了测试这些内容,请在您拥有的域上设置一个页面,并托管此 HTML 页面:
<html>
<a href="https://example.com/login">Click on this link!</a>
</html>Replace the linked URL with the target page. Then reload and visit your HTML page. Click the link and see if you get redirected to your site automatically or after the required user interactions.
请将链接的网址替换为目标页面。然后重新加载并访问您的 HTML 页面。点击链接,看看您是否会自动或在需要的用户交互后重定向到您的网站。
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论