
Open Redirect Vulnerability

This document describes different levels of difficulty in exploiting an open redirect vulnerability. In low difficulty, any URL can be redirected to. In medium, only relative or same-domain URLs can be used. In high, the URL must contain "info.php". In impossible difficulty, the system uses internal IDs instead of URLs to prevent redirection outside the allowed domain.


Open redirect vulnerability

DIFFICULTY: EASY (DVWA)

The redirect page has no limitations; you can redirect to anywhere you want.
GET /DVWA/vulnerabilities/open_redirect/source/low.php?redirect=https://youtube.com?id=1 HTTP/1.1
Host: 127.0.0.1:85
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Referer: http://127.0.0.1:85/DVWA/vulnerabilities/open_redirect/
Cookie: security=low; PHPSESSID=6v329g2qc4kitl036ff16ac5qn
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

Starting from this GET request, to redirect from this domain to another one we only need to change the "redirect=" parameter to "redirect=https://WebPreferida.com". The URL would look like this:
http://127.0.0.1:85/DVWA/vulnerabilities/open_redirect/source/medium.php?redirect=https://youtube.com?id=1

DIFFICULTY: MEDIUM (DVWA)

The code prevents you from using absolute URLs to take the user off the site, so you can either use
relative URLs to take them to other pages on the same site or a Protocol-relative URL.
GET /DVWA/vulnerabilities/open_redirect/source/low.php?redirect=info.php?id=1 HTTP/1.1
Host: 127.0.0.1:85
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Referer: http://127.0.0.1:85/DVWA/vulnerabilities/open_redirect/
Cookie: security=low; PHPSESSID=6v329g2qc4kitl036ff16ac5qn
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

At medium difficulty, the application detects when we change the URL to a full (absolute) one and will not allow travel to the external domain. One could try a different type of URL (an incomplete one?) so that the system does not detect it and external sites can be reached:
http://127.0.0.1:85/DVWA/vulnerabilities/open_redirect/source/medium.php?redirect=//youtube.com?id=1

DIFFICULTY: HIGH

The redirect page tries to lock you to only redirect to the info.php page, but does this by checking
that the URL contains "info.php".

The GET request is exactly the same, so I will not include it. The system now insists that the redirect value in the URL contain the "info.php" path it originally expects. To get past this check, we change the URL from this state:
http://127.0.0.1:85/DVWA/vulnerabilities/open_redirect/source/high.php?redirect=info.php?id=1
to this state, where we avoid the check:
http://127.0.0.1:85/DVWA/vulnerabilities/open_redirect/source/high.php?redirect=https://digi.ninja/?a=info.php

Basically, we add "info.php" indirectly.


DIFFICULTY: IMPOSSIBLE

Rather than accepting a page or URL as the redirect target, the system uses ID values to tell the
redirect page where to redirect to. This ties the system down to only redirect to pages it knows
about and so there is no way for an attacker to modify things to go to a page of their choosing.

Basically, the website has a list of IDs that are linked to directories or other URLs. It is therefore no longer possible to change the URL to a different one, because the site enforces a list and only knows the IDs implemented in that list.
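
The checks described at each level, modelled here as an added Python example (it is not DVWA's own source and not part of the original document). It runs the redirect values from the walkthrough through each check and reports which ones are accepted while still leaving the site. The function names, the regular expression used for the medium check and the ID table are assumptions.

```python
import re
from urllib.parse import urlsplit

SITE_HOST = "127.0.0.1:85"  # lab host from the requests above
# Constructed ID table for the ID-based design; IDs and paths are assumptions.
REDIRECT_TARGETS = {1: "info.php?id=1", 2: "info.php?id=2"}

def low_check(target):
    """Low: no restriction on the redirect value."""
    return True

def medium_check(target):
    """Medium: reject values containing an absolute http(s) scheme."""
    return re.search(r"https?://", target, re.IGNORECASE) is None

def high_check(target):
    """High: only require that 'info.php' appears somewhere in the value."""
    return "info.php" in target

def impossible_lookup(raw_id):
    """Impossible: the client sends an ID and the server chooses the URL."""
    if not (raw_id.isascii() and raw_id.isdigit()):
        return None
    return REDIRECT_TARGETS.get(int(raw_id))

def leaves_site(target):
    """True if a browser following this Location value lands on another host."""
    host = urlsplit(target).netloc.lower()
    return bool(host) and host != SITE_HOST

def audit(check, samples):
    """Values the check accepts even though they leave the site."""
    return [s for s in samples if check(s) and leaves_site(s)]

# Redirect values taken from the walkthrough above.
SAMPLES = [
    "info.php?id=1",
    "https://youtube.com?id=1",
    "//youtube.com?id=1",
    "https://digi.ninja/?a=info.php",
]

if __name__ == "__main__":
    for name, check in (("low", low_check), ("medium", medium_check), ("high", high_check)):
        print(name, "accepts off-site:", audit(check, SAMPLES))
    print("impossible:", impossible_lookup("1"), impossible_lookup("//youtube.com?id=1"))
```

Only the ID lookup returns nothing for every off-site value, because the destination string never comes from the request.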
