Before opening up with day 1, I’d like to give a big shout out to Peter Yaworski for his amazing contribution to the infosec community with his book Real-World Bug Hunting. The following days will describe some of the vulnerabilities and attack scenarios explained in this book.
From Sam (CoffeeJunkie): the first chapters of Peter Yaworski's Real-World Bug Hunting explain how an open redirect can be combined with other attacks, enabling an attacker to distribute malware from a site they control or to steal OAuth tokens. How important and valuable an open redirect is depends on where the vulnerability is found.
Open redirects usually hide behind URL parameters that carry a destination. The parameter goes by many names; some common ones are
next, redirect, url, r, u, domain_name and return_to. To find them, look closely at the URLs the site generates, including the ones it sends you through on the way somewhere else.
Some open redirects live in the page itself rather than in the URL: in <meta> refresh tags in the HTML, or in JavaScript that writes the destination into window.location in the DOM. Each of the following assignments sends the browser to the new location:
window.location = "https://www.google.com/";
window.location.href = "https://www.google.com/";
window.location.replace("https://www.google.com/");
Ways to bypass open redirect protection
- If the website doesn’t let you put a different domain in the URL, this can be one way around it.
- If the website only accepts URLs on its own domain, you can try the following.
- Shopify login open redirect (one of the book's examples)
- HackerOne interstitial redirect (another of the book's examples)
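The parameter hunting described earlier and the same-domain bypasses listed in this section, as one added Python example (this is not code from the post or from the book). example.com, the parameter names beyond the ones the post lists, and the bypass payloads are constructed for the example. It contrasts a weak check of the kind that lets these payloads through with a check that resolves the target the way a browser would before comparing hosts:

```python
"""Spotting redirect parameters and telling a bypassable check from a strict one.

Added example, not code from the post or from the book.  example.com, the
parameter names beyond the ones the post lists, and the payloads are constructed.
"""
from urllib.parse import parse_qsl, urljoin, urlsplit

# Query parameter names that commonly carry a post-login / post-action destination:
# the ones listed in the post plus a few common variants (constructed list).
REDIRECT_PARAMS = {
    "next", "redirect", "url", "r", "u", "domain_name", "return_to",
    "redirect_uri", "redirect_url", "return", "returnurl", "goto", "dest",
}


def candidate_redirect_params(url):
    """(name, value) pairs of query parameters in url that look like redirect targets."""
    return [
        (name, value)
        for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True)
        if name.lower() in REDIRECT_PARAMS
    ]


def weak_same_site(target, site_host):
    """A check many sites ship: the expected host must appear somewhere in the value,
    or the value must look like a relative path.  Both halves are bypassable."""
    return site_host in target or target.startswith("/")


def redirect_allowed(target, site_host):
    """Strict check: target must resolve, the way a browser resolves it, to an https
    URL on site_host itself.  urljoin follows RFC 3986 while browsers follow the
    WHATWG URL standard; they disagree on backslashes, embedded control characters
    and leading slash runs, so those forms are rejected up front instead of trusted."""
    if not target or target != target.strip():
        return False
    if any(ord(ch) < 0x20 for ch in target):      # browsers drop \t \r \n before parsing
        return False
    if "\\" in target or target.startswith("//"):  # \ is / to a browser; //host is scheme-relative
        return False
    resolved = urlsplit(urljoin(f"https://{site_host}/", target))
    try:
        resolved.port                              # malformed port, e.g. https://example.com:evil.com
    except ValueError:
        return False
    return resolved.scheme == "https" and resolved.hostname == site_host


# Constructed payloads of the kind used against "must contain our domain" or
# "must start with /" checks.
BYPASS_PAYLOADS = [
    "https://example.com.evil.com/",           # our host is just a label of a longer name
    "https://evil.com/?next=example.com",      # our host appears only in the query string
    "https://example.com@evil.com/",           # our host is the userinfo, evil.com is the host
    "//evil.com/",                             # scheme-relative: the browser keeps https
    "/\\evil.com/",                            # browsers read /\ as //
    "/\t/evil.com/",                           # tab is stripped by browsers, giving //evil.com
    "javascript:alert('example.com')",         # not a redirect at all
]


def compare_checks(site_host="example.com"):
    """(payload, weak verdict, strict verdict) for every bypass payload."""
    return [(p, weak_same_site(p, site_host), redirect_allowed(p, site_host))
            for p in BYPASS_PAYLOADS]


if __name__ == "__main__":
    login = "https://example.com/login?next=/account&lang=en&return_to=https://evil.com/"
    print("redirect params:", candidate_redirect_params(login))
    for payload, weak, strict in compare_checks():
        print(f"{payload!r:40} weak={weak!s:5} strict={strict}")
```

Every payload in the list passes weak_same_site and fails redirect_allowed, while plain relative paths and absolute URLs on the site pass both. The pre-resolution rejections matter because Python's urljoin keeps "/\evil.com/" on example.com and a browser does not; a check that only compares the parsed hostname would approve a redirect the browser sends elsewhere.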
Some Shodan Tricks
From Rajesh Ranjan, who is curious about what Shodan can do. He has been exploring different ways of obtaining a company's assets on Shodan using its ASN (autonomous system number).
Finding company assets using ASN on Shodan
Look up the company's ASN in the Hurricane Electric BGP Toolkit (bgp.he.net), then search Shodan for that number with the asn: filter, for example asn:AS64496 (a reserved example number).
Finding Kubernetes information exposure on Shodan
Shodan has a great set of filters for finding the products that companies and organizations run in their infrastructure. To find exposed Kubernetes information, do the following.
In Shodan, type the following filter:
If the search turns up hosts belonging to the company you are looking at, you can try the following in the URL.
If it answers, it exposes information that should be private.
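An added Python example for the ASN walk above and for sorting its results; this is not the contributor's own script. It assumes the ASNs were read off bgp.he.net by hand and that results come from the official shodan library's shodan.Shodan(API_KEY).search(query, page=...), which returns a dict with total and matches. The search callable here is an offline stand-in over a constructed sample so the script runs without a key, and flagging hosts on the product field is this example's own heuristic, not the Shodan filter or the URL path the post refers to:

```python
"""Collecting a company's Shodan results by ASN and picking out Kubernetes hosts.

Added example, not the contributor's script.  ASNs are assumed to have been
read off bgp.he.net; `search` stands in for shodan.Shodan(API_KEY).search,
and SAMPLE_RESULTS is a constructed response in the shape that call returns.
"""

PAGE_SIZE = 100  # results per page returned by the Shodan search API


def asn_queries(asns, extra_filters=""):
    """Build one Shodan query per ASN, normalising '64496' and 'as64496' to 'AS64496'."""
    queries = []
    for asn in asns:
        asn = str(asn).strip().upper()
        if not asn.startswith("AS"):
            asn = "AS" + asn
        query = f"asn:{asn}"
        if extra_filters:
            query += " " + extra_filters
        queries.append(query)
    return queries


# Constructed sample: 203.0.113.0/24 is a documentation range and AS64496 is a
# reserved example ASN.  Each match carries only the fields this script reads.
SAMPLE_RESULTS = {
    "asn:AS64496": {
        "total": 3,
        "matches": [
            {"ip_str": "203.0.113.10", "port": 443, "asn": "AS64496",
             "product": "nginx", "hostnames": ["www.example.com"]},
            {"ip_str": "203.0.113.20", "port": 6443, "asn": "AS64496",
             "product": "Kubernetes", "hostnames": []},
            # The same service can show up twice across scans; it has to be deduplicated.
            {"ip_str": "203.0.113.10", "port": 443, "asn": "AS64496",
             "product": "nginx", "hostnames": ["www.example.com"]},
        ],
    },
}


def fake_search(query, page=1):
    """Offline stand-in for shodan.Shodan(API_KEY).search(query, page=page)."""
    result = SAMPLE_RESULTS.get(query, {"total": 0, "matches": []})
    if page > 1:
        return {"total": result["total"], "matches": []}
    return result


def collect_assets(search, asns):
    """Page through every ASN query and return unique (ip, port) services with metadata."""
    assets = {}
    for query in asn_queries(asns):
        page = 1
        while True:
            result = search(query, page=page)
            matches = result.get("matches", [])
            for match in matches:
                key = (match["ip_str"], match["port"])
                assets.setdefault(key, {
                    "asn": match.get("asn"),
                    "product": match.get("product", ""),
                    "hostnames": match.get("hostnames", []),
                })
            # Stop when the page came back empty or every reported result is covered.
            if not matches or page * PAGE_SIZE >= result.get("total", 0):
                break
            page += 1
    return assets


def kubernetes_candidates(assets):
    """Base URLs of services whose product banner names Kubernetes.
    Matching on the product field is this example's heuristic (an assumption);
    the Shodan filter and the path to check afterwards are the ones the post refers to."""
    return sorted(
        f"https://{ip}:{port}/"
        for (ip, port), meta in assets.items()
        if "kubernetes" in meta["product"].lower()
    )


if __name__ == "__main__":
    # With a real key: from shodan import Shodan; search = Shodan(API_KEY).search
    found = collect_assets(fake_search, ["AS64496"])
    for (ip, port), meta in sorted(found.items()):
        print(ip, port, meta["asn"], meta["product"], ",".join(meta["hostnames"]))
    print("Kubernetes candidates:", kubernetes_candidates(found))
```

Swap fake_search for the real client's search method and the rest is unchanged; the loop stops on an empty page as well as on the reported total, so a query whose total shrinks between pages does not spin. Anything the script prints is a lead to verify by hand, not a finding.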
Open redirects and the different Shodan filters can surface different kinds of vulnerabilities. Keep the ways of bypassing open redirect protection in mind, and be creative with Shodan filters to get the most out of a target.
This has been put together by noobs, for noobs, for the infosec community.