bp Open Redirect

Posted by sec875 on 2024-10-08

See: https://www.bugbountyhunter.com/vulnerability/?type=open_redirect
See: https://portswigger.net/web-security/ssrf#bypassing-ssrf-filters-via-open-redirection
See: https://portswigger.net/web-security/dom-based/open-redirection/lab-dom-open-redirection

Lab: DOM-based open redirection
https://portswigger.net/web-security/dom-based/open-redirection/lab-dom-open-redirection

Find the DOM sink with Inspect Element (for DOM-based issues, inspect the live DOM rather than the page source).

Console: debug

var urlMatch = /url=(https?:\/\/.+)/.exec(location);   // any absolute http(s) URL in the query string is accepted
console.log("URL Match:", urlMatch);                    // inspect the match result
var returnUrl = urlMatch ? urlMatch[1] : "/";
console.log("Return URL:", returnUrl);                  // inspect the final redirect URL
location.href = returnUrl;                              // attacker-controlled value reaches the sink: open redirect
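As an added example (not from the post or the lab), the vulnerable regex sink above is shown beside a hardened version that only redirects to a path on the current origin; the hostnames are constructed and nothing touches a real `location`.

```javascript
// Vulnerable pattern from the lab: the regex accepts any absolute http(s) URL
// found after "url=", so a foreign host is returned unchanged.
function vulnerableReturnUrl(href) {
  const m = /url=(https?:\/\/.+)/.exec(href);
  return m ? m[1] : "/";
}

// Hardened version: parse the "url" parameter with the URL API, resolve it
// against the current origin, and accept it only if it stays on that origin.
// Absolute foreign URLs, scheme-relative "//host" values, and non-http schemes
// such as "javascript:" all fall back to "/".
function safeReturnUrl(href, currentOrigin) {
  let target;
  try {
    const origin = new URL(currentOrigin).origin;        // normalise, e.g. drop a trailing slash
    const raw = new URL(href).searchParams.get("url") || "/";
    target = new URL(raw, origin);                       // relative paths resolve against our origin
    if (target.origin !== origin) return "/";
    if (target.protocol !== "https:" && target.protocol !== "http:") return "/";
  } catch (e) {
    return "/";                                          // unparsable input never reaches the sink
  }
  // Return only path + query + fragment so the redirect is always same-origin.
  return target.pathname + target.search + target.hash;
}

// Constructed sample: a page on shop.example whose "url" parameter carries a foreign host.
const sample = "https://shop.example/post?postId=4&url=https://evil.example";
console.log(vulnerableReturnUrl(sample));                // https://evil.example
console.log(safeReturnUrl(sample, "https://shop.example")); // /
```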


Main sinks:

location
location.host
location.hostname
location.href
location.pathname
location.search
location.protocol
location.assign()
location.replace()
open()
element.srcdoc
XMLHttpRequest.open()
XMLHttpRequest.send()
jQuery.ajax()
$.ajax()