Check: https://www.bugbountyhunter.com/vulnerability/?type=open_redirect
Check: https://portswigger.net/web-security/ssrf#bypassing-ssrf-filters-via-open-redirection
Check: https://portswigger.net/web-security/dom-based/open-redirection/lab-dom-open-redirection
Lab: DOM-based open redirection
https://portswigger.net/web-security/dom-based/open-redirection/lab-dom-open-redirection
Find the DOM sink in the inspected elements (note: for DOM-based bugs, read the live DOM in the inspector, not the page source).
Console (debugging):
var urlMatch = /url=(https?:\/\/.+)/.exec(location);
console.log("URL Match:", urlMatch); // inspect the regex match
var returnUrl = urlMatch ? urlMatch[1] : "/";
console.log("Return URL:", returnUrl); // inspect the final redirect target
location.href = returnUrl; // any attacker-supplied http(s) URL is followed: open redirect
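As an added example (not code from the lab or from PortSwigger), the lab's sink is shown beside a hardened version that resolves the url parameter with the URL API and only follows same-origin targets; shop.example and evil.example are constructed hostnames, and both functions take the page URL as a string so they run outside a browser (in the page you would pass location.href).

```javascript
// Vulnerable: mirrors the lab's sink. Any absolute http(s) URL found after
// "url=" is returned unchanged, so an attacker-controlled host is followed.
function vulnerableReturnUrl(currentUrl) {
  var urlMatch = /url=(https?:\/\/.+)/.exec(currentUrl);
  return urlMatch ? urlMatch[1] : "/";
}

// Hardened: parse the parameter with the URL API instead of a regex, resolve it
// against the page's own origin, and only allow a same-origin target.
// Anything else (other hosts, "//evil.example", "user@evil.example" tricks,
// javascript: URLs, unparsable input) falls back to "/".
function safeReturnUrl(currentUrl) {
  var page = new URL(currentUrl);
  var raw = page.searchParams.get("url");
  if (raw === null) return "/";
  var target;
  try {
    target = new URL(raw, page.origin); // relative paths resolve to our origin
  } catch (e) {
    return "/";
  }
  if (target.origin !== page.origin) return "/";
  // Return a relative URL so the redirect can never leave this origin.
  return target.pathname + target.search + target.hash;
}

// Constructed sample page URLs, as seen by the redirect script.
var SAMPLES = [
  "https://shop.example/post?postId=4&url=https://evil.example/phish",
  "https://shop.example/post?postId=4&url=https://shop.example@evil.example/",
  "https://shop.example/post?postId=4&url=https://shop.example/post/comment/confirmation?postId=4",
  "https://shop.example/post?postId=4"
];

// Returns [vulnerable result, hardened result] for every sample.
function compare() {
  return SAMPLES.map(function (u) {
    return [vulnerableReturnUrl(u), safeReturnUrl(u)];
  });
}
```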
Main sinks:
location
location.host
location.hostname
location.href
location.pathname
location.search
location.protocol
location.assign()
location.replace()
open()
element.srcdoc
XMLHttpRequest.open()
XMLHttpRequest.send()
jQuery.ajax()
$.ajax()