
Detection in Open redirect gives false positive #1

Open · Sicks3c opened this issue Apr 10, 2020 · 5 comments

Comments


Sicks3c commented Apr 10, 2020

Hello

First of all, thanks for the tool.

I was trying to check your condition on open redirect and it seems like it will give false positive results due to the validation you are using:

```yaml
      - >-
        (StatusCode() >= 300 && StatusCode() < 400)
```

Which doesn't mean it 100% redirected to the evil destination.

```
➜  doorman.elisaviihde.fi cat open-redirect-fuzz-01-a6c01bf9310679b985b8d0343708c05648843f27
[open-redirect-fuzz-01] - http://doorman.elisaviihde.fi/google.com

GET http://doorman.elisaviihde.fi/google.com HTTP/1.1

--------------------------------------------------
302 Moved Temporarily HTTP/1.0
Location: https://doorman.elisaviihde.fi/google.com
Server: BigIP
Connection: close
Content-Length: 0
Total Length: 102
Response Time: 0.314296
```

Location should be google.com instead of https://doorman.elisaviihde.fi/google.com

I think the best way to match open redirect is with a regex that looks like this:

```
< location: (https?:)?[/\\]{2,}example.com
```

Replace example.com with the {dest}.
This should apply to Open-redirect-params.yaml as well.
Regards
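The false positive above, worked through as an added example (this is not code from the issue or from the jaeles project). It parses a raw HTTP response, then applies three rules side by side: the status-code-only condition from the original signature, the Location regex proposed in the comment (with the destination escaped so its dot is literal), and a stricter check that parses Location the way a browser would and compares the resulting host to the destination. The sample responses are constructed; the first is the one pasted in the issue, the others (including the `target.example` host) are hypothetical and exist to show where the regex and the host comparison disagree.

```python
"""Deciding whether a 3xx response is an open redirect to the fuzz destination."""
import re
from typing import Dict, Tuple
from urllib.parse import urlsplit

# Constructed sample, copied from the issue: a 302 that stays on the target host.
FALSE_POSITIVE = (
    "302 Moved Temporarily HTTP/1.0\r\n"
    "Location: https://doorman.elisaviihde.fi/google.com\r\n"
    "Server: BigIP\r\n"
    "Connection: close\r\n"
    "Content-Length: 0\r\n\r\n"
)
# Constructed sample: a genuine protocol-relative redirect to the destination.
TRUE_POSITIVE = "HTTP/1.1 302 Found\r\nLocation: //google.com/\r\n\r\n"
# Constructed sample (hypothetical host): destination only echoed in the query
# string of an on-site URL; the browser stays on target.example.
ECHOED_IN_QUERY = (
    "HTTP/1.1 302 Found\r\n"
    "Location: https://target.example/login?next=//google.com\r\n\r\n"
)
# Constructed sample (hypothetical host): destination in the userinfo part;
# the authority's host is target.example, not google.com.
USERINFO_TRICK = "HTTP/1.1 302 Found\r\nLocation: //google.com@target.example/\r\n\r\n"


def parse_response(raw: str) -> Tuple[int, Dict[str, str]]:
    """Return (status code, lower-cased header map) for a raw HTTP response.

    Accepts both 'HTTP/1.1 302 Found' and the '302 Moved Temporarily HTTP/1.0'
    form shown in the issue: the status is the first 3-digit token of line one.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    match = re.search(r"\b(\d{3})\b", lines[0])
    if not match:
        raise ValueError("no status code in status line: %r" % lines[0])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return int(match.group(1)), headers


def status_only_rule(status: int, headers: Dict[str, str], dest: str) -> bool:
    """The original signature condition: any 3xx is reported, Location is ignored."""
    return 300 <= status < 400


def location_regex_rule(status: int, headers: Dict[str, str], dest: str) -> bool:
    """The regex proposed in the issue, searched in the Location header.

    dest is passed through re.escape() so the dot in the hostname is literal.
    """
    location = headers.get("location")
    if location is None:
        return False
    pattern = r"(https?:)?[/\\]{2,}" + re.escape(dest)
    return re.search(pattern, location, re.IGNORECASE) is not None


def location_host_rule(status: int, headers: Dict[str, str], dest: str) -> bool:
    """Stricter check: parse Location like a browser and require host == dest."""
    if not 300 <= status < 400:
        return False
    location = headers.get("location")
    if location is None:
        return False
    # Browsers treat a backslash like a slash in the authority part,
    # so '/\google.com' is parsed as '//google.com'.
    parts = urlsplit(location.replace("\\", "/"))
    return (parts.hostname or "").lower() == dest.lower()


def verdicts(raw: str, dest: str) -> Dict[str, bool]:
    """Run all three rules on one raw response and report each verdict."""
    status, headers = parse_response(raw)
    return {
        "status_only": status_only_rule(status, headers, dest),
        "location_regex": location_regex_rule(status, headers, dest),
        "location_host": location_host_rule(status, headers, dest),
    }


if __name__ == "__main__":
    samples = [("false_positive", FALSE_POSITIVE), ("true_positive", TRUE_POSITIVE),
               ("echoed_in_query", ECHOED_IN_QUERY), ("userinfo_trick", USERINFO_TRICK)]
    for label, raw in samples:
        print(label, verdicts(raw, "google.com"))
```

On the issue's own response the status-only rule fires and both Location rules stay quiet, which is the fix the comment asks for. The last two constructed samples show the remaining gap in a substring regex: a destination echoed inside the query string, or placed in the userinfo before an `@`, still matches `//google.com` even though the browser never leaves the target host, so comparing the parsed host is the safer final check.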

j3ssie (Member) commented Apr 14, 2020

Thank you for the feedback.

I've just updated some fuzz signatures from my config to resolve that issue:
https://github.com/jaeles-project/jaeles-signatures/blob/master/fuzz/open-redirect/open-redirect-param-base.yaml
https://github.com/jaeles-project/jaeles-signatures/blob/master/fuzz/open-redirect/open-redirect-param.yaml

Let me know if you have any issue.

Sicks3c (Author) commented Apr 14, 2020

Thank you for the fast reply.
But apparently after the change it gets stuck like that:
[screenshot: stuck]

j3ssie (Member) commented Apr 15, 2020

Oops, forgot to update the path one.
It should be like this one:
[Screenshot from 2020-04-15 11-06-51]

Sicks3c (Author) commented Apr 29, 2020

Hello @j3ssie

Hope you are doing good.
Thanks again for the tool. I'm wondering if you can make nuclei signatures compatible with jaeles signatures.
Those signatures do not work with jaeles:
https://github.com/projectdiscovery/nuclei-templates

Sicks3c (Author) commented Apr 29, 2020

Tried to make one of my own, failed miserably:

```yaml
name: 'Upload file'
desc: 'Check in HTML if upload is possible'
rules:
    - id: upload-file
      reason: uploading
      detections:
          - >-
            RegexSearch("response", "<input[^>]+type=[\"']?file[\"']?")
```

j3ssie pushed a commit that referenced this issue Sep 7, 2020
update changes from project