Open Redirection
Last updated
Step 1: Go to the hacking challenge (the URL will be different for each user): http://13.126.231.126/Open-Redirection/Variant-2/#
Step 2: Open Burp Suite and turn the intercept on.
Step 3: Now click on the ‘track shipment’ button in the browser and intercept the request.
Step 4: Now go to Burp Suite and it will show you the intercepted request.
Step 5: Send this request to the Repeater (Ctrl+R) and turn off the intercept. Then move to the ‘Repeater’ tab. You will see this parameter: /Open-Redirection/Variant-2/redirect.php?dest=dhl.com/track/125625659
Step 6: Remove the dhl.com/track/125625659 part from the parameter and replace it with google.com (or any other domain, e.g. any.com).
Step 7: Then click on Go.
Step 8: Now right click in the ‘Response’ section and select the ‘Show response in browser’ option from the list.
Step 9: Copy the response URL and paste it into the browser that is configured to use Burp Suite. You will be redirected to google.com (or whichever site you entered).
Step 1: Go to the hacking challenge (the URL will be different for each user): http://13.126.231.126/Open-Redirection/Variant-3/
Step 2: Now in the browser, click on the login button (make sure Burp Suite is connected to the browser and intercept is off).
Step 3: Click on the profile icon given on the top right hand corner, and click on logout.
Step 4: Now open Burp Suite and look at what exactly happened when you clicked logout. You will see that a GET request was made to logout.php; click on it and you will see an HTTP request like this: GET /Open-Redirection/Variant-3/logout.php?to=http://52.66.135.171/Open-Redirection/Variant-3 It seems that the website redirects to whatever URL we enter after to=. Let’s check that.
Step 5: Now send this request to the repeater(ctrl+r).
Step 6: In the ‘Repeater’ section, change the request as follows. The original request is logout.php?to=http://13.126.231.126/Open-Redirection/Variant-3; remove everything after logout.php?to= and add any host, like this: logout.php?to=https://google.com/ You will see that the response is not a redirection (302); instead it is a 200 with an error saying: This URL doesn’t belong to 52.66.135.171 as it is not written anywhere in it. Quit fooling around! (The IP address will be different for each of you.) This means that the website is checking whether the to= value contains the URL of this same website.
Step 7: We can easily bypass this by using the following payload: logout.php?to=https://google.com/?http://52.66.135.171/Open-Redirection/Variant-3/ (replace the IP with the one you see in the error). When you put this in the Repeater, you will see that the response is now a 302 (redirection) instead of a 200, which means that you have bypassed the filter: the site URL is present in the parameter, but only as the query string of an attacker-chosen URL.
Step 8: In the request tab of the Repeater, right click and choose ‘Copy URL’. Now paste the URL into the browser. It should look something like this: http://52.66.49.251/Open-Redirection/Variant-3/logout.php?to=https://google.com/?http://52.66.49.251/Open-Redirection/Variant-3/ Opening this should redirect to Google, which completes the challenge.
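The two filters seen above (Variant 2 has none; Variant 3 only checks that the site URL appears somewhere in the value) can be modelled and contrasted with a check that a redirect endpoint should actually use. This is an added example written for this page, not the challenge’s own PHP: it models the Variant-3 substring check in Python and places a hardened target validator beside it, using the host 52.66.135.171 from the error message; the test inputs are constructed.

```python
from typing import Optional
from urllib.parse import urlparse

# Host of the challenge site, taken from the error message in Step 6.
SITE_HOST = "52.66.135.171"
SITE_ORIGIN = f"http://{SITE_HOST}"


def vulnerable_is_allowed(dest: str) -> bool:
    """Model of the Variant-3 filter: accept if the site origin appears
    anywhere in the string. This passes any attacker-chosen URL that merely
    mentions the site, e.g. inside its query string (the Step 7 payload)."""
    return SITE_ORIGIN in dest


def hardened_redirect_target(dest: str) -> Optional[str]:
    """Return the absolute URL to redirect to, or None to refuse.

    Accepts only (a) a plain local path, which is resolved against the site
    origin, or (b) an absolute http(s) URL whose authority is exactly
    SITE_HOST. Substring matching is never used, so the Step 7 bypass fails.
    """
    if not dest or any(c in dest for c in "\r\n\x00"):
        return None  # control characters could corrupt the Location header

    # Local path: exactly one leading slash. '//host' and '/\host' are
    # scheme-relative and would leave the site, so they are refused.
    if dest.startswith("/") and not dest.startswith(("//", "/\\")):
        return SITE_ORIGIN + dest

    parsed = urlparse(dest)
    if parsed.scheme not in ("http", "https"):
        return None  # bare 'google.com' (Variant 2 style) has no scheme
    # netloc must be exactly the site host: a different host, any userinfo
    # ('site@other') or a port would all make netloc differ.
    if parsed.netloc.lower() != SITE_HOST:
        return None
    return dest


def compare(dest: str) -> dict:
    """Show both verdicts side by side for one candidate 'to=' value."""
    return {
        "vulnerable_allows": vulnerable_is_allowed(dest),
        "hardened_target": hardened_redirect_target(dest),
    }
```

A server would use `hardened_redirect_target` and fall back to a fixed landing page whenever it returns None, rather than echoing the parameter into `Location`.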