# info to search signature
# Jaeles fuzz signature for open redirects: it places redirect-style payloads
# in the path, query string and body of a request, then flags responses whose
# Location header or <meta http-equiv ...> tag refers to the `dest` value.
# A match means `dest` was reflected into a redirect target; confirm the
# redirect by hand before reporting it.
id: Open-Redirect
type: fuzz
info:
  name: Open Redirect
  risk: Low
  Author: Suraj Bhosale
# jaeles scan -p 'dest=example.com' or -p 'dest=http://example.com' or ...
# `dest` is the redirect destination the detections search for. It defaults to
# the `oob` template value and can be overridden with -p as shown above.
params:
  - dest: '{{.oob}}'
# Scheme and slash variants, one per line of the block scalar, referenced as
# {{.prefix}} by the generators and by the Location regex below.
# NOTE(review): presumably each line is expanded as a separate value -
# confirm against the Jaeles documentation.
variables:
  - prefix: |
      http://
      https://
      https:
      \/\/
      /\/
      /
      //
      ///
      ////
      ///;@
# Payload layout: <Domain>.<dest>/<URL>, so the destination host starts with
# the value of {{.Domain}} (presumably the scanned target's domain - confirm).
payloads:
  - "{{.Domain}}.{{.dest}}/{{.URL}}"
# NOTE(review): `method: GET` and `generators:` each start with "- ", so they
# are kept here as two separate list items. If a single GET request carrying
# the generators and detections was intended, they belong in one item -
# confirm against the original file, whose indentation this listing lost.
requests:
  - method: GET
  - generators:
      # Injection points: path (with and without the [[.origin]] value and the
      # prefix), query string (with and without the prefix), and body.
      - Path("[[.origin]]{{.prefix}}{{.payload}}", "*")
      - Path("{{.prefix}}{{.payload}}", "*")
      - Path("{{.payload}}", "*")
      - Query("{{.prefix}}{{.payload}}")
      - Query("{{.payload}}")
      - Body("{{.payload}}")
    detections:
      # Header check: a Location line whose value starts with an optional
      # http:/https: scheme, an optional {{.prefix}}, and then {{.dest}}.
      # NOTE(review): the payload puts "{{.Domain}}." in front of {{.dest}},
      # which this pattern does not allow between the scheme/prefix and
      # {{.dest}}; verify that a redirect to the payload host is still matched.
      # NOTE(review): if {{.dest}} and {{.prefix}} are substituted verbatim,
      # their "." characters act as regex wildcards (a source of false
      # positives) - confirm.
      - >-
        RegexSearch("resHeaders", "(?m)^(L|l)ocation: (((http|https):)?({{.prefix}})?)?{{.dest}}")
      # Body check: a <meta http-equiv ...> tag containing "url" followed
      # anywhere by {{.dest}} before the closing ">". The lazy wildcards make
      # this loose, so {{.dest}} anywhere after "url=" in the tag will match.
      # NOTE(review): component names differ in case ("resHeaders" above,
      # "ResBody" here) - confirm Jaeles accepts both spellings.
      - >-
        RegexSearch("ResBody", "(?m)<meta http-equiv(.*?)url(\s)?=(\'|\")?(.*?){{.dest}}(.*?)>")