See: https://www.bugbountyhunter.com/vulnerability/?type=open_redirect
See: https://portswigger.net/web-security/ssrf#bypassing-ssrf-filters-via-open-redirection
See: https://portswigger.net/web-security/dom-based/open-redirection/lab-dom-open-redirection
Lab: DOM-based open redirection
https://portswigger.net/web-security/dom-based/open-redirection/lab-dom-open-redirection
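Find the DOM sink in the element inspector (note: for DOM-based issues, look at the live DOM, not the page source).
Console: debug
var urlMatch = /url=(https?:\/\/.+)/.exec(location);
console.log("URL Match:", urlMatch); // inspect the match result
var returnUrl = urlMatch ? urlMatch[1] : "/";
console.log("Return URL:", returnUrl); // inspect the final redirect URL
location.href = returnUrl; // the url= value reaches the sink unchecked, hence the open redirect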
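The same sink logic next to a hardened variant, as an added example that is not part of the original post or the lab. The function names, the same-origin-only policy and the hostnames shop.example / other.example are assumptions made for illustration.

```javascript
// Added example. Hostnames below are constructed placeholders.

// The pattern from the snippet above as a pure function:
// whatever follows url= becomes the redirect target.
function vulnerableTarget(locationString) {
  const urlMatch = /url=(https?:\/\/.+)/.exec(locationString);
  return urlMatch ? urlMatch[1] : "/";
}

// Hardened variant (assumption: only same-origin return targets are needed).
// Parse with the URL API, resolve against the current origin, and fall back
// to "/" unless the result stays on that origin.
function safeTarget(locationString, fallback = "/") {
  const current = new URL(locationString);
  const raw = current.searchParams.get("url");
  if (!raw) return fallback;

  let candidate;
  try {
    candidate = new URL(raw, current.origin);
  } catch {
    return fallback; // value could not be parsed as a URL
  }
  // Comparing origins checks scheme, host and port at once. It rejects
  // protocol-relative (//host), backslash (/\host) and javascript: values.
  if (candidate.origin !== current.origin) return fallback;

  // Hand the sink the parser's normalised URL, never the raw parameter.
  return candidate.href;
}

// In the page this would be: location.href = safeTarget(location.href);
const base = "https://shop.example/post?postId=4&url=";
const samples = ["https://other.example/", "/cart", "//other.example/x",
                 "/%5Cother.example", "javascript:alert(1)"];
for (const s of samples) {
  console.log(s, "->", vulnerableTarget(base + s), "|", safeTarget(base + s));
}
```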
Main sinks:
location
location.host
location.hostname
location.href
location.pathname
location.search
location.protocol
location.assign()
location.replace()
open()
element.srcdoc
XMLHttpRequest.open()
XMLHttpRequest.send()
jQuery.ajax()
$.ajax()
From: https://www.cnblogs.com/sec875/p/18453226