openredirect

package
v0.1.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jun 20, 2026 License: MIT Imports: 12 Imported by: 0

Documentation

Overview

Package openredirect implements Open Redirect vulnerability detection.

Source reference: dalfox-openredirect (MIT) + PayloadsAllTheThings/Open-Redirect (MIT) + PortSwigger Web Security Academy open-redirect research. Detection logic reimplemented from scratch.

Open Redirect occurs when a web application accepts user-controlled input that specifies a URL to redirect to. Attackers abuse this for phishing, token theft, OAuth token leakage, and SSRF escalation.

Detection strategy:

  • Inject redirect payloads into: query parameter values containing redirect-like keywords (redirect, return, url, next, to, goto, dest, destination, forward, r, u, location, target, link, ref, ret, redir, ru, continue, returnto, returnurl, redirect_url, redirect_uri, callback, success_url, cancel_url, logout_url, error_url)
  • Detect via: Location header pointing to attacker domain, body containing attacker domain in href/src/window.location
  • Bypass variants: // attacker.com, https://attacker.com, https:attacker.com, \attacker.com, //attacker.com%2F@target.com, attacker.com, ///attacker.com, /%09//attacker.com, data: scheme, https://attacker.com?q=target.com (trusted domain as param)

Architecture:

  • Probe struct: ID, Inject (payload with {ATTACKER} placeholder), Detect func
  • extractRedirectParams: detect redirect-like param names
  • errgroup.SetLimit(Parallelism) fan-out
  • io.LimitReader on all response reads
  • log/slog observability
  • sync.Mutex protecting findings slice
  • NewWithClient(*http.Client) + NewWithProbes([]Probe) for testability

Index

Constants

View Source
const (
	DefaultTimeout     = 10 * time.Second
	DefaultParallelism = 10

	// DefaultAttacker is the attacker domain used in probes.
	DefaultAttacker = "blackhorn-redir.attacker.net"
)

Variables

This section is empty.

Functions

This section is empty.

Types

type Module

type Module struct {
	// contains filtered or unexported fields
}

Module implements Open Redirect detection.

func New

func New() *Module

New returns a Module with all built-in open redirect probes.

func NewWithClient

func NewWithClient(c *http.Client) *Module

NewWithClient returns a Module using the supplied HTTP client.

func NewWithProbes

func NewWithProbes(probes []Probe) *Module

NewWithProbes returns a Module with custom probes (testability).

func NewWithProbesAndClient

func NewWithProbesAndClient(probes []Probe, c *http.Client) *Module

NewWithProbesAndClient returns a Module with custom probes and HTTP client.

func (*Module) Name

func (m *Module) Name() string

Name returns the module name.

func (*Module) Run

func (m *Module) Run(ctx context.Context, input module.Input) ([]module.Finding, error)

Run tests all target URLs for open redirect vulnerabilities.

Options:

  • "parallelism" — max concurrent probes (default: 10)
  • "attacker" — attacker domain to inject (default: blackhorn-redir.attacker.net)

type Probe

type Probe struct {
	// ID is a unique slug.
	ID string
	// Inject is the payload value. {ATTACKER} is replaced with the attacker domain.
	Inject string
	// Detect tests the response for successful redirect.
	Detect func(resp *http.Response, body, attacker string) bool
	// Severity is the finding severity.
	Severity module.Severity
	// Tags are metadata tags.
	Tags []string
}

Probe defines a redirect injection test.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL