Documentation
¶
Overview ¶
Package openredirect implements Open Redirect vulnerability detection.
Source reference: dalfox-openredirect (MIT) + PayloadsAllTheThings/Open-Redirect (MIT) + PortSwigger Web Security Academy open-redirect research. Detection logic reimplemented from scratch.
Open Redirect occurs when a web application accepts user-controlled input that specifies a URL to redirect to. Attackers abuse this for phishing, token theft, OAuth token leakage, and SSRF escalation.
Detection strategy:
- Inject redirect payloads into: query parameter values containing redirect-like keywords (redirect, return, url, next, to, goto, dest, destination, forward, r, u, location, target, link, ref, ret, redir, ru, continue, returnto, returnurl, redirect_url, redirect_uri, callback, success_url, cancel_url, logout_url, error_url)
- Detect via: Location header pointing to attacker domain, body containing attacker domain in href/src/window.location
- Bypass variants: // attacker.com, https://attacker.com, https:attacker.com, \attacker.com, //attacker.com%2F@target.com, attacker.com, ///attacker.com, /%09//attacker.com, data: scheme, https://attacker.com?q=target.com (trusted domain as param)
Architecture:
- Probe struct: ID, Inject (payload with {ATTACKER} placeholder), Detect func
- extractRedirectParams: detect redirect-like param names
- errgroup.SetLimit(Parallelism) fan-out
- io.LimitReader on all response reads
- log/slog observability
- sync.Mutex protecting findings slice
- NewWithClient(*http.Client) + NewWithProbes([]Probe) for testability
Index ¶
Constants ¶
const ( DefaultTimeout = 10 * time.Second DefaultParallelism = 10 // DefaultAttacker is the attacker domain used in probes. DefaultAttacker = "blackhorn-redir.attacker.net" )
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type Module ¶
type Module struct {
// contains filtered or unexported fields
}
Module implements Open Redirect detection.
func NewWithClient ¶
NewWithClient returns a Module using the supplied HTTP client.
func NewWithProbes ¶
NewWithProbes returns a Module with custom probes (testability).
func NewWithProbesAndClient ¶
NewWithProbesAndClient returns a Module with custom probes and HTTP client.
type Probe ¶
type Probe struct {
// ID is a unique slug.
ID string
// Inject is the payload value. {ATTACKER} is replaced with the attacker domain.
Inject string
// Detect tests the response for successful redirect.
Detect func(resp *http.Response, body, attacker string) bool
// Severity is the finding severity.
Severity module.Severity
// Tags are metadata tags.
Tags []string
}
Probe defines a redirect injection test.