Automation
How I found a simple Open Redirect using my automation workflow
You can find my automation workflow on https://github.com/utkarsh24122/vulnhunt
After subdomain enumeration & DNS resolution, I run gauplus, waybackurls, gospider & linkfinder to fetch URLs. Then I run the list of URLs through gf patterns, Openredirex & nuclei.
# Extracting URLs
cat sites.txt | gauplus >> temp.txt
gospider -S sites.txt --js -t 50 -d 2 -w -r --sitemap --robots >> tempspider.txt
# Filtering
# drop over-long lines, pull bare URLs out of gospider's bracketed output and keep only in-scope hosts
# ($domain is assumed to be set earlier in the full script)
sed -i '/^.\{2048\}./d' tempspider.txt
[ -s "tempspider.txt" ] && cat tempspider.txt | grep -Eo 'https?://[^ ]+' | sed 's/]$//' | grep ".$domain" | sort -u >> temp.txt
cat temp.txt | sort -u >> allurls.txt ; rm temp.txt tempspider.txt
# GF pattern
gf redirect allurls.txt | sort -u >> ./gf/redirect.txt
gf ssrf allurls.txt >> ./gf/redirect.txt
# openredirex
# replace every query-string value with FUZZ so openredirex can substitute its payloads
cat ./gf/redirect.txt | qsreplace FUZZ | sort -u >> tempred.txt
python3 openredirex.py -l tempred.txt --keyword FUZZ -p payloads.txt | grep "^http" >> ./vulns/redirect.txt
# strip ANSI colour codes from the saved results
sed -r -i "s/\x1B\[([0-9]{1,3}(;[0-9]{1,2})?)?[mGK]//g" ./vulns/redirect.txt
rm tempred.txt
# Nuclei
cat sites.txt | nuclei -silent -t /templates/ -severity low -o nuclei_output/low.txt
Potential open redirects in ./gf/redirect.txt can also be used for manual testing, since these have a high chance of being vulnerable. For this purpose, whitelisting can be bypassed using these payloads: https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Open%20Redirect#filter-bypass. It has worked really well for me on many occasions.
*target.com was in scope. Using my automation I was able to find Open Redirect:
1. marketer.target.com//example.com/
2. developer.target2.com//example.com/%2F..
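Both findings above are protocol-relative redirects: the path begins with "//", so the browser treats what follows as the destination host, which is exactly what a check that only asks "does it start with a slash?" lets through. As an added example (not code from this page or from the vulnhunt project), here is that weak check next to a validator that rejects such targets; the allowed host target.com and the sample redirect values are constructed.

```python
from urllib.parse import urlsplit, unquote

# Constructed sample redirect targets, shaped like the page's findings
# (host//other.com/ and host//other.com/%2F..) plus a few neighbours.
SAMPLES = [
    "/account/settings",          # ordinary relative path: should be allowed
    "//example.com/",             # protocol-relative: browser goes to example.com
    "//example.com/%2F..",        # same, with an encoded segment appended
    "/\\example.com/",            # backslash variant browsers normalise to //
    "https://example.com/login",  # absolute URL to a foreign host
    "https://target.com/home",    # absolute URL to the allowed host
    "javascript:alert(1)",        # non-http scheme
]

def naive_is_local(target):
    """The weak check that lets '//example.com/' through: it only asks
    whether the value begins with a slash."""
    return target.startswith("/")

def safe_redirect_target(target, allowed_hosts):
    """True only if `target` stays on an allow-listed host.
    Decodes once so an encoded slash cannot hide a second leading slash,
    rejects protocol-relative and backslash-prefixed paths, and for
    absolute URLs requires http(s) plus an allow-listed hostname."""
    decoded = unquote(target).strip()
    if not decoded:
        return False
    # Browsers read a path starting with "//" or "/\" as scheme-relative,
    # so whatever follows becomes the destination host.
    if decoded.startswith(("//", "/\\")):
        return False
    parts = urlsplit(decoded)
    if not parts.scheme and not parts.netloc:
        return decoded.startswith("/")   # plain relative path
    return parts.scheme in ("http", "https") and parts.hostname in allowed_hosts

def compare(targets, allowed_hosts):
    """Map each target to (naive verdict, hardened verdict)."""
    return {t: (naive_is_local(t), safe_redirect_target(t, allowed_hosts))
            for t in targets}

if __name__ == "__main__":
    for t, (naive, safe) in compare(SAMPLES, {"target.com"}).items():
        print(f"{t:28} naive={naive!s:5} hardened={safe}")
```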