Class: Ronin::Vulns::OpenRedirect
- Defined in: lib/ronin/vulns/open_redirect.rb
Overview
Represents an Open Redirect vulnerability.
Features
- Checks 301, 302, 303, 307, and 308 HTTP redirects.
- Checks meta refresh redirects.
- Includes random alpha-numeric data in the test values.
Instance Attribute Summary
- #test_url ⇒ String (readonly)
  The desired redirect URL to use in the test.
Attributes inherited from WebVuln
#cookie, #cookie_param, #form_data, #form_param, #header_name, #headers, #http, #password, #query_param, #query_params, #referer, #request_method, #url, #user, #user_agent
Class Method Summary
- .random_test_url ⇒ String (private)
  Generates a random redirect URL to use in tests.
- .vuln_type ⇒ Symbol (abstract, private)
  Returns the type or kind of vulnerability.
Instance Method Summary
- #initialize(url, test_url: self.class.random_test_url, **kwargs) ⇒ OpenRedirect (constructor)
  Initializes the Open Redirect vulnerability.
- #vulnerable? ⇒ Boolean
  Tests whether the URL has a vulnerable Open Redirect.
Methods inherited from WebVuln
#encode_payload, #exploit, #exploit_cookie, #exploit_form_data, #exploit_headers, #exploit_query_params, #original_value, #random_value, #request, scan, scan_cookie_params, scan_form_params, scan_headers, scan_query_params, test, test_param, #to_curl, #to_http, #to_s
Constructor Details
#initialize(url, test_url: self.class.random_test_url, **kwargs) ⇒ OpenRedirect
Initializes the Open Redirect vulnerability.
```ruby
# File 'lib/ronin/vulns/open_redirect.rb', line 53
def initialize(url, test_url: self.class.random_test_url, **kwargs)
  super(url,**kwargs)

  @test_url = test_url
end
```
Instance Attribute Details
#test_url ⇒ String (readonly)
The desired redirect URL to use in the test.
```ruby
# File 'lib/ronin/vulns/open_redirect.rb', line 42
def test_url
  @test_url
end
```
Class Method Details
.random_test_url ⇒ String
This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.
Generates a random redirect URL to use in tests.
```ruby
# File 'lib/ronin/vulns/open_redirect.rb', line 67
def self.random_test_url
  "https://ronin-rb.dev/vulns/open_redirect.html?id=#{Chars::ALPHA_NUMERIC.random_string(5)}"
end
```
.vuln_type ⇒ Symbol
This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.
This is used internally to map a vulnerability class to a printable type.
Returns the type or kind of vulnerability.
```ruby
# File 'lib/ronin/vulns/open_redirect.rb', line 147
def self.vuln_type
  :open_redirect
end
```
Instance Method Details
#vulnerable? ⇒ Boolean
Tests whether the URL has a vulnerable Open Redirect.
```ruby
# File 'lib/ronin/vulns/open_redirect.rb', line 76
def vulnerable?
  response = exploit(@test_url)

  case response.code
  when '301', '302', '303', '307', '308'
    if (locations = response.get_fields('Location'))
      escaped_test_url = Regexp.escape(@test_url)
      regexp = /\A#{escaped_test_url}.*\z/

      locations.last =~ regexp
    end
  else
    content_type = response.content_type

    if content_type && content_type.include?('text/html')
      escaped_test_url = Regexp.escape(CGI.escapeHTML(@test_url))

      regexp = %r{
        <meta\s+
          http-equiv\s*=\s*(?: "refresh" | 'refresh' | refresh )\s+
          content\s*=\s*
          (?:
            # content="..."
            "\s*\d+\s*;\s*url\s*=\s*
            (?:
              # content="0; url='...'"
              '\s*#{escaped_test_url}[^'"]*' |
              # content="0; url=..."
              #{escaped_test_url}[^"]*
            )\s*" |
            # content='...'
            '\s*\d+\s*;\s*url\s*=\s*
            (?:
              # content='0; url="..."'
              "\s*#{escaped_test_url}[^"']*" |
              # content='0; url=...'
              #{escaped_test_url}[^']*
            )\s*' |
            # content=...
            \s*\d+;url=(?:
              # content=0;url="..."
              "\s*#{escaped_test_url}[^\s"]*" |
              # content=0;url='...'
              '\s*#{escaped_test_url}[^\s']*' |
              # content=0;url=...
              #{escaped_test_url}[^\s/>]*
            )
          )
          \s*
          # /> or / >
          (?:/\s*)?>
      }xi

      response.body =~ regexp
    end
  end
end
```
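What the Location check in vulnerable? distinguishes, shown as an added example that is not part of ronin-vulns: a handler that reflects a redirect parameter next to one that validates it, both run through the same anchored prefix match. The handlers, the response hashes, the allowlist host `app.example.com` and the `Ab3xZ` test id are assumptions constructed for illustration.

```ruby
require 'uri'

# Constructed value in the format random_test_url produces.
TEST_URL = 'https://ronin-rb.dev/vulns/open_redirect.html?id=Ab3xZ'

# Hypothetical application settings (assumptions, not from ronin-vulns).
ALLOWED_REDIRECT_HOSTS = %w[app.example.com].freeze
DEFAULT_REDIRECT = '/'

# Vulnerable handler: copies the user-supplied value into Location unchanged.
def naive_redirect(next_param)
  { code: '302', location: next_param }
end

# Returns next_param only if it is a same-site path or an allowlisted
# https host; anything else falls back to DEFAULT_REDIRECT.
def safe_redirect_target(next_param)
  value = next_param.to_s
  # Control characters and backslashes are rejected outright, since
  # browsers may normalise "\" to "/".
  return DEFAULT_REDIRECT if value.match?(/[\x00-\x1f\\]/)

  uri = URI.parse(value)
  if uri.scheme.nil? && uri.host.nil?
    # Relative path: one leading "/" only ("//host" is scheme-relative).
    return value if value.start_with?('/') && !value.start_with?('//')
  elsif uri.scheme == 'https' && ALLOWED_REDIRECT_HOSTS.include?(uri.host)
    return value
  end
  DEFAULT_REDIRECT
rescue URI::InvalidURIError
  DEFAULT_REDIRECT
end

# Hardened handler: same response shape, validated target.
def hardened_redirect(next_param)
  { code: '302', location: safe_redirect_target(next_param) }
end

# The Location check from vulnerable? above, applied to a response hash.
def redirects_to_test_url?(response, test_url)
  return false unless %w[301 302 303 307 308].include?(response[:code])

  response[:location].match?(/\A#{Regexp.escape(test_url)}.*\z/)
end
```

Because the match is anchored at the start of the Location value, a handler that rewrites or replaces the target no longer satisfies the check, while one that echoes the parameter does.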