Class: Ronin::Vulns::OpenRedirect

Inherits:
WebVuln
Defined in:
lib/ronin/vulns/open_redirect.rb

Overview

Represents an Open Redirect vulnerability.

Features

  • Checks 301, 302, 303, 307, and 308 HTTP redirects.
  • Checks meta refresh redirects.
  • Includes random alpha-numeric data in the test values.

Instance Attribute Summary

Attributes inherited from WebVuln

#cookie, #cookie_param, #form_data, #form_param, #header_name, #headers, #http, #password, #query_param, #query_params, #referer, #request_method, #url, #user

Class Method Summary

Instance Method Summary

Methods inherited from WebVuln

#encode_payload, #exploit, #exploit_cookie, #exploit_form_data, #exploit_headers, #exploit_query_params, #original_value, #random_value, #request, scan, scan_cookie_params, scan_form_params, scan_headers, scan_query_params, test, #to_curl, #to_http, #to_s

Constructor Details

#initialize(url, test_url: self.class.random_test_url, **kwargs) ⇒ OpenRedirect

Initializes the Open Redirect vulnerability.

Parameters:

  • url (String, URI::HTTP)

    The URL to exploit.

  • test_url (String) (defaults to: self.class.random_test_url)

    The desired redirect URL to test the URL with.



# File 'lib/ronin/vulns/open_redirect.rb', line 53

def initialize(url, test_url: self.class.random_test_url, **kwargs)
  super(url,**kwargs)

  @test_url = test_url
end

Instance Attribute Details

#test_url ⇒ String (readonly)

The desired redirect URL to use in the test.

Returns:

  • (String)


# File 'lib/ronin/vulns/open_redirect.rb', line 42

def test_url
  @test_url
end

Class Method Details

.random_test_url ⇒ String

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Generates a random redirect URL to use in tests.

Returns:

  • (String)

# File 'lib/ronin/vulns/open_redirect.rb', line 67

def self.random_test_url
  "https://ronin-rb.dev/vulns/open_redirect.html?id=#{Chars::ALPHA_NUMERIC.random_string(5)}"
end

.vuln_type ⇒ Symbol

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

This method is abstract.
Note:

This is used internally to map a vulnerability class to a printable type.

Returns the type or kind of vulnerability.

Returns:

  • (Symbol)


# File 'lib/ronin/vulns/open_redirect.rb', line 123

def self.vuln_type
  :open_redirect
end

Instance Method Details

#vulnerable? ⇒ Boolean

Tests whether the URL has a vulnerable Open Redirect.

Returns:

  • (Boolean)


# File 'lib/ronin/vulns/open_redirect.rb', line 76

def vulnerable?
  response = exploit(@test_url)

  case response.code
  when '301', '302', '303', '307', '308'
    if (locations = response.get_fields('Location'))
      escaped_test_url = Regexp.escape(@test_url)
      regexp           = /\A#{escaped_test_url}(?:[\?&].+)?\z/

      locations.last =~ regexp
    end
  else
    content_type = response.content_type

    if content_type && content_type.include?('text/html')
      escaped_test_url = Regexp.escape(CGI.escapeHTML(@test_url))

      regexp = %r{
        <meta\s+
          http-equiv\s*=\s*(?: "refresh" | 'refresh' | refresh )\s+
          content\s*=\s*
          (?:
           "\s*\d+\s*;\s*url\s*=\s*'\s*#{escaped_test_url}\s*'\s*"|
           '\s*\d+\s*;\s*url\s*=\s*"\s*#{escaped_test_url}\s*"\s*'|
           \s*\d+;url=(?: "#{escaped_test_url}" | '#{escaped_test_url}' )
          )\s*
          (?:/\s*)?>
      }xi

      response.body =~ regexp
    end
  end
end
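The check above has two halves: on a 3xx response it compares the last `Location` header against the test URL, and on an HTML body it looks for a `<meta http-equiv="refresh">` tag pointing at the test URL. The following is an added example, not code from ronin-vulns, showing the same two-path extraction as a stand-alone helper plus the mitigation side: a `safe_redirect_target` validator that an application can run on its own `next`/`return_to` parameter so that only same-site paths are honoured. Responses are plain hashes (`code`, `headers`, `body`) constructed inline as a stand-in for `Net::HTTPResponse`; the function names `redirect_target`, `redirects_offsite?`, `safe_redirect_target` and `parse_uri` are hypothetical.

```ruby
require 'uri'
require 'cgi'

# Status codes whose Location header the browser follows.
REDIRECT_CODES = %w[301 302 303 307 308].freeze

# Loose meta-refresh matcher: captures the url= value whether or not it is quoted.
META_REFRESH = %r{
  <meta\s+http-equiv\s*=\s*["']?refresh["']?\s+
  content\s*=\s*["']\s*\d+\s*;\s*url\s*=\s*["']?([^"'>]+?)["']?\s*["']
}xi

# Parse a URI, returning nil instead of raising on junk input.
def parse_uri(str)
  URI.parse(str)
rescue URI::InvalidURIError
  nil
end

# Extract where a response sends the browser.
# `response` is a constructed Hash: { code: '302', headers: {...}, body: '...' }.
# Returns the target string, or nil when the response does not redirect.
def redirect_target(response)
  if REDIRECT_CODES.include?(response[:code])
    # Like the original check, only the last Location header counts.
    return Array(response[:headers]['Location']).last
  end

  content_type = response[:headers]['Content-Type'].to_s
  return nil unless content_type.include?('text/html')

  match = META_REFRESH.match(response[:body].to_s)
  match && CGI.unescapeHTML(match[1].strip)
end

# True when the redirect leaves origin_host (absolute URL to another host,
# protocol-relative "//host", or a target that cannot be parsed at all).
def redirects_offsite?(response, origin_host)
  target = redirect_target(response)
  return false if target.nil?

  uri = parse_uri(target)
  return true if uri.nil?                                  # unparseable: distrust it

  # Path-only references such as "/account" stay on the current origin.
  return false if uri.scheme.nil? && uri.host.nil? && !target.start_with?('//')

  uri.host != origin_host
end

# Mitigation: only honour a single-slash relative path; everything else
# (absolute URLs, "//host", "/\host", schemes such as javascript:) falls back.
def safe_redirect_target(param, default: '/')
  return default if param.nil? || param.empty?
  return default unless param.start_with?('/') && !param.start_with?('//', '/\\')

  uri = parse_uri(param)
  return default unless uri && uri.scheme.nil? && uri.host.nil?

  param
end

if __FILE__ == $PROGRAM_NAME
  probe = 'https://example.invalid/probe?id=abc12'   # constructed test URL
  header_hit = { code: '302', headers: { 'Location' => probe }, body: '' }
  meta_hit   = { code: '200',
                 headers: { 'Content-Type' => 'text/html; charset=utf-8' },
                 body: %(<html><head><meta http-equiv="refresh" content="0; url=#{probe}"></head></html>) }
  puts "Location redirect offsite? #{redirects_offsite?(header_hit, 'app.example')}"
  puts "meta refresh offsite?      #{redirects_offsite?(meta_hit, 'app.example')}"
  puts "validator keeps /account:  #{safe_redirect_target('/account?tab=1')}"
  puts "validator drops //host:    #{safe_redirect_target('//example.invalid')}"
end
```

`redirects_offsite?` is what a regression test in your own suite would call against a response from the redirect endpoint; `safe_redirect_target` is the fix to apply at the endpoint itself, and it deliberately rejects `//host` and `/\host`, which browsers interpret as network-path references even though they begin with a slash.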