open-redirect-fuzz.yaml

id: open-redirect

info:
  name: Open Redirect Fuzzer
  author: dat-ayush
  severity: medium
  description: |
    Fuzzes every endpoint for open redirect vulnerabilities
  tags: open-redirect

http:
  - method: GET
    path:
      - "{{BaseURL}}{{params}}"
    payloads:
      params:
        - "?redirect=https://example.com"
        - "?url=https://example.com"
        - "?next=https://example.com"
        - "?goto=https://example.com"
        - "?destination=https://example.com"
        - "?forward=https://example.com"
        - "?out=https://example.com"
        - "?link=https://example.com"
        - "?target=https://example.com"
        - "?to=https://example.com"
        - "?r=https://example.com"
        - "?return=https://example.com"
        - "?u=https://example.com"
        - "?path=https://example.com"
        - "?continue=https://example.com"
        - "?jump=https://example.com"
        - "?location=https://example.com"
        - "?redir=https://example.com"
        - "?dest=https://example.com"
        - "?uri=https://example.com"
        - "?targetURL=https://example.com"
        - "?linkURL=https://example.com"
        - "?go=https://example.com"
        - "?nav=https://example.com"
        - "?navigate=https://example.com"
        - "?load=https://example.com"
        - "?page=https://example.com"
        - "?url_dest=https://example.com"
        - "?redirect_url=https://example.com"
        - "?redirect_uri=https://example.com"
        - "?ref=https://example.com"
        - "?refer=https://example.com"
        - "?relocate=https://example.com"
        - "?callback=https://example.com"
        - "?back=https://example.com"
        - "?exit=https://example.com"
        - "?click=https://example.com"
        - "?view=https://example.com"
        - "?track=https://example.com"
        - "?move=https://example.com"
        - "?route=https://example.com"
        - "?pass=https://example.com"
        - "?go_to=https://example.com"
        - "?send=https://example.com"
        - "?leap=https://example.com"
        - "?forward_to=https://example.com"
        - "?redirect_to=https://example.com"
        - "?jump_to=https://example.com"
        - "?load_url=https://example.com"
        - "?next_page=https://example.com"
        - "?next_url=https://example.com"
        - "?visit=https://example.com"
        - "?navigate_to=https://example.com"
        - "?return_to=https://example.com"
        - "?target_uri=https://example.com"
        - "?link_to=https://example.com"
        - "?outgoing=https://example.com"
        - "?new_url=https://example.com"
        - "?target_page=https://example.com"
        - "?action=https://example.com"
        - "?proceed=https://example.com"
        - "?referrer=https://example.com"
        - "?origin=https://example.com"
        - "?site=https://example.com"
        - "?way=https://example.com"
        - "?jump_url=https://example.com"
        - "?linkout=https://example.com"
        - "?pass_to=https://example.com"
        - "?fetch=https://example.com"
        - "?path_to=https://example.com"
        - "?external=https://example.com"
        - "?external_url=https://example.com"
        - "?continue_to=https://example.com"
        - "?goto_url=https://example.com"
        - "?redir_to=https://example.com"
        - "?goto_link=https://example.com"
        - "?page_url=https://example.com"
        - "?transfer=https://example.com"
        - "?target_link=https://example.com"
        - "?link_path=https://example.com"
        - "?fetch_url=https://example.com"
        - "?get_url=https://example.com"
        - "?next_dest=https://example.com"
        - "?follow=https://example.com"
        - "?route_to=https://example.com"
        - "?move_to=https://example.com"
        - "?url_redirect=https://example.com"
        - "?next_dest_url=https://example.com"
        - "?direct_to=https://example.com"
        - "?follow_link=https://example.com"
        - "?follow_url=https://example.com"
        - "?new_path=https://example.com"
        - "?proceed_to=https://example.com"
        - "?jump_link=https://example.com"
        - "?jump_route=https://example.com"
        - "?next_dest_link=https://example.com"
        - "?redir_url=https://example.com"
        - "?navigate_link=https://example.com"
        - "?continue_link=https://example.com"
        - "?pass_link=https://example.com"
        - "?redir_path=https://example.com"
        - "?get_to=https://example.com"
        - "?route_link=https://example.com"
        - "?transfer_to=https://example.com"
        - "?target_to=https://example.com"
        - "?jump_page=https://example.com"
        - "?follow_path=https://example.com"
        - "?url_jump=https://example.com"
        - "?site_redirect=https://example.com"
        - "?move_link=https://example.com"
        - "?link_target=https://example.com"
        - "?out_url=https://example.com"
        - "?route_url=https://example.com"
        - "?visit_page=https://example.com"
        - "?jump_target=https://example.com"
        - "?fetch_path=https://example.com"
        - "?relocate_to=https://example.com"
        - "?get_path=https://example.com"
        - "?click_link=https://example.com"
        - "?return_url=https://example.com"
        - "?proceed_link=https://example.com"
        - "?go_link=https://example.com"
        - "?pass_url=https://example.com"
        - "?continue_redirect=https://example.com"
        - "?transfer_link=https://example.com"
        - "?jump_redirect=https://example.com"
        - "?direct_url=https://example.com"
        - "?jump_target_url=https://example.com"
        - "?load_link=https://example.com"
        - "?return_link=https://example.com"
        - "?go_redirect=https://example.com"
        - "?nav_link=https://example.com"
        - "?redirect_path=https://example.com"
        - "?next_link=https://example.com"
        - "?proceed_url=https://example.com"
        - "?fetch_link=https://example.com"
        - "?direct_redirect=https://example.com"
        - "?navigate_path=https://example.com"
        - "?new_redirect=https://example.com"
        - "?move_url=https://example.com"
        - "?relocate_path=https://example.com"
        - "?track_link=https://example.com"
        - "?next_target=https://example.com"
        - "?pass_redirect=https://example.com"
        - "?redir_link=https://example.com"
        - "?url_forward=https://example.com"
        - "?link_redirect=https://example.com"
        - "?forward_link=https://example.com"
        - "?transfer_url=https://example.com"
        - "?site_redirect_url=https://example.com"
        - "?route_redirect=https://example.com"
        - "?page_redirect=https://example.com"
        - "?visit_link=https://example.com"
        - "?jump_to_url=https://example.com"
        - "?load_redirect=https://example.com"
        - "?follow_redirect=https://example.com"
        - "?redir_target=https://example.com"
        - "?fetch_redirect=https://example.com"
        - "?click_redirect=https://example.com"
        - "?track_redirect=https://example.com"
        - "?redirect_target=https://example.com"
        - "?redirect_next=https://example.com"
        - "?out_link=https://example.com"
        - "?move_redirect=https://example.com"
        - "?route_target=https://example.com"
        - "?target_redirect=https://example.com"
        - "?path_redirect=https://example.com"
        - "?load_target=https://example.com"
        - "?url_move=https://example.com"
        - "?site_target=https://example.com"
        - "?send_to=https://example.com"
        - "?fetch_target=https://example.com"
        - "?track_path=https://example.com"
        - "?visit_target=https://example.com"
        - "?track_to=https://example.com"
        - "?follow_target=https://example.com"
        - "?send_redirect=https://example.com"
        - "?move_target=https://example.com"
        - "?redirect_follow=https://example.com"
        - "?route_next=https://example.com"
        - "?direct_target=https://example.com"
        - "?new_target=https://example.com"
        - "?jump_follow=https://example.com"
        - "?navigate_redirect=https://example.com"

    matchers:
      - type: regex
        part: header
        regex:
          - '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_]*\.)?example\.com(?:\s*?)$'