Robust and blazing fast open-redirect vulnerability scanner with ability of recursevely crawling all of web-forms, entry points, or links with data.

Related tags

Third-party APIs Wrappersfuzz300
Overview

After Golismero project got dead there is no more any up to date open-source tool that can collect links with parametrs and web-forms and then test them, so i decided to write one by my own. At the first step this tool does collect all the entry-points for the target website and then tryes to find open redirect vulnerability.

Why this project is better than other open-redirect scanners? It does recursevely crawl all the links from the target website and finds potential vulnerable web-forms by itself instead of using CommonCrawl or getting links list from user input. In the future i will probably add more modules to fuzz for SQL Injections and XSS.

Instalation

~$ git clone https://github.com/d34db33f-1007/fuzz300.git
~$ pip3 install -r requirements.txt

Usage

~$ python3.8 fuzz300.py -u https://example.com
~$ python3.8 fuzz300.py -u https://www.example.com -c 'Cookie: user=admin'

After running you will also find newly created files with interesting links and all website entry-points.

Tips

• Try using the same parameter twice: ?next=whitelisted.com&next=google.com
• If periods filtered, use an IPv4 address in decimal notation http://www.geektools.com/geektools-cgi/ipconv.cgi
• Try a double-URL and triple-URL encoded version of payloads
• Try redirecting to an IP address (instead of a domain) using different notations: IPv6, IPv4 in decimal, hex or octal
• For XSS, try replacing alert(1) with prompt(1) & confirm(1)
• If extension checked, try ?image_url={payload}/.jpg
• Try target.com/?redirect_url=.uk (or [any_param]=.uk). If it redirects to target.com.uk, then it’s vulnerable! target.com.uk and target.com are different domains.
• Use /U+e280 RIGHT-TO-LEFT OVERRIDE: https://whitelisted.com@%E2%80%[email protected]
------ The unicode character U+202E changes all subsequent text to be right-to-left
------ E.g.: https://hackerone.com/reports/299403

Exploitation

• Phishing
• Chaining open redirect with
-- • SSRF
-- • OAuth token disclosure
-- • XSS
-- • CRLF injection

Open redirect writeups

Hackerone report 158434: Open Redirect & XSS on Shopify, $1,000
Hackerone report 101962: Open Redirect on Shopify, $500
Hackerone report 55546: Open Redirect on Shopify, $500
Hackerone report 55525: Open Redirect on Shopify, $500
Hackerone report 169759: Open Redirect on Shopify, $500
Hackerone report 160047: Open Redirect on Shopify, $500
Hackerone report 103772: Open Redirect on Shopify, $500
Hackerone report 159522: Open Redirect on Shopify, $500

You might also like...
Telegram Bot to store Posts and Documents and it can Access by Special Links.

File-sharing-Bot Telegram Bot to store Posts and Documents and it can Access by Special Links. I Guess This Will Be Usefull For Many People..... 😇 .

Code X Botz 1.2k Jan 8, 2023
File-sharing-Bot: Telegram Bot to store Posts and Documents and it can Access by Special Links.

File-sharing-Bot Telegram Bot to store Posts and Documents and it can Access by Special Links. I Guess This Will Be Usefull For Many People..... 😇 .

null 1 Dec 17, 2021
Telegram Bot to store Posts and Documents and it can Access by Special Links.
Telegram Bot to store Posts and Documents and it can Access by Special Links.

Telegram Bot to store Posts and Documents and it can Access by Special Links. I Guess This Will Be Usefull For Many People..... 😇 . Features Fully cu

REX BOTZ 1 Dec 23, 2021
Telegram Group Calls Streaming bot with some useful features, written in Python with Pyrogram and Py-Tgcalls. Supporting platforms like Youtube, Spotify, Resso, AppleMusic, Soundcloud and M3u8 Links.
Telegram Group Calls Streaming bot with some useful features, written in Python with Pyrogram and Py-Tgcalls. Supporting platforms like Youtube, Spotify, Resso, AppleMusic, Soundcloud and M3u8 Links.

Yukki Music Bot Yukki Music Bot is a Powerful Telegram Music+Video Bot written in Python using Pyrogram and Py-Tgcalls by which you can stream songs,

Team Yukki 996 Dec 28, 2022
CVE-2021-39685 Description and sample exploit for Linux USB Gadget overflow vulnerability

CVE-2021-39685 Description and sample exploit for Linux USB Gadget overflow vulnerability

null 8 May 25, 2022
just a program i made cuz a friend got tokenlogged and spammed me with these scam/phishing links so i made a programm to spam these websides with fake logins

scam-webside-spammer just a program i made cuz a friend got tokenlogged and spammed me with these scam/phishing links so i made a programm to spam the

TerrificTable 3 Sep 23, 2022
Robot to convert files to direct links, hosting files on Telegram servers, unlimited and without restrictions

stream-cloud demo : downloader_star_bot Run : Docker : install docker , docker-compose set Environment or edit Config/init.py docker-compose up Heroku

null 53 Dec 21, 2022
A Discord bot to combat phishing links for Steam trades and Discord gifts.

delink-bot A Discord bot to combat phishing links for Steam trades and Discord gifts. Requirement python3 -m pip install -U discord.py python3 -m pip

hugonun 15 Dec 9, 2022
API which uses discord+mojang api to scrape NameMC searches/droptime/dropping status of minecraft names, and texture links
API which uses discord+mojang api to scrape NameMC searches/droptime/dropping status of minecraft names, and texture links

API which uses discord+mojang api to scrape NameMC searches/droptime/dropping status of minecraft names, and texture links

null 2 Dec 22, 2021
Releases(v1.0.0)
Owner
railway zeppelin
all paths lead to clouds | https://t.me/ju_oj
railway zeppelin
GitHub Repository
A Telegram Bot That Provides Permanent Download Links For Sent Files.

FileStreamBot A Telegram bot to all media and documents files to web link . Report a Bug | Request Feature Demo Bot: 🍁 About This Bot : This bot will

Flux Inc. 1 Nov 02, 2021
Injector/automatic translator (using deepL API) for Tsukihime Remake

deepLuna Extractor/Editor/Translator/Injector for Tsukihime Remake About deepLuna, from "deepL", the machine translation service, and "Luna", the name

30 Dec 15, 2022
YuuScource - A Discord bot made with Pycord

Yuu A Discord bot made with Pycord Features Not much lol • Easy to use commands

kekda 9 Feb 17, 2022
Discord bot that automatically fills out health screenings

Auto Covid Bot Automatically fill out the NYC DOE health screening form by registering with a discord bot School code can be found on https://schoolse

Cleo 2 Jul 29, 2022
discord vc exploit to lightly lag vcs

discord-vc-reconnector discord vc exploit to lag vcs how to use open the py file, then open devtools on discord, go to network and join a vc, dont sta

Tesco 30 Aug 09, 2022
Python bindings to the Syncthing REST interface.

python-syncthing Python bindings to the Syncthing REST interface. Python API Documentation Syncthing Syncthing REST Documentation Syncthing Forums $ p

Blake VandeMerwe 64 Aug 13, 2022
Python wrapper for Revolt API

defectio is a direct implementation of the entire Revolt API and provides a way to authenticate and start communicating with Revolt servers. Similar interface to discord.py

Leon Bowie 26 Sep 18, 2022
WhatsApp Multi Device Client

WhatsApp Multi Device Client

23 Nov 18, 2022
Popcorn-time-api - Python API for interacting with the Popcorn Time Servers

Popcorn Time API 📝 CONTRIBUTIONS Before doing any contribution read CONTRIBUTIN

Antonio 3 Oct 31, 2022
Die wichtigsten APIs Deutschlands in einem Python Paket.

Deutschland A python package that gives you easy access to the most valuable datasets of Germany. Installation pip install deutschland Geographic data

Bundesstelle für Open Data 921 Jan 08, 2023
Telegram Group Chat Statistics With Python

Telegram Group Chat Statistics How to Run First add PYTHONPATH in repository root directory enviroment variable by running: export PYTHONPATH=${PWD}

Sina Nazem 3 Apr 18, 2022
Terminal Bot which will Execute your Commands From telegram bot!

Terminal-Bot see this bot alive: https://t.me/HerokuTerminal_Bot With this bot you can execute system commands on your server. how to config? clone or

Moshe 41 Dec 09, 2022
pyhakuna is a client to access the API of the time keeping service hakuna.ch.

pyhakuna pyhakuna is a client to access the API of the time keeping service hakuna.ch. The Hakuna API is – unfortunately – personal and currently does

Christian Mäder 1 Feb 15, 2022
News API consisting various sources from Tanzania

Tanzania News API News API consisting various sources from Tanzania. Fork the project Clone the project git clone https://github.com/username/news-a

Innocent Zenda 6 Oct 06, 2022
A Telegram bot written in python.

telegram_bot This bot is currently a beta project. Features A telegram bot which can: Send current COVID-19 cases/stats of Germany Send current worth

HuhnCares 1 Jan 11, 2022
A suite of utilities for AWS Lambda Functions that makes tracing with AWS X-Ray, structured logging and creating custom metrics asynchronously easier

A suite of utilities for AWS Lambda Functions that makes tracing with AWS X-Ray, structured logging and creating custom metrics asynchronously easier

Amazon Web Services - Labs 1.9k Jan 07, 2023
Python wrapper for Stanford CoreNLP.

stanfordcorenlp stanfordcorenlp is a Python wrapper for Stanford CoreNLP. It provides a simple API for text processing tasks such as Tokenization, Par

884 Dec 25, 2022
Access Undenied parses AWS AccessDenied CloudTrail events, explains the reasons for them, and offers actionable remediation steps. Open-sourced by Ermetic.

Access Undenied on AWS Access Undenied parses AWS AccessDenied CloudTrail events, explains the reasons for them, and offers actionable fixes. Access U

Ermetic 204 Jan 02, 2023
A simple telegram bot to help you to remove forward tag from post from any messages . Maded in python3 using @Pyrogram . Developed by @Kunal-Diwan

Frwd-Tag-Remover Telegram Bot to Remove forward tag from any Post . If you need any more modes in repo or If you find out any bugs, mention in @Develo

Kunal Diwan 2 Oct 14, 2022
Códigos pela Força Bruta e Algoritmo Genético para o Problema da Mochila

O problema da mochila é um problema de optimização combinatória. O nome dá-se devido ao modelo de uma situação em que é necessário preencher uma mochi

Hemili Beatriz 1 Jan 08, 2022