Robust and blazing fast open-redirect vulnerability scanner with ability of recursevely crawling all of web-forms, entry points, or links with data.

Related tags

Third-party APIs Wrappersfuzz300
Overview

After Golismero project got dead there is no more any up to date open-source tool that can collect links with parametrs and web-forms and then test them, so i decided to write one by my own. At the first step this tool does collect all the entry-points for the target website and then tryes to find open redirect vulnerability.

Why this project is better than other open-redirect scanners? It does recursevely crawl all the links from the target website and finds potential vulnerable web-forms by itself instead of using CommonCrawl or getting links list from user input. In the future i will probably add more modules to fuzz for SQL Injections and XSS.

Instalation

~$ git clone https://github.com/d34db33f-1007/fuzz300.git
~$ pip3 install -r requirements.txt

Usage

~$ python3.8 fuzz300.py -u https://example.com
~$ python3.8 fuzz300.py -u https://www.example.com -c 'Cookie: user=admin'

After running you will also find newly created files with interesting links and all website entry-points.

Tips

• Try using the same parameter twice: ?next=whitelisted.com&next=google.com
• If periods filtered, use an IPv4 address in decimal notation http://www.geektools.com/geektools-cgi/ipconv.cgi
• Try a double-URL and triple-URL encoded version of payloads
• Try redirecting to an IP address (instead of a domain) using different notations: IPv6, IPv4 in decimal, hex or octal
• For XSS, try replacing alert(1) with prompt(1) & confirm(1)
• If extension checked, try ?image_url={payload}/.jpg
• Try target.com/?redirect_url=.uk (or [any_param]=.uk). If it redirects to target.com.uk, then it’s vulnerable! target.com.uk and target.com are different domains.
• Use /U+e280 RIGHT-TO-LEFT OVERRIDE: https://whitelisted.com@%E2%80%[email protected]
------ The unicode character U+202E changes all subsequent text to be right-to-left
------ E.g.: https://hackerone.com/reports/299403

Exploitation

• Phishing
• Chaining open redirect with
-- • SSRF
-- • OAuth token disclosure
-- • XSS
-- • CRLF injection

Open redirect writeups

Hackerone report 158434: Open Redirect & XSS on Shopify, $1,000
Hackerone report 101962: Open Redirect on Shopify, $500
Hackerone report 55546: Open Redirect on Shopify, $500
Hackerone report 55525: Open Redirect on Shopify, $500
Hackerone report 169759: Open Redirect on Shopify, $500
Hackerone report 160047: Open Redirect on Shopify, $500
Hackerone report 103772: Open Redirect on Shopify, $500
Hackerone report 159522: Open Redirect on Shopify, $500

You might also like...
Telegram Bot to store Posts and Documents and it can Access by Special Links.

File-sharing-Bot Telegram Bot to store Posts and Documents and it can Access by Special Links. I Guess This Will Be Usefull For Many People..... 😇 .

Code X Botz 1.2k Jan 8, 2023
File-sharing-Bot: Telegram Bot to store Posts and Documents and it can Access by Special Links.

File-sharing-Bot Telegram Bot to store Posts and Documents and it can Access by Special Links. I Guess This Will Be Usefull For Many People..... 😇 .

null 1 Dec 17, 2021
Telegram Bot to store Posts and Documents and it can Access by Special Links.
Telegram Bot to store Posts and Documents and it can Access by Special Links.

Telegram Bot to store Posts and Documents and it can Access by Special Links. I Guess This Will Be Usefull For Many People..... 😇 . Features Fully cu

REX BOTZ 1 Dec 23, 2021
Telegram Group Calls Streaming bot with some useful features, written in Python with Pyrogram and Py-Tgcalls. Supporting platforms like Youtube, Spotify, Resso, AppleMusic, Soundcloud and M3u8 Links.
Telegram Group Calls Streaming bot with some useful features, written in Python with Pyrogram and Py-Tgcalls. Supporting platforms like Youtube, Spotify, Resso, AppleMusic, Soundcloud and M3u8 Links.

Yukki Music Bot Yukki Music Bot is a Powerful Telegram Music+Video Bot written in Python using Pyrogram and Py-Tgcalls by which you can stream songs,

Team Yukki 996 Dec 28, 2022
CVE-2021-39685 Description and sample exploit for Linux USB Gadget overflow vulnerability

CVE-2021-39685 Description and sample exploit for Linux USB Gadget overflow vulnerability

null 8 May 25, 2022
just a program i made cuz a friend got tokenlogged and spammed me with these scam/phishing links so i made a programm to spam these websides with fake logins

scam-webside-spammer just a program i made cuz a friend got tokenlogged and spammed me with these scam/phishing links so i made a programm to spam the

TerrificTable 3 Sep 23, 2022
Robot to convert files to direct links, hosting files on Telegram servers, unlimited and without restrictions

stream-cloud demo : downloader_star_bot Run : Docker : install docker , docker-compose set Environment or edit Config/init.py docker-compose up Heroku

null 53 Dec 21, 2022
A Discord bot to combat phishing links for Steam trades and Discord gifts.

delink-bot A Discord bot to combat phishing links for Steam trades and Discord gifts. Requirement python3 -m pip install -U discord.py python3 -m pip

hugonun 15 Dec 9, 2022
API which uses discord+mojang api to scrape NameMC searches/droptime/dropping status of minecraft names, and texture links
API which uses discord+mojang api to scrape NameMC searches/droptime/dropping status of minecraft names, and texture links

API which uses discord+mojang api to scrape NameMC searches/droptime/dropping status of minecraft names, and texture links

null 2 Dec 22, 2021
Releases(v1.0.0)
Owner
railway zeppelin
all paths lead to clouds | https://t.me/ju_oj
railway zeppelin
GitHub Repository
RedFish API Toolkit

RedFish API Toolkit RedFish API Toolkit Build Status GitHub Actions Travis CI Requirements requirements.txt requirements-dev.txt Dependencies Document

Larry Smith Jr. 1 Nov 20, 2021
𝐀 𝐦𝐨𝐝𝐮𝐥𝐚𝐫 𝐓𝐞𝐥𝐞𝐠𝐫𝐚𝐦 𝐆𝐫𝐨𝐮𝐩 𝐦𝐚𝐧𝐚𝐠𝐞𝐦𝐞𝐧𝐭 𝐛𝐨𝐭 𝐰𝐢𝐭𝐡 𝐮𝐥𝐭𝐢𝐦𝐚𝐭𝐞 𝐟𝐞𝐚𝐭𝐮𝐫𝐞𝐬 !!

𝐇𝐨𝐰 𝐓𝐨 𝐃𝐞𝐩𝐥𝐨𝐲 For easiest way to deploy this Bot click on the below button 𝐌𝐚𝐝𝐞 𝐁𝐲 𝐒𝐮𝐩𝐩𝐨𝐫𝐭 𝐆𝐫𝐨𝐮𝐩 𝐒𝐨𝐮𝐫𝐜𝐞𝐬 𝐆𝐞𝐧𝐞?

Mukesh Solanki 4 Oct 18, 2021
This Discord bot is to give timely notifications to Students in the Lakehead CS 2021 Guild

Discord-Bot Goal of Project The purpose of this Discord bot is to give timely notifications to Students in the Lakehead CS 2021 Guild. How can I contr

8 Jan 30, 2022
Handles SDVX EXCEED GEAR result screen photos and attempts to read it.

Handles SDVX EXCEED GEAR result screen photos and attempts to read it.

silverhawke 1 Jan 08, 2022
Accurately dump Commodore 64 tapes

TrueTape64 A cheap, easy to build adapter to interface a Commodore 1530 (C2N) Datasette to your PC to dump and preserve your aging Commodore 64 softwa

francesco 38 Dec 03, 2022
Financial portfolio optimisation in python, including classical efficient frontier, Black-Litterman, Hierarchical Risk Parity

PyPortfolioOpt has recently been published in the Journal of Open Source Software 🎉 PyPortfolioOpt is a library that implements portfolio optimizatio

Robert Martin 3.2k Jan 02, 2023
Space Bot, a Discord bot built for HackerSpace Club of PES University

Space Bot Space Bot, a Discord bot built for HackerSpace Club of PES University What can Space Bot do? Space Bot allows you to lookup any mentor or to

HackerSpace @PESU 7 Oct 23, 2022
Termux Pkg

PKG Install Termux All Basic Pkg. Installation : pkg update && pkg upgrade && pkg install python && pkg install python2 && pkg install git && git clon

ɴᴏʙɪᴛᴀシ︎ 1 Oct 28, 2021
Python SDK for Thepeer

Python SDK for Thepeer

Oluwafemi Tairu 2 Dec 22, 2021
Telegram RAT written in Python

teleRAT Python based RAT that uses Telegram for sending commands and receiving data to and from a victim computer. Setup.py Insert your API key into t

96 Jan 01, 2023
A script written in python3 for bruteforcing Gmail accounts.

GmailBruteforce Made for bruteforcing gmail accounts. It needs Less Secure Apps setting turned on in order to work. Installation For windows git clone

Shinero 4 Sep 16, 2022
Script to get a notification when a product, on Amazon Warehouse, is available within a target price

Amazon_Warehouse_Scraping This script aims to scrape Amazon Warehouse and send an email back if there are products whose price matches with the target

2 Oct 25, 2021
Twitter-bot - A Simple Twitter bot with python

twitterbot To use this bot, You will require API Key and Access Key. Signup at h

Bentil Shadrack 8 Nov 18, 2022
Monetize your apps with KivAds using Google AdMob api.

KivAds(WIP) Monetize your apps with KivAds using Google AdMob api. KivAds uses the latest version of Google AdMob sdk(version 20.0.0). KivAds exposes

Guhan Sensam 16 Nov 05, 2022
Python client for Invidious' JSON API

Python project template A template for new Python projects. Features Automatically builds PDoc documentation & uploads package to PyPI on new GitHub r

Kevo 2 Jun 05, 2022
A python script that can send notifications to your phone via SMS text

Discord SMS Notification A python script that help you send text message to your phone one of your desire discord channel have a new message. The proj

2 Apr 25, 2022
Flood discord webhooks

Webhook-Spammer Flood discord webhooks Asynchronous webhook spammer Fast & Efficient Usage - Use it with atleast 500 threads Put a valid webhook Use a

trey 1 Apr 22, 2022
An advanced telegram movie information finder bot

An advanced telegram movie information finder bot

Fayas Noushad 22 Aug 23, 2022
ARKHAM X GOD MULTISPAM BOT

ARKHAM-X-GOD-MULTISPAM-BOT 𝗗𝗘𝗣𝗟𝗢𝗬 𝗨𝗣𝗧𝗢 30 𝗕𝗢𝗧𝗦 𝗜𝗡 𝗔 𝗦𝗜𝗡𝗚𝗟?

ArkhamXGod 2 Jan 08, 2022
FTP Anonymous Login

FTPAnon FTP Anonymous Login Install git clone https://github.com/SiThuTuntimehacker/FTPAnon cd FTPAnon bash install.sh access ftp sever " ftpaccess.tx

SiThuTun 3 Mar 23, 2022