Robust and blazing fast open-redirect vulnerability scanner with ability of recursevely crawling all of web-forms, entry points, or links with data.

Last update: Aug 25, 2022

Related tags

Third-party APIs Wrappers fuzz300

Overview

After Golismero project got dead there is no more any up to date open-source tool that can collect links with parametrs and web-forms and then test them, so i decided to write one by my own. At the first step this tool does collect all the entry-points for the target website and then tryes to find open redirect vulnerability.

Why this project is better than other open-redirect scanners? It does recursevely crawl all the links from the target website and finds potential vulnerable web-forms by itself instead of using CommonCrawl or getting links list from user input. In the future i will probably add more modules to fuzz for SQL Injections and XSS.

Instalation

~$ git clone https://github.com/d34db33f-1007/fuzz300.git
~$ pip3 install -r requirements.txt

Usage

~$ python3.8 fuzz300.py -u https://example.com
~$ python3.8 fuzz300.py -u https://www.example.com -c 'Cookie: user=admin'

After running you will also find newly created files with interesting links and all website entry-points.

Tips

• Try using the same parameter twice: ?next=whitelisted.com&next=google.com
• If periods filtered, use an IPv4 address in decimal notation http://www.geektools.com/geektools-cgi/ipconv.cgi
• Try a double-URL and triple-URL encoded version of payloads
• Try redirecting to an IP address (instead of a domain) using different notations: IPv6, IPv4 in decimal, hex or octal
• For XSS, try replacing alert(1) with prompt(1) & confirm(1)
• If extension checked, try ?image_url={payload}/.jpg
• Try target.com/?redirect_url=.uk (or [any_param]=.uk). If it redirects to target.com.uk, then it’s vulnerable! target.com.uk and target.com are different domains.
• Use /U+e280 RIGHT-TO-LEFT OVERRIDE: https://whitelisted.com@%E2%80%[email protected]
------ The unicode character U+202E changes all subsequent text to be right-to-left
------ E.g.: https://hackerone.com/reports/299403

Exploitation

• Phishing
• Chaining open redirect with
-- • SSRF
-- • OAuth token disclosure
-- • XSS
-- • CRLF injection

Open redirect writeups

• Hackerone report 158434: Open Redirect & XSS on Shopify, $1,000
• Hackerone report 101962: Open Redirect on Shopify, $500
• Hackerone report 55546: Open Redirect on Shopify, $500
• Hackerone report 55525: Open Redirect on Shopify, $500
• Hackerone report 169759: Open Redirect on Shopify, $500
• Hackerone report 160047: Open Redirect on Shopify, $500
• Hackerone report 103772: Open Redirect on Shopify, $500
• Hackerone report 159522: Open Redirect on Shopify, $500

Telegram Bot to store Posts and Documents and it can Access by Special Links.

File-sharing-Bot Telegram Bot to store Posts and Documents and it can Access by Special Links. I Guess This Will Be Usefull For Many People..... 😇 .

1.2k Jan 8, 2023

File-sharing-Bot: Telegram Bot to store Posts and Documents and it can Access by Special Links.

1 Dec 17, 2021

Telegram Bot to store Posts and Documents and it can Access by Special Links. I Guess This Will Be Usefull For Many People..... 😇 . Features Fully cu

1 Dec 23, 2021

Telegram Group Calls Streaming bot with some useful features, written in Python with Pyrogram and Py-Tgcalls. Supporting platforms like Youtube, Spotify, Resso, AppleMusic, Soundcloud and M3u8 Links.

Yukki Music Bot Yukki Music Bot is a Powerful Telegram Music+Video Bot written in Python using Pyrogram and Py-Tgcalls by which you can stream songs,

996 Dec 28, 2022

CVE-2021-39685 Description and sample exploit for Linux USB Gadget overflow vulnerability

8 May 25, 2022

just a program i made cuz a friend got tokenlogged and spammed me with these scam/phishing links so i made a programm to spam these websides with fake logins

scam-webside-spammer just a program i made cuz a friend got tokenlogged and spammed me with these scam/phishing links so i made a programm to spam the

3 Sep 23, 2022

Robot to convert files to direct links, hosting files on Telegram servers, unlimited and without restrictions

stream-cloud demo : downloader_star_bot Run : Docker : install docker , docker-compose set Environment or edit Config/init.py docker-compose up Heroku

53 Dec 21, 2022

A Discord bot to combat phishing links for Steam trades and Discord gifts.

delink-bot A Discord bot to combat phishing links for Steam trades and Discord gifts. Requirement python3 -m pip install -U discord.py python3 -m pip

15 Dec 9, 2022

API which uses discord+mojang api to scrape NameMC searches/droptime/dropping status of minecraft names, and texture links

2 Dec 22, 2021

Robust and blazing fast open-redirect vulnerability scanner with ability of recursevely crawling all of web-forms, entry points, or links with data.

Related tags

Overview

Instalation

Usage

Tips

Exploitation

Open redirect writeups

You might also like...

Telegram Bot to store Posts and Documents and it can Access by Special Links.

File-sharing-Bot: Telegram Bot to store Posts and Documents and it can Access by Special Links.

Telegram Bot to store Posts and Documents and it can Access by Special Links.

Telegram Group Calls Streaming bot with some useful features, written in Python with Pyrogram and Py-Tgcalls. Supporting platforms like Youtube, Spotify, Resso, AppleMusic, Soundcloud and M3u8 Links.

CVE-2021-39685 Description and sample exploit for Linux USB Gadget overflow vulnerability

just a program i made cuz a friend got tokenlogged and spammed me with these scam/phishing links so i made a programm to spam these websides with fake logins

Robot to convert files to direct links, hosting files on Telegram servers, unlimited and without restrictions

A Discord bot to combat phishing links for Steam trades and Discord gifts.

API which uses discord+mojang api to scrape NameMC searches/droptime/dropping status of minecraft names, and texture links

Releases(v1.0.0)

v1.0.0(Jan 16, 2022)

Owner

railway zeppelin

A bot written in Python to automate attending classes on MyClass (Codetantra).

A basic implementation of the Battlesnake API in Python

My Advent of Code solutions. I also upload videos of my solves: https://www.youtube.com/channel/UCuWLIm0l4sDpEe28t41WITA

8300-account-nuker - A simple accoutn nuker or can use it full closing dm and leaving server

A file-based quote bot written in Python

A little proxy tool based on Tencent Cloud Function Service.

A Bot To Get Info Of Telegram messages , Media , Channel id Group ID etc.

A modern Python client for controlling Wyze devices.

Sends messages to a Discord webhook whenever you make a new commit to your local git repository.

A Python library for the Buildkite API

Automatically check for free Anmeldung appointments.

Python JIRA Library is the easiest way to automate JIRA. Support for py27 was dropped on 2019-10-14, do not raise bugs related to it.

Simple Telegram Bot to extract various types of archives from a telegram file or a direct link

This package allows interactions with the BuyCoins API.

✖️ Unofficial API of 1337x.to

An API-driven solution for Makerspaces, Tinkerers, and Hackers.

Decryption utility for PGP Whole Disk Encryption

EduuRobot Telegram bot source code.

𝘼 𝙗𝙤𝙩 𝙩𝙝𝙖𝙩 𝙘𝙖𝙣 𝙥𝙡𝙖𝙮 𝙢𝙪𝙨𝙞𝙘 𝙤𝙣 𝙏𝙚𝙡𝙚𝙜𝙧𝙖𝙢 𝙂𝙧𝙤𝙪𝙥 𝙖𝙣𝙙 𝘾𝙝𝙖𝙣𝙣𝙚𝙡 𝙑𝙤𝙞𝙘𝙚 𝘾𝙝𝙖𝙩𝙨