mirror of
https://github.com/elicpeter/nyx.git
synced 2026-07-15 21:11:02 +02:00
[pitboss] phase 09: Track J.7 + Track L.7 — OPEN_REDIRECT corpus + redirect-aware adapters
This commit is contained in:
parent
5697763f28
commit
b881af5d93
47 changed files with 2592 additions and 32 deletions
16
tests/dynamic_fixtures/open_redirect/go/benign.go
Normal file
16
tests/dynamic_fixtures/open_redirect/go/benign.go
Normal file
|
|
@ -0,0 +1,16 @@
|
|||
// Phase 09 (Track J.7) — Go OPEN_REDIRECT benign control fixture.
|
||||
//
|
||||
// The handler ignores the attacker-supplied value and redirects to a
|
||||
// same-origin path; the captured `Location:` header carries no
|
||||
// off-origin authority.
|
||||
package vuln
|
||||
|
||||
import (
|
||||
"net/http"
|
||||
|
||||
"github.com/gin-gonic/gin"
|
||||
)
|
||||
|
||||
func Run(c *gin.Context, value string) {
|
||||
c.Redirect(http.StatusFound, "/dashboard")
|
||||
}
|
||||
16
tests/dynamic_fixtures/open_redirect/go/vuln.go
Normal file
16
tests/dynamic_fixtures/open_redirect/go/vuln.go
Normal file
|
|
@ -0,0 +1,16 @@
|
|||
// Phase 09 (Track J.7) — Go OPEN_REDIRECT vuln fixture.
|
||||
//
|
||||
// The gin handler splices `value` straight into
|
||||
// `gin.Context.Redirect` without host validation; an attacker URL
|
||||
// routes the captured `Location:` header off-origin.
|
||||
package vuln
|
||||
|
||||
import (
|
||||
"net/http"
|
||||
|
||||
"github.com/gin-gonic/gin"
|
||||
)
|
||||
|
||||
func Run(c *gin.Context, value string) {
|
||||
c.Redirect(http.StatusFound, value)
|
||||
}
|
||||
12
tests/dynamic_fixtures/open_redirect/java/Benign.java
Normal file
12
tests/dynamic_fixtures/open_redirect/java/Benign.java
Normal file
|
|
@ -0,0 +1,12 @@
|
|||
// Phase 09 (Track J.7) — Java OPEN_REDIRECT benign control fixture.
|
||||
//
|
||||
// The function ignores the attacker-supplied value and always
|
||||
// redirects to the same-origin path `/dashboard`, so the captured
|
||||
// `Location:` header has no off-origin authority.
|
||||
import javax.servlet.http.HttpServletResponse;
|
||||
|
||||
public class Benign {
|
||||
public static void run(HttpServletResponse response, String value) throws Exception {
|
||||
response.sendRedirect("/dashboard");
|
||||
}
|
||||
}
|
||||
13
tests/dynamic_fixtures/open_redirect/java/Vuln.java
Normal file
13
tests/dynamic_fixtures/open_redirect/java/Vuln.java
Normal file
|
|
@ -0,0 +1,13 @@
|
|||
// Phase 09 (Track J.7) — Java OPEN_REDIRECT vuln fixture.
|
||||
//
|
||||
// The function passes `value` straight into
|
||||
// `HttpServletResponse.sendRedirect` without host validation. A
|
||||
// payload carrying `https://attacker.test/` sends the response's
|
||||
// `Location:` header off-origin.
|
||||
import javax.servlet.http.HttpServletResponse;
|
||||
|
||||
public class Vuln {
|
||||
public static void run(HttpServletResponse response, String value) throws Exception {
|
||||
response.sendRedirect(value);
|
||||
}
|
||||
}
|
||||
13
tests/dynamic_fixtures/open_redirect/js/benign.js
Normal file
13
tests/dynamic_fixtures/open_redirect/js/benign.js
Normal file
|
|
@ -0,0 +1,13 @@
|
|||
// Phase 09 (Track J.7) — JavaScript OPEN_REDIRECT benign control
|
||||
// fixture.
|
||||
//
|
||||
// The handler ignores the attacker-supplied value and redirects to a
|
||||
// same-origin path; the captured `Location:` header carries no
|
||||
// off-origin authority.
|
||||
const express = require('express');
|
||||
|
||||
function run(req, res, value) {
|
||||
res.redirect('/dashboard');
|
||||
}
|
||||
|
||||
module.exports = { run };
|
||||
12
tests/dynamic_fixtures/open_redirect/js/vuln.js
Normal file
12
tests/dynamic_fixtures/open_redirect/js/vuln.js
Normal file
|
|
@ -0,0 +1,12 @@
|
|||
// Phase 09 (Track J.7) — JavaScript OPEN_REDIRECT vuln fixture.
|
||||
//
|
||||
// The Express handler splices `value` straight into `res.redirect`
|
||||
// without host validation; an attacker URL routes the captured
|
||||
// `Location:` header off-origin.
|
||||
const express = require('express');
|
||||
|
||||
function run(req, res, value) {
|
||||
res.redirect(value);
|
||||
}
|
||||
|
||||
module.exports = { run };
|
||||
11
tests/dynamic_fixtures/open_redirect/php/benign.php
Normal file
11
tests/dynamic_fixtures/open_redirect/php/benign.php
Normal file
|
|
@ -0,0 +1,11 @@
|
|||
<?php
|
||||
// Phase 09 (Track J.7) — PHP OPEN_REDIRECT benign control fixture.
|
||||
//
|
||||
// The function ignores the attacker-supplied value and redirects to
|
||||
// a same-origin path; the captured `Location:` header carries no
|
||||
// off-origin authority.
|
||||
use Symfony\Component\HttpFoundation\RedirectResponse;
|
||||
|
||||
function run(string $value): RedirectResponse {
|
||||
return new RedirectResponse('/dashboard');
|
||||
}
|
||||
11
tests/dynamic_fixtures/open_redirect/php/vuln.php
Normal file
11
tests/dynamic_fixtures/open_redirect/php/vuln.php
Normal file
|
|
@ -0,0 +1,11 @@
|
|||
<?php
|
||||
// Phase 09 (Track J.7) — PHP OPEN_REDIRECT vuln fixture.
|
||||
//
|
||||
// The function splices `$value` into a Symfony `RedirectResponse`
|
||||
// without host validation; an attacker URL routes the
|
||||
// `Location:` header off-origin.
|
||||
use Symfony\Component\HttpFoundation\RedirectResponse;
|
||||
|
||||
function run(string $value): RedirectResponse {
|
||||
return new RedirectResponse($value);
|
||||
}
|
||||
10
tests/dynamic_fixtures/open_redirect/python/benign.py
Normal file
10
tests/dynamic_fixtures/open_redirect/python/benign.py
Normal file
|
|
@ -0,0 +1,10 @@
|
|||
# Phase 09 (Track J.7) — Python OPEN_REDIRECT benign control fixture.
|
||||
#
|
||||
# The function ignores the attacker-supplied value and redirects to a
|
||||
# same-origin path, so the captured `Location:` header carries no
|
||||
# off-origin authority.
|
||||
from flask import redirect
|
||||
|
||||
|
||||
def run(value):
|
||||
return redirect("/dashboard")
|
||||
10
tests/dynamic_fixtures/open_redirect/python/vuln.py
Normal file
10
tests/dynamic_fixtures/open_redirect/python/vuln.py
Normal file
|
|
@ -0,0 +1,10 @@
|
|||
# Phase 09 (Track J.7) — Python OPEN_REDIRECT vuln fixture.
|
||||
#
|
||||
# The function passes `value` straight into `flask.redirect` without
|
||||
# host validation. A payload carrying `https://attacker.test/` sends
|
||||
# the response's `Location:` header off-origin.
|
||||
from flask import redirect
|
||||
|
||||
|
||||
def run(value):
|
||||
return redirect(value)
|
||||
12
tests/dynamic_fixtures/open_redirect/ruby/benign.rb
Normal file
12
tests/dynamic_fixtures/open_redirect/ruby/benign.rb
Normal file
|
|
@ -0,0 +1,12 @@
|
|||
# Phase 09 (Track J.7) — Ruby OPEN_REDIRECT benign control fixture.
|
||||
#
|
||||
# The function ignores the attacker-supplied value and redirects to a
|
||||
# same-origin path; the captured `Location:` header carries no
|
||||
# off-origin authority.
|
||||
require 'rack'
|
||||
|
||||
def run(value)
|
||||
response = Rack::Response.new
|
||||
response.redirect('/dashboard')
|
||||
response
|
||||
end
|
||||
12
tests/dynamic_fixtures/open_redirect/ruby/vuln.rb
Normal file
12
tests/dynamic_fixtures/open_redirect/ruby/vuln.rb
Normal file
|
|
@ -0,0 +1,12 @@
|
|||
# Phase 09 (Track J.7) — Ruby OPEN_REDIRECT vuln fixture.
|
||||
#
|
||||
# The function splices `value` straight into
|
||||
# `Rack::Response#redirect` without host validation; an attacker URL
|
||||
# routes the captured `Location:` header off-origin.
|
||||
require 'rack'
|
||||
|
||||
def run(value)
|
||||
response = Rack::Response.new
|
||||
response.redirect(value)
|
||||
response
|
||||
end
|
||||
10
tests/dynamic_fixtures/open_redirect/rust/benign.rs
Normal file
10
tests/dynamic_fixtures/open_redirect/rust/benign.rs
Normal file
|
|
@ -0,0 +1,10 @@
|
|||
// Phase 09 (Track J.7) — Rust OPEN_REDIRECT benign control fixture.
|
||||
//
|
||||
// The handler ignores the attacker-supplied value and redirects to a
|
||||
// same-origin path; the captured `Location:` header carries no
|
||||
// off-origin authority.
|
||||
use axum::response::Redirect;
|
||||
|
||||
pub fn run(_value: String) -> Redirect {
|
||||
Redirect::to("/dashboard")
|
||||
}
|
||||
10
tests/dynamic_fixtures/open_redirect/rust/vuln.rs
Normal file
10
tests/dynamic_fixtures/open_redirect/rust/vuln.rs
Normal file
|
|
@ -0,0 +1,10 @@
|
|||
// Phase 09 (Track J.7) — Rust OPEN_REDIRECT vuln fixture.
|
||||
//
|
||||
// The handler splices `value` straight into `Redirect::to` without
|
||||
// host validation; an attacker URL routes the captured `Location:`
|
||||
// header off-origin.
|
||||
use axum::response::Redirect;
|
||||
|
||||
pub fn run(value: String) -> Redirect {
|
||||
Redirect::to(&value)
|
||||
}
|
||||
Loading…
Add table
Add a link
Reference in a new issue