[pitboss] phase 09: Track J.7 + Track L.7 — OPEN_REDIRECT corpus + redirect-aware adapters

This commit is contained in:
pitboss 2026-05-18 02:32:13 -05:00
parent 5697763f28
commit b881af5d93
47 changed files with 2592 additions and 32 deletions

View file

@ -0,0 +1,16 @@
// Phase 09 (Track J.7) — Go OPEN_REDIRECT benign control fixture.
//
// The handler ignores the attacker-supplied value and redirects to a
// same-origin path; the captured `Location:` header carries no
// off-origin authority.
package vuln
import (
"net/http"
"github.com/gin-gonic/gin"
)
func Run(c *gin.Context, value string) {
c.Redirect(http.StatusFound, "/dashboard")
}

View file

@ -0,0 +1,16 @@
// Phase 09 (Track J.7) — Go OPEN_REDIRECT vuln fixture.
//
// The gin handler splices `value` straight into
// `gin.Context.Redirect` without host validation; an attacker URL
// routes the captured `Location:` header off-origin.
package vuln
import (
"net/http"
"github.com/gin-gonic/gin"
)
func Run(c *gin.Context, value string) {
c.Redirect(http.StatusFound, value)
}

View file

@ -0,0 +1,12 @@
// Phase 09 (Track J.7) Java OPEN_REDIRECT benign control fixture.
//
// The function ignores the attacker-supplied value and always
// redirects to the same-origin path `/dashboard`, so the captured
// `Location:` header has no off-origin authority.
import javax.servlet.http.HttpServletResponse;
public class Benign {
public static void run(HttpServletResponse response, String value) throws Exception {
response.sendRedirect("/dashboard");
}
}

View file

@ -0,0 +1,13 @@
// Phase 09 (Track J.7) Java OPEN_REDIRECT vuln fixture.
//
// The function passes `value` straight into
// `HttpServletResponse.sendRedirect` without host validation. A
// payload carrying `https://attacker.test/` sends the response's
// `Location:` header off-origin.
import javax.servlet.http.HttpServletResponse;
public class Vuln {
public static void run(HttpServletResponse response, String value) throws Exception {
response.sendRedirect(value);
}
}

View file

@ -0,0 +1,13 @@
// Phase 09 (Track J.7) — JavaScript OPEN_REDIRECT benign control
// fixture.
//
// The handler ignores the attacker-supplied value and redirects to a
// same-origin path; the captured `Location:` header carries no
// off-origin authority.
const express = require('express');
function run(req, res, value) {
res.redirect('/dashboard');
}
module.exports = { run };

View file

@ -0,0 +1,12 @@
// Phase 09 (Track J.7) — JavaScript OPEN_REDIRECT vuln fixture.
//
// The Express handler splices `value` straight into `res.redirect`
// without host validation; an attacker URL routes the captured
// `Location:` header off-origin.
const express = require('express');
function run(req, res, value) {
res.redirect(value);
}
module.exports = { run };

View file

@ -0,0 +1,11 @@
<?php
// Phase 09 (Track J.7) — PHP OPEN_REDIRECT benign control fixture.
//
// The function ignores the attacker-supplied value and redirects to
// a same-origin path; the captured `Location:` header carries no
// off-origin authority.
use Symfony\Component\HttpFoundation\RedirectResponse;
function run(string $value): RedirectResponse {
return new RedirectResponse('/dashboard');
}

View file

@ -0,0 +1,11 @@
<?php
// Phase 09 (Track J.7) — PHP OPEN_REDIRECT vuln fixture.
//
// The function splices `$value` into a Symfony `RedirectResponse`
// without host validation; an attacker URL routes the
// `Location:` header off-origin.
use Symfony\Component\HttpFoundation\RedirectResponse;
function run(string $value): RedirectResponse {
return new RedirectResponse($value);
}

View file

@ -0,0 +1,10 @@
# Phase 09 (Track J.7) — Python OPEN_REDIRECT benign control fixture.
#
# The function ignores the attacker-supplied value and redirects to a
# same-origin path, so the captured `Location:` header carries no
# off-origin authority.
from flask import redirect
def run(value):
return redirect("/dashboard")

View file

@ -0,0 +1,10 @@
# Phase 09 (Track J.7) — Python OPEN_REDIRECT vuln fixture.
#
# The function passes `value` straight into `flask.redirect` without
# host validation. A payload carrying `https://attacker.test/` sends
# the response's `Location:` header off-origin.
from flask import redirect
def run(value):
return redirect(value)

View file

@ -0,0 +1,12 @@
# Phase 09 (Track J.7) — Ruby OPEN_REDIRECT benign control fixture.
#
# The function ignores the attacker-supplied value and redirects to a
# same-origin path; the captured `Location:` header carries no
# off-origin authority.
require 'rack'
def run(value)
response = Rack::Response.new
response.redirect('/dashboard')
response
end

View file

@ -0,0 +1,12 @@
# Phase 09 (Track J.7) — Ruby OPEN_REDIRECT vuln fixture.
#
# The function splices `value` straight into
# `Rack::Response#redirect` without host validation; an attacker URL
# routes the captured `Location:` header off-origin.
require 'rack'
def run(value)
response = Rack::Response.new
response.redirect(value)
response
end

View file

@ -0,0 +1,10 @@
// Phase 09 (Track J.7) — Rust OPEN_REDIRECT benign control fixture.
//
// The handler ignores the attacker-supplied value and redirects to a
// same-origin path; the captured `Location:` header carries no
// off-origin authority.
use axum::response::Redirect;
pub fn run(_value: String) -> Redirect {
Redirect::to("/dashboard")
}

View file

@ -0,0 +1,10 @@
// Phase 09 (Track J.7) — Rust OPEN_REDIRECT vuln fixture.
//
// The handler splices `value` straight into `Redirect::to` without
// host validation; an attacker URL routes the captured `Location:`
// header off-origin.
use axum::response::Redirect;
pub fn run(value: String) -> Redirect {
Redirect::to(&value)
}