fix 5.1.5.yaml

OWASP · May 13, 2024 · 1deccd3 · 1deccd3
1 parent 56f128e
commit 1deccd3
Showing 1 changed file with 6 additions and 3 deletions.
diff --git a/templates/5.1.5.yaml b/templates/5.1.5.yaml
@@ -10,9 +10,11 @@ info:
     - https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html
     - https://cwe.mitre.org/data/definitions/601.html
     - https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/11-Client_Side_Testing/04-Testing_for_Client_Side_URL_Redirect
+    - https://github.com/projectdiscovery/nuclei-templates/blob/main/http/vulnerabilities/generic/open-redirect-generic.yaml
+    - https://snbig.github.io/Vulnerable-Pages/ASVS_5_1_5/
   tags: asvs,5.1.5
   description: |
-    Verify that URL redirects and forwards only allow destinations which appear on an allow list, or show a warning when redirecting to potentially untrusted content.
+    Verify that URL redirects and forwards only allow destinations which appear on an allow list, or show a warning when redirecting to potentially untrusted content.  
 
 variables:
   vulnerable_parameter: "url"
@@ -23,7 +25,8 @@ http:
       - "{{BaseURL}}/{{payload}}"
       - "{{BaseURL}}//{{payload}}"
       - "{{BaseURL}}/?{{vulnerable_parameter}}={{payload}}"
-
+      - "{{BaseURL}}?{{vulnerable_parameter}}={{payload}}"
+
     payloads:
       payload:
         - '%0a/evil.com/'
@@ -135,4 +138,4 @@ http:
           - 303
           - 304
           - 307
-          - 308
+          - 308