Set up open redirect fuzzing #901

Merged
merged 12 commits into from
Oct 9, 2024
39 changes: 39 additions & 0 deletions frontend/tests/fuzz/open-redirect/open-redirect.test.ts
@@ -0,0 +1,39 @@
import { readFileSync } from 'fs';

import { expect, test } from '../../utils/test-utils.js';

test('open redirect fuzz testing', async ({ logedPage, foldersPage }) => {
test.slow();

await foldersPage.goto();
const folderName = crypto.randomUUID();

await test.step('prepare fuzz open redirect', async () => {
await foldersPage.createItem({ name: folderName });
});

// Payloads courtesy of PayloadsAllTheThings
// https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Open%20Redirect/Intruder/Open-Redirect-payloads.txt
const payloadsFile = './tests/fuzz/open-redirect/payloads.txt';
const payloads = readFileSync(payloadsFile, 'utf8').split('\n');

const href = await foldersPage
.editItemButton(folderName)
.getAttribute('href')
.then((href) => href!.split('?')[0]);

const currentURL = logedPage.page.url();
const parsedURL = new URL(currentURL);
const hostname = parsedURL.hostname;

for await (const [index, payload] of payloads.entries()) {
await test.step(`fuzz open redirect with payload: ${payload} (${index + 1}/${payloads.length})`, async () => {
await logedPage.page.goto(`${href}?next=${payload}`);
await logedPage.page.getByTestId('cancel-button').click();
// Redirecting to next MUST not redirect to another domain
await expect
.soft(logedPage.page)
.toHaveURL(new RegExp(`^.*${hostname}.*$`), { timeout: 1000 });
});
}
});
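Review bot: the assertion on the `.toHaveURL(new RegExp(`^.*${hostname}.*$`), { timeout: 1000 })` line only checks that the allowed hostname appears somewhere in the final URL, so a redirect to a host that merely contains it as a substring (exactly the case the `www.whitelisteddomain.tld` payloads in this PR model, e.g. `http://www.whitelisteddomain.tld.google.com` or `//google.com\@www.whitelisteddomain.tld`) would pass, and the unescaped dots in `hostname` match any character. Suggest anchoring the pattern to the origin with the hostname escaped, e.g. `new RegExp(`^https?://${hostname.replace(/\./g, '\\.')}(:\\d+)?(/|$)`)`, or comparing `new URL(logedPage.page.url()).hostname` to `hostname` with strict equality after the navigation settles. Two smaller points: `readFileSync(...).split('\n')` yields a trailing empty string when the file ends with a newline, so the last step fuzzes `?next=` with nothing, and filtering empty lines avoids a misleading step name; and `crypto.randomUUID()` relies on the global Web Crypto object (Node 19+), so import it from 'node:crypto' if older runtimes are supported.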
240 changes: 240 additions & 0 deletions frontend/tests/fuzz/open-redirect/payloads.txt
@@ -0,0 +1,240 @@
//google.com/%2f..
//[email protected]/%2f..
///google.com/%2f..
///[email protected]/%2f..
////google.com/%2f..
////[email protected]/%2f..
https://google.com/%2f..
https://[email protected]/%2f..
/https://google.com/%2f..
/https://[email protected]/%2f..
//www.google.com/%2f%2e%2e
//[email protected]/%2f%2e%2e
///www.google.com/%2f%2e%2e
///[email protected]/%2f%2e%2e
////www.google.com/%2f%2e%2e
////[email protected]/%2f%2e%2e
https://www.google.com/%2f%2e%2e
https://[email protected]/%2f%2e%2e
/https://www.google.com/%2f%2e%2e
/https://[email protected]/%2f%2e%2e
//google.com/
//[email protected]/
///google.com/
///[email protected]/
////google.com/
////[email protected]/
https://google.com/
https://[email protected]/
/https://google.com/
/https://[email protected]/
//google.com//
//[email protected]//
///google.com//
///[email protected]//
////google.com//
////[email protected]//
https://google.com//
https://[email protected]//
//https://google.com//
//https://[email protected]//
//www.google.com/%2e%2e%2f
//[email protected]/%2e%2e%2f
///www.google.com/%2e%2e%2f
///[email protected]/%2e%2e%2f
////www.google.com/%2e%2e%2f
////[email protected]/%2e%2e%2f
https://www.google.com/%2e%2e%2f
https://[email protected]/%2e%2e%2f
//https://www.google.com/%2e%2e%2f
//https://[email protected]/%2e%2e%2f
///www.google.com/%2e%2e
///[email protected]/%2e%2e
////www.google.com/%2e%2e
////[email protected]/%2e%2e
https:///www.google.com/%2e%2e
https:///[email protected]/%2e%2e
//https:///www.google.com/%2e%2e
//www.whitelisteddomain.tld@https:///www.google.com/%2e%2e
/https://www.google.com/%2e%2e
/https://[email protected]/%2e%2e
///www.google.com/%2f%2e%2e
///[email protected]/%2f%2e%2e
////www.google.com/%2f%2e%2e
////[email protected]/%2f%2e%2e
https:///www.google.com/%2f%2e%2e
https:///[email protected]/%2f%2e%2e
/https://www.google.com/%2f%2e%2e
/https://[email protected]/%2f%2e%2e
/https:///www.google.com/%2f%2e%2e
/https:///[email protected]/%2f%2e%2e
/%09/google.com
/%09/[email protected]
//%09/google.com
//%09/[email protected]
///%09/google.com
///%09/[email protected]
////%09/google.com
////%09/[email protected]
https://%09/google.com
https://%09/[email protected]
/%5cgoogle.com
/%[email protected]
//%5cgoogle.com
//%[email protected]
///%5cgoogle.com
///%[email protected]
////%5cgoogle.com
////%[email protected]
https://%5cgoogle.com
https://%[email protected]
/https://%5cgoogle.com
/https://%[email protected]
https://google.com
https://[email protected]
javascript:alert(1);
javascript:alert(1)
//javascript:alert(1);
/javascript:alert(1);
//javascript:alert(1)
/javascript:alert(1)
/%5cjavascript:alert(1);
/%5cjavascript:alert(1)
//%5cjavascript:alert(1);
//%5cjavascript:alert(1)
/%09/javascript:alert(1);
/%09/javascript:alert(1)
java%0d%0ascript%0d%0a:alert(0)
//google.com
https:google.com
//google%E3%80%82com
\/\/google.com/
/\/google.com/
//google%00.com
https://www.whitelisteddomain.tld/https://www.google.com/
";alert(0);//
javascript://www.whitelisteddomain.tld?%a0alert%281%29
http://0xd8.0x3a.0xd6.0xce
http://[email protected]
http://[email protected]
http://XY>.7d8T\[email protected]
http://0xd83ad6ce
http://www.whitelisteddomain.tld@0xd83ad6ce
http://3H6k7lIAiqjfNeN@0xd83ad6ce
http://XY>.7d8T\205pZM@0xd83ad6ce
http://3627734734
http://www.whitelisteddomain.tld@3627734734
http://3H6k7lIAiqjfNeN@3627734734
http://XY>.7d8T\205pZM@3627734734
http://472.314.470.462
http://[email protected]
http://[email protected]
http://XY>.7d8T\[email protected]
http://0330.072.0326.0316
http://[email protected]
http://[email protected]
http://XY>.7d8T\[email protected]
http://00330.00072.0000326.00000316
http://[email protected]
http://[email protected]
http://XY>.7d8T\[email protected]
http://[::216.58.214.206]
http://www.whitelisteddomain.tld@[::216.58.214.206]
http://3H6k7lIAiqjfNeN@[::216.58.214.206]
http://XY>.7d8T\205pZM@[::216.58.214.206]
http://[::ffff:216.58.214.206]
http://www.whitelisteddomain.tld@[::ffff:216.58.214.206]
http://3H6k7lIAiqjfNeN@[::ffff:216.58.214.206]
http://XY>.7d8T\205pZM@[::ffff:216.58.214.206]
http://0xd8.072.54990
http://[email protected]
http://[email protected]
http://XY>.7d8T\[email protected]
http://0xd8.3856078
http://[email protected]
http://[email protected]
http://XY>.7d8T\[email protected]
http://00330.3856078
http://[email protected]
http://[email protected]
http://XY>.7d8T\[email protected]
http://00330.0x3a.54990
http://[email protected]
http://[email protected]
http://XY>.7d8T\[email protected]
http:0xd8.0x3a.0xd6.0xce
http:[email protected]
http:[email protected]
http:XY>.7d8T\[email protected]
http:0xd83ad6ce
http:www.whitelisteddomain.tld@0xd83ad6ce
http:3H6k7lIAiqjfNeN@0xd83ad6ce
http:XY>.7d8T\205pZM@0xd83ad6ce
http:3627734734
http:www.whitelisteddomain.tld@3627734734
http:3H6k7lIAiqjfNeN@3627734734
http:XY>.7d8T\205pZM@3627734734
http:472.314.470.462
http:[email protected]
http:[email protected]
http:XY>.7d8T\[email protected]
http:0330.072.0326.0316
http:[email protected]
http:[email protected]
http:XY>.7d8T\[email protected]
http:00330.00072.0000326.00000316
http:[email protected]
http:[email protected]
http:XY>.7d8T\[email protected]
http:[::216.58.214.206]
http:www.whitelisteddomain.tld@[::216.58.214.206]
http:3H6k7lIAiqjfNeN@[::216.58.214.206]
http:XY>.7d8T\205pZM@[::216.58.214.206]
http:[::ffff:216.58.214.206]
http:www.whitelisteddomain.tld@[::ffff:216.58.214.206]
http:3H6k7lIAiqjfNeN@[::ffff:216.58.214.206]
http:XY>.7d8T\205pZM@[::ffff:216.58.214.206]
http:0xd8.072.54990
http:[email protected]
http:[email protected]
http:XY>.7d8T\[email protected]
http:0xd8.3856078
http:[email protected]
http:[email protected]
http:XY>.7d8T\[email protected]
http:00330.3856078
http:[email protected]
http:[email protected]
http:XY>.7d8T\[email protected]
http:00330.0x3a.54990
http:[email protected]
http:[email protected]
http:XY>.7d8T\[email protected]
〱google.com
〵google.com
ゝgoogle.com
ーgoogle.com
ーgoogle.com
/〱google.com
/〵google.com
/ゝgoogle.com
/ーgoogle.com
/ーgoogle.com
%68%74%74%70%3a%2f%2f%67%6f%6f%67%6c%65%2e%63%6f%6d
http://%67%6f%6f%67%6c%65%2e%63%6f%6d
<>javascript:alert(1);
<>//google.com
//google.com\@www.whitelisteddomain.tld
https://:@google.com\@www.whitelisteddomain.tld
\x6A\x61\x76\x61\x73\x63\x72\x69\x70\x74\x3aalert(1)
\u006A\u0061\u0076\u0061\u0073\u0063\u0072\u0069\u0070\u0074\u003aalert(1)
ja\nva\tscript\r:alert(1)
\j\av\a\s\cr\i\pt\:\a\l\ert\(1\)
\152\141\166\141\163\143\162\151\160\164\072alert(1)
http://google.com:80#@www.whitelisteddomain.tld/
http://google.com:[email protected]/
http://google.com\www.whitelisteddomain.tld
http://google.com&www.whitelisteddomain.tld
http:///////////google.com
\\google.com
http://www.whitelisteddomain.tld.google.com
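Review bot: many entries use `www.whitelisteddomain.tld` as a placeholder for the application's own host (e.g. `//www.whitelisteddomain.tld@https:///www.google.com/%2e%2e`, `http://google.com:80#@www.whitelisteddomain.tld/`, `http://www.whitelisteddomain.tld.google.com`), but the test reads the file verbatim and never substitutes the real hostname, so the userinfo, fragment, backslash-confusion and subdomain cases are not actually exercised against the allow-list; suggest replacing the placeholder with `hostname` when the payloads are loaded. The `javascript:` entries are also invisible to a hostname assertion, since a script URL that executes leaves the page URL unchanged; a `page.on('dialog', ...)` handler that fails the step would cover them. Finally, the attribution to PayloadsAllTheThings lives only in the test file; a header comment in this file (or a README beside it) stating the source and the placeholder convention would help whoever extends the list.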