Robust and blazing-fast open-redirect vulnerability scanner that can recursively crawl all web forms, entry points, or links with data.

Overview

After the Golismero project died, there has been no up-to-date open-source tool that collects links with parameters and web forms and then tests them, so I decided to write one on my own. In the first step the tool collects all the entry points of the target website, and then it tries to find open redirect vulnerabilities.

Why is this project better than other open-redirect scanners? It recursively crawls all the links from the target website and finds potentially vulnerable web forms by itself instead of using CommonCrawl or taking a list of links from user input. In the future I will probably add more modules to fuzz for SQL injection and XSS.
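The entry-point collection step described above, as an added example that is not fuzz300's own code: it parses one constructed page offline and records same-origin links that carry parameters plus each form's fields. The names `EntryPointCollector` and `collect_entry_points` and the sample HTML are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urljoin, urlsplit

class EntryPointCollector(HTMLParser):
    """Record same-origin links that carry parameters, and every form's fields."""

    def __init__(self, base_url):
        super().__init__()
        self.base = base_url
        self.origin = urlsplit(base_url).netloc
        self.links = {}    # URL without query string -> set of parameter names
        self.forms = []    # one dict per <form>: action, method, field names
        self._form = None  # form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            url = urlsplit(urljoin(self.base, a["href"]))
            names = {k for k, _ in parse_qsl(url.query, keep_blank_values=True)}
            if url.netloc == self.origin and names:  # stay on the target site
                key = f"{url.scheme}://{url.netloc}{url.path}"
                self.links.setdefault(key, set()).update(names)
        elif tag == "form":
            self._form = {"action": urljoin(self.base, a.get("action") or ""),
                          "method": (a.get("method") or "get").lower(),
                          "fields": []}
            self.forms.append(self._form)
        elif tag in ("input", "select", "textarea") and self._form is not None:
            if a.get("name"):
                self._form["fields"].append(a["name"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None

def collect_entry_points(base_url, html):
    collector = EntryPointCollector(base_url)
    collector.feed(html)
    return {u: sorted(n) for u, n in collector.links.items()}, collector.forms

# Constructed sample page; example.com matches the host used under Usage.
SAMPLE_HTML = """
<a href="/login?next=/account">Sign in</a>
<a href="/login?next=/cart&amp;ref=nav">Checkout</a>
<a href="/about">About</a>
<a href="https://cdn.example.net/lib.js?v=3">CDN</a>
<form action="/search" method="POST">
  <input name="q"><input type="hidden" name="return_to" value="/">
</form>
"""
LINKS, FORMS = collect_entry_points("https://example.com/", SAMPLE_HTML)
```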

Installation

~$ git clone https://github.com/d34db33f-1007/fuzz300.git
~$ cd fuzz300
~$ pip3 install -r requirements.txt

Usage

~$ python3.8 fuzz300.py -u https://example.com
~$ python3.8 fuzz300.py -u https://www.example.com -c 'Cookie: user=admin'

After running you will also find newly created files with interesting links and all website entry-points.

Tips

• Try using the same parameter twice: ?next=whitelisted.com&next=google.com
• If periods are filtered, use an IPv4 address in decimal notation: http://www.geektools.com/geektools-cgi/ipconv.cgi
• Try a double-URL and triple-URL encoded version of payloads
• Try redirecting to an IP address (instead of a domain) using different notations: IPv6, IPv4 in decimal, hex or octal
• For XSS, try replacing alert(1) with prompt(1) & confirm(1)
• If the extension is checked, try ?image_url={payload}/.jpg
• Try target.com/?redirect_url=.uk (or [any_param]=.uk). If it redirects to target.com.uk, then it’s vulnerable! target.com.uk and target.com are different domains.
• Use the U+202E RIGHT-TO-LEFT OVERRIDE character: https://whitelisted.com@%E2%80%[email protected]
-- • The Unicode character U+202E changes all subsequent text to be right-to-left
-- • E.g.: https://hackerone.com/reports/299403
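The tips above double as a checklist for the code that issues the redirect. As an added example (not part of fuzz300; `ALLOWED_HOSTS`, `safe_redirect_target` and the `other.example` host are assumptions), a strict server-side validator that rejects each of those input classes:

```python
import unicodedata
from urllib.parse import parse_qs, unquote, urlsplit

ALLOWED_HOSTS = {"whitelisted.com"}  # assumption: hosts the app may redirect to

def safe_redirect_target(query_string, param="next"):
    """Return the redirect target if it is safe to follow, otherwise None."""
    values = parse_qs(query_string, keep_blank_values=True).get(param, [])
    if len(values) != 1:
        return None  # missing or repeated parameter: never pick one silently
    target = values[0]  # parse_qs has already percent-decoded once
    if unquote(target) != target:
        return None  # still encoded after one decode (double/triple encoding)
    if "\\" in target or any(unicodedata.category(c) in ("Cc", "Cf") for c in target):
        return None  # backslashes, control and bidi format characters (U+202E)
    if target.startswith("/") and not target.startswith("//"):
        return target  # path on the same site
    try:
        parts = urlsplit(target)
        host = parts.hostname
    except ValueError:
        return None  # malformed authority, e.g. unbalanced IPv6 brackets
    if parts.scheme not in ("http", "https"):
        return None
    if parts.username is not None or parts.password is not None:
        return None  # userinfo before "@" is not the host
    # Exact host match: IP literals in any notation and suffixed names such as
    # "whitelisted.com.uk" are simply not in the set.
    return target if host in ALLOWED_HOSTS else None

# Constructed inputs, one per tip above, plus two legitimate targets.
SAMPLES = [
    "next=%2Faccount",
    "next=https%3A%2F%2Fwhitelisted.com%2Fhome",
    "next=https://whitelisted.com/&next=https://other.example/",
    "next=https%253A%252F%252Fother.example%252F",
    "next=https://2130706433/",
    "next=https://whitelisted.com.uk/",
    "next=https://whitelisted.com@other.example/",
    "next=https://whitelisted.com/%E2%80%AE",
    "next=https://other.example/.jpg",
]

if __name__ == "__main__":
    for qs in SAMPLES:
        print(f"{qs!r:62} -> {safe_redirect_target(qs)!r}")
```

The double-encoding check is deliberately strict: a legitimate target that still contains percent-escapes after one decode is rejected as well.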

Exploitation

• Phishing
• Chaining open redirect with
-- • SSRF
-- • OAuth token disclosure
-- • XSS
-- • CRLF injection

Open redirect writeups

Hackerone report 158434: Open Redirect & XSS on Shopify, $1,000
Hackerone report 101962: Open Redirect on Shopify, $500
Hackerone report 55546: Open Redirect on Shopify, $500
Hackerone report 55525: Open Redirect on Shopify, $500
Hackerone report 169759: Open Redirect on Shopify, $500
Hackerone report 160047: Open Redirect on Shopify, $500
Hackerone report 103772: Open Redirect on Shopify, $500
Hackerone report 159522: Open Redirect on Shopify, $500

Releases(v1.0.0)
Owner
railway zeppelin
all paths lead to clouds | https://t.me/ju_oj