Script http-open-redirect

Script types: portrule
Categories: discovery, intrusive
Download: https://svn.nmap.org/nmap/scripts/http-open-redirect.nse

Script Summary

Spiders a website and attempts to identify open redirects. Open redirects are handlers which commonly take a URL as a parameter and responds with a HTTP redirect (3XX) to the target. Risks of open redirects are described at http://cwe.mitre.org/data/definitions/601.html.

Only open redirects that are directly linked on the target website can be discovered this way. If an open redirector is not linked, it will not be discovered.

Script Arguments

http-open-redirect.maxdepth

the maximum amount of directories beneath the initial url to spider. A negative value disables the limit. (default: 3)

http-open-redirect.maxpagecount

the maximum amount of pages to visit. A negative value disables the limit (default: 20)

http-open-redirect.url

the url to start spidering. This is a URL relative to the scanned host eg. /default.html (default: /)

http-open-redirect.withindomain

only spider URLs within the same domain. This widens the scope from withinhost and can not be used in combination. (default: false)

http-open-redirect.withinhost

only spider URLs within the same host. (default: true)

slaxml.debug

See the documentation for the slaxml library.

httpspider.doscraping, httpspider.maxdepth, httpspider.maxpagecount, httpspider.noblacklist, httpspider.url, httpspider.useheadfornonwebfiles, httpspider.withindomain, httpspider.withinhost

See the documentation for the httpspider library.

smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername

See the documentation for the smbauth library.

http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent

See the documentation for the http library.

Example Usage

nmap --script=http-open-redirect <target>

Script Output 

PORT   STATE SERVICE REASON
443/tcp open  https   syn-ack
| http-open-redirect:
|_  https://foobar.target.se:443/redirect.php?url=http%3A%2f%2fscanme.nmap.org%2f

Requires

Author:

  • Martin Holst Swende

License: Same as Nmap--See https://nmap.org/book/man-legal.html