
Introduction
Cross-Site Scripting (XSS) remains a critical web vulnerability, but validating payloads in redirect responses can be challenging. When a payload is reflected in a redirect page, the browser may not execute it due to the HTTP 3xx status code. This article explores how to use Caido’s Match and Replace (M&R) rule to bypass this limitation and confirm XSS exploitation.
Learning Objectives
- Understand why XSS payloads fail in redirect responses.
- Learn how to configure Caido to modify HTTP status codes for validation.
- Apply this technique in real-world bug bounty hunting scenarios.
1. Bypassing Redirects with Caido Match and Replace
Command/Configuration:
Caido M&R Rule to Replace 302 with 200
  match:
    response:
      status_code: 302
  replace:
    response:
      status_code: 200
Step-by-Step Guide:
- Open Caido and navigate to the Match and Replace rules section.
- Add a new rule targeting responses with a `302` (or `301`, `307`) status code.
- Replace the status code with `200 OK` to force the browser to render the response.
- Resend the XSS payload—the alert should now execute.
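The following added example (not part of the original article and not Caido's own code) models what the Match and Replace rule does and why it matters. It parses a constructed raw HTTP response, applies the same status-code rewrite the rule performs, and then simulates the browser's decision: a 3xx with a Location header is followed and its body is never rendered, while a 200 body is rendered. The response text and the `alert(1)` marker are constructed sample values.

```python
# Constructed sample: a 302 whose body reflects an unencoded parameter.
RAW_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Location: /home\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body>Redirecting... <script>alert(1)</script></body></html>"
)

# Status codes the M&R rule should catch (the article names 301, 302 and 307).
REDIRECT_CODES = {"301", "302", "307"}


def parse_response(raw):
    """Split a raw HTTP/1.1 response into status line, headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    version, code, reason = status_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"version": version, "status": code, "reason": reason,
            "headers": headers, "body": body}


def apply_status_rule(resp, match_codes=REDIRECT_CODES, replace_with="200"):
    """Mirror of the Caido rule: match a redirect status, replace it with 200.

    Returns a new dict so the original response stays untouched.
    """
    if resp["status"] in match_codes:
        return dict(resp, status=replace_with, reason="OK")
    return resp


def serialize(resp):
    """Rebuild the raw response text, e.g. to see the rewritten status line."""
    lines = [f'{resp["version"]} {resp["status"]} {resp["reason"]}']
    lines += [f"{k}: {v}" for k, v in resp["headers"].items()]
    return "\r\n".join(lines) + "\r\n\r\n" + resp["body"]


def browser_action(resp):
    """Simplified browser behaviour: follow a 3xx Location without rendering
    its body; render the body of anything else."""
    if resp["status"].startswith("3") and "location" in resp["headers"]:
        return ("follow", resp["headers"]["location"])
    return ("render", resp["body"])


def would_execute(resp, marker="<script>alert(1)</script>"):
    """True only if the body is rendered AND still contains the raw marker."""
    action, content = browser_action(resp)
    return action == "render" and marker in content


if __name__ == "__main__":
    original = parse_response(RAW_RESPONSE)
    print("before rule:", browser_action(original)[0], would_execute(original))
    patched = apply_status_rule(original)
    print("after rule: ", browser_action(patched)[0], would_execute(patched))
    print(serialize(patched).split("\r\n")[0])
```

The point the simulation makes is that the reflected script is present in both cases; only the status code decides whether the browser ever parses the body. From a defensive side, the same reasoning shows why a reflected redirect body is still a bug worth fixing: any intermediary or client that does not follow redirects sees the raw HTML.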
2. Validating XSS Payloads with Manual Testing
Command (Browser Console):
// Note: browsers return an "opaqueredirect" response (status 0, empty body) for
// redirect: 'manual', so the body is only readable when the server returns the
// page directly, e.g. after a proxy rule has rewritten the status to 200.
fetch('/redirect-endpoint', { redirect: 'manual' })
  .then(res => res.text())
  .then(html => document.write(html));
Steps:
- Use the browser’s developer console to send a request with `redirect: 'manual'`.
- Extract the response body and inject it into the DOM.
- Check for payload execution without following the redirect.
3. Automating with Python Requests
Code Snippet:
import requests

# Fetch the redirect endpoint without following the 3xx so its body is kept
response = requests.get('https://vulnerable.site/redirect', allow_redirects=False)
# Look for the unencoded payload in the reflected body
if '<script>alert(1)' in response.text:
    print("XSS Confirmed!")
Steps:
1. Disable redirects using `allow_redirects=False`.
2. Analyze the response body for reflected payloads.
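As an added, self-contained example (not code from the original article), the script below makes the same no-follow check without the `requests` dependency, using `http.client`, which never follows redirects. It starts a constructed local stand-in for a redirect endpoint that echoes a `next` parameter into its 302 body, raw on `/redirect` and HTML-encoded on `/safe`, and classifies what came back. The classification step is the practical refinement over a plain substring test: an encoded reflection (`&lt;script&gt;`) is a safe sink, not a finding. The server, paths, parameter name and payload are all assumptions made for the demonstration.

```python
import html
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, quote, urlparse

# Constructed probe marker; any distinctive string works for detection.
PAYLOAD = "<script>alert(1)</script>"


class ReflectingRedirectHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for a redirect endpoint that echoes ?next= into
    the 302 body. /safe encodes the value; every other path reflects it raw."""

    def do_GET(self):
        nxt = parse_qs(urlparse(self.path).query).get("next", [""])[0]
        if self.path.startswith("/safe"):
            body = f"<p>Redirecting to {html.escape(nxt)}</p>"   # encoded (safe)
        else:
            body = f"<p>Redirecting to {nxt}</p>"                # raw (the bug)
        data = body.encode()
        self.send_response(302)
        self.send_header("Location", "/home")
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):  # keep the demo output quiet
        pass


def start_server():
    """Bind the stand-in server to a free loopback port in a background thread."""
    srv = HTTPServer(("127.0.0.1", 0), ReflectingRedirectHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def classify_reflection(host, port, path, payload=PAYLOAD):
    """Request the endpoint without following the redirect and report the
    status, the Location target and how the payload was reflected:
    'raw' (unencoded), 'encoded' (HTML-escaped) or 'absent'."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("GET", f"{path}?next={quote(payload)}")
        resp = conn.getresponse()
        body = resp.read().decode(errors="replace")
        status, location = resp.status, resp.getheader("Location")
    finally:
        conn.close()
    if payload in body:
        reflection = "raw"
    elif html.escape(payload) in body:
        reflection = "encoded"
    else:
        reflection = "absent"
    return {"status": status, "location": location, "reflection": reflection}


if __name__ == "__main__":
    server = start_server()
    port = server.server_address[1]
    for path in ("/redirect", "/safe"):
        print(path, classify_reflection("127.0.0.1", port, path))
    server.shutdown()
```

A `raw` result on a 3xx response is the situation the article describes: the payload is in the body, and a client that renders that body (or a proxy rule that rewrites the status) will execute it. The `status` field is reported alongside so the reader does not mistake an encoded or absent reflection behind a 302 for a confirmed issue.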
4. Burp Suite Interception
Tool Configuration:
- In Burp Suite, go to Proxy > Options and enable Intercept Server Responses.
- Drop the redirect response and manually inspect the body for XSS.
5. Browser Extensions for Debugging
Tool: “Redirector” (Chrome/Firefox Extension)
Steps:
- Configure the extension to block redirects from the target domain.
- Reload the page to view the raw response.
What Undercode Say
- Key Takeaway 1: Redirect-based XSS is often overlooked but can be critical in bug bounty programs.
- Key Takeaway 2: Tools like Caido and Burp Suite simplify validation by manipulating HTTP flow.
Analysis:
While traditional XSS testing focuses on direct reflection, advanced techniques like status code manipulation reveal hidden vulnerabilities. This approach is particularly useful for single-page applications (SPAs) and OAuth flows, where redirects are common. As browsers tighten default security policies, ethical hackers must adapt with tool-assisted testing.
Prediction
Future web frameworks may enforce stricter validation on redirect responses, but attackers will pivot to DOM-based XSS or server-side prototype pollution to achieve similar results. Proactive testing will remain essential.
Reported By: Deepak Saini – Hackers Feeds


