A Tricky Open Redirect

 

Hello Friends,

Today, I'm gonna share one of my coolest finding that how I found an Open-Redirect vulnerability on private site of Bugcrowd.


Open Redirect:

Open redirect is a security flaw in an app or a web page that causes it to fail to properly authenticate URLs.Open redirect occurs when a web page is being redirected to another URL in another domain via a user-controlled input.


How I found Open Redirect vulnerability?

In my free time, I was looking for bugs and at the same time, I received an Invitation on Bugcrowd. 

I visit the site and registered an account on that site.

I can't disclose the website name, so let’s assume https://redacted.com

So, I found this normal login endpoint ie 

https://redacted.com/login?nextUrl=url

Next, I try some open redirect payloads on next parameter ie nextUrl=http://evil.com or nextUrl=//evil.com and others but nothing worked. 
I randomly put evil.com after next paramter
ie
https://redacted.com/login?nextUrl=evil.com
and after login, the site redirects and the domain becomes

https://redacted.comevil.com

So a little trick quickly comes to my mind and I end up with the payload ie .evil.com(nextUrl=.evil.com) and @evil.com(nextUrl[email protected]) does the magic.
ie

https://redacted.com/login?nextUrl=.evil.com
 redirects to
https://redacted.com.evil.com (subdomain of evil.com)

(Worked in Firefox)


https://redacted.com/login?nextUrl[email protected] 
 redirects to
https://[email protected] >>evil.com

(Worked in Chrome)

I reported this bug via Bugcrowd and in 2 minutes my report was closed as Duplicate and I received an Email
[Submission is a duplicate of 
(Open URL redirect on
https://redacted.com/login?nextUrl=http://www.evil.com)
Created a year ago]
I visit the above URL and the PoC is not working.
After that, I ask them to re-check this and after some time they re-open my report because someone previously reported the same bug and they resolved the issue which means that I found a bypass of the resolved report.




They rewarded me a $200 bounty.





I found open redirect many times with the above technique.


Hope you like this sharing.

Thanks

Comments

Popular posts from this blog

XSS in Zoho Mail

Email Spoofing for Beginners