A Tricky Open Redirect


Hello Friends,

Today, I'm gonna share one of my coolest findings: how I found an Open-Redirect vulnerability on a private site on Bugcrowd.

Open Redirect:

Open redirect is a security flaw in an app or web page that fails to properly validate URLs. It occurs when a web page redirects the user to a URL on another domain based on user-controlled input.

How I found the Open Redirect vulnerability

In my free time, I was looking for bugs, and at the same time I received an invitation on Bugcrowd.

I visited the site and registered an account on it.

I can't disclose the website name, so let's assume https://redacted.com

So, I found this normal login endpoint, i.e.


Next, I tried some open redirect payloads on the next parameter, i.e. nextUrl=http://evil.com or nextUrl=//evil.com and others, but nothing worked.
I randomly put evil.com after the next parameter,
and after login, the site redirects and the domain becomes


So a little trick quickly came to my mind, and I ended up with the payloads .evil.com (nextUrl=.evil.com) and @evil.com (nextUrl=@evil.com), which did the magic.

 redirects to
https://redacted.com.evil.com (subdomain of evil.com)

(Worked in Firefox)

 redirects to
https://redacted.com@evil.com >>evil.com

(Worked in Chrome)
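As an added example (not the site's code and not the author's), the snippet below models the redirect construction the write-up implies and shows why the two payloads work: a fix that only checks the final URL starts with the trusted origin still passes them, while parsing the final URL and comparing the host exactly (and refusing userinfo) rejects them. The `"https://" + host + nextUrl` concatenation and the host name `redacted.com` are assumptions.

```python
from urllib.parse import urlsplit

# Assumption: placeholder for the redacted site in the write-up.
TRUSTED_HOST = "redacted.com"


def build_target(next_url: str) -> str:
    """Assumed vulnerable construction: the site origin is prefixed to the raw
    nextUrl value, so '.evil.com' and '@evil.com' become part of the authority."""
    return "https://" + TRUSTED_HOST + next_url


def prefix_check(target: str) -> bool:
    """A prefix-only check. Both payloads pass it, because the string really
    does start with the trusted origin."""
    return target.startswith("https://" + TRUSTED_HOST)


def exact_host_check(target: str) -> bool:
    """Parse the final URL and require the host to be exactly TRUSTED_HOST.
    Rejects 'redacted.com.evil.com' (different host) and
    'redacted.com@evil.com' (userinfo present, host is evil.com)."""
    parts = urlsplit(target)
    if parts.scheme != "https":
        return False
    if parts.username is not None or parts.password is not None:
        return False
    return (parts.hostname or "").lower() == TRUSTED_HOST


def safe_redirect(next_url: str) -> str:
    """Return the redirect target only if it stays on the trusted host;
    otherwise fall back to the site root."""
    target = build_target(next_url)
    if exact_host_check(target):
        return target
    return "https://" + TRUSTED_HOST + "/"


if __name__ == "__main__":
    for payload in ["/dashboard", "evil.com", ".evil.com", "@evil.com"]:
        t = build_target(payload)
        print(f"{payload!r:14} -> {t!r:40} prefix={prefix_check(t)} "
              f"exact={exact_host_check(t)} final={safe_redirect(payload)}")
```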

I reported this bug via Bugcrowd, and in 2 minutes my report was closed as Duplicate and I received an email:
[Submission is a duplicate of 
(Open URL redirect on
Created a year ago]
I visited the above URL and the PoC was not working.
After that, I asked them to re-check this, and after some time they re-opened my report, because someone had previously reported the same bug and they had resolved the issue, which means that I found a bypass of the resolved report.

They rewarded me a $200 bounty.

I have found open redirects many times with the above technique.

Hope you like this sharing.
