A Tricky Open Redirect

Hello Friends,
Today I'm going to share one of my coolest findings: how I found an Open Redirect vulnerability on a private program on Bugcrowd.
Open Redirect:
An open redirect is a flaw where a site forwards the user to a destination taken from a request parameter without checking that it stays on the site, so a link that starts with the trusted domain can end up on an attacker's page.
How I found the Open Redirect vulnerability
In my free time I was looking for bugs, and at the same time I received an invitation on Bugcrowd.
I visited the site and registered an account.
I found this normal-looking login endpoint, i.e.
https://redacted.com/login?nextUrl=url
Next I tried the usual open redirect payloads in the nextUrl parameter, i.e. nextUrl=http://evil.com, nextUrl=//evil.com and others, but nothing worked.
Then I put just evil.com in the nextUrl parameter,
i.e.
https://redacted.com/login?nextUrl=evil.com
and after login the site redirected to
https://redacted.comevil.com
So the application was appending the raw nextUrl value directly onto its own host name, with no slash or other separator in between. A little trick quickly came to mind: make the glued-together string parse as a different host. The payloads .evil.com (nextUrl=.evil.com) and @evil.com (nextUrl=@evil.com) did the magic.
ie
https://redacted.com/login?nextUrl=.evil.com
redirects to
https://redacted.com.evil.com (subdomain of evil.com)
(Worked in Firefox)
https://redacted.com/login?nextUrl=@evil.com
redirects to
https://redacted.com@evil.com, which the browser reads as user name redacted.com on host evil.com, so it lands on evil.com
(Worked in Chrome)
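To make the mechanics concrete, here is an added example (not code from the original post or from the affected site) that models the concatenation bug described above and shows where a browser actually ends up for each payload, using Node's WHATWG URL parser, which follows the same rules Chrome and Firefox apply. It also shows a hardened replacement that only accepts a path on the site. The host names, the SITE_ORIGIN constant and the function names are placeholders I chose; the vulnerable construction is my reading of the behaviour the post observed.

```javascript
// Added example, not code from the original post. Host names are placeholders
// standing in for the redacted target and the attacker's domain.
const SITE_ORIGIN = "https://redacted.com";

// Vulnerable construction implied by the write-up: the login handler glues the
// raw nextUrl value straight onto its own origin with no "/" in between.
function vulnerableRedirectTarget(nextUrl) {
  return SITE_ORIGIN + nextUrl;
}

// Where does a browser actually go for a given Location value? Node's URL class
// follows the same WHATWG URL parsing rules as Chrome and Firefox, so
// "https://redacted.com@evil.com" yields host "evil.com" (redacted.com becomes
// the user name) and "https://redacted.com//evil.com" stays on redacted.com
// with path "//evil.com", which is why the classic payloads failed.
function effectiveHost(location) {
  try {
    return new URL(location).hostname;
  } catch (e) {
    return null; // not a parseable absolute URL
  }
}

// Hardened replacement: accept only a path on this site (a single leading "/",
// not "//" or "/\"), resolve it against our own origin, and re-check the origin
// of the result so the second check still holds if the prefix rule is loosened.
function safeRedirectTarget(nextUrl, fallback = "/") {
  if (typeof nextUrl !== "string" || !/^\/(?![\/\\])/.test(nextUrl)) {
    return SITE_ORIGIN + fallback;
  }
  let resolved;
  try {
    resolved = new URL(nextUrl, SITE_ORIGIN);
  } catch (e) {
    return SITE_ORIGIN + fallback;
  }
  return resolved.origin === SITE_ORIGIN ? resolved.href : SITE_ORIGIN + fallback;
}

// Constructed inputs: the payloads mentioned in the post, in the order tried.
const PAYLOADS = ["http://evil.com", "//evil.com", "evil.com", ".evil.com", "@evil.com"];

// For each payload: the URL the vulnerable handler emits, the host a browser
// would actually visit, and what the hardened handler would do instead.
function demo() {
  const rows = {};
  for (const p of PAYLOADS) {
    const target = vulnerableRedirectTarget(p);
    rows[p] = { target, host: effectiveHost(target), safe: safeRedirectTarget(p) };
  }
  return rows;
}

console.table(demo());
```

Running it shows the two successful payloads producing hosts redacted.com.evil.com and evil.com, while the hardened handler sends every one of them to the fallback path. Resolving the candidate against the site's own origin and comparing `origin` afterwards is the check that matters; string prefix tests alone miss backslash and userinfo tricks.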
I reported this bug via Bugcrowd, and within 2 minutes my report was closed as a Duplicate and I received an email:
[Submission is a duplicate of
(Open URL redirect on
https://redacted.com/login?nextUrl=http://www.evil.com)
Created a year ago]
I visited the URL above and its PoC was not working.
I asked them to re-check, and after some time they re-opened my report: someone had reported the same bug a year earlier and the issue had been fixed, which means I had found a bypass of that fix.

They rewarded me a $200 bounty.

I have found open redirects many times with the above technique.
Hope you liked this write-up.
Thanks