A Tricky Open Redirect


Hello Friends,

Today I'm gonna share one of my coolest findings: how I found an Open Redirect vulnerability on a private site on Bugcrowd.


Open Redirect:

Open redirect is a security flaw in an application or web page that fails to properly validate URLs. An open redirect occurs when a web page redirects the user to a URL on another domain based on user-controlled input.


How I found the Open Redirect vulnerability

In my free time I was looking for bugs, and at the same time I received an invitation on Bugcrowd.

I visited the site and registered an account on it.

I can't disclose the website name, so let's assume https://redacted.com

So, I found this normal login endpoint, i.e.

https://redacted.com/login?nextUrl=url

Next, I tried some open redirect payloads on the nextUrl parameter, i.e. nextUrl=http://evil.com or nextUrl=//evil.com and others, but nothing worked.
I randomly put evil.com after the nextUrl parameter,
i.e.
https://redacted.com/login?nextUrl=evil.com
and after login the site redirected and the domain became

https://redacted.comevil.com

So a little trick quickly came to my mind, and I ended up with the payloads .evil.com (nextUrl=.evil.com) and @evil.com (nextUrl=@evil.com), which did the magic,
i.e.

https://redacted.com/login?nextUrl=.evil.com
redirects to
https://redacted.com.evil.com (a subdomain of evil.com)

(Worked in Firefox)


https://redacted.com/login?nextUrl=@evil.com
redirects to
https://redacted.com@evil.com >> evil.com (the part before @ is treated as userinfo, so the browser lands on evil.com)

(Worked in Chrome)
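To make the failure mode concrete, here is an added Python example (not code from the post or from the affected site) that reproduces the concatenation bug the post describes with a stand-in origin, shows which host a URL parser actually resolves for each of the three redirect results above, and contrasts it with an allow-list check that only accepts same-origin targets. The function names, the `SITE_ORIGIN` value and the sample inputs are constructed for illustration; `redacted.com` stands in for the real host exactly as it does in the post.

```python
from urllib.parse import urlsplit, urljoin

# Constructed stand-in for the site's own origin (the post's "redacted.com").
SITE_ORIGIN = "https://redacted.com"
SITE_HOST = "redacted.com"


def vulnerable_redirect_target(next_url: str) -> str:
    """Mimics the flawed behaviour the post describes (hypothetical reconstruction):
    obvious absolute URLs are rejected, but whatever remains is glued straight
    onto the site's own origin by string concatenation."""
    lowered = next_url.lower()
    if lowered.startswith(("http://", "https://", "//")):
        return SITE_ORIGIN + "/"        # the naive filter that blocked the usual payloads
    return SITE_ORIGIN + next_url       # string concatenation: the actual bug


def effective_host(url: str) -> str:
    """The host a standards-compliant parser (and thus a browser) resolves for url.
    urlsplit() treats anything before '@' in the authority as userinfo, which is
    why 'redacted.com@evil.com' resolves to evil.com."""
    return urlsplit(url).hostname or ""


def is_local_target(next_url: str) -> bool:
    """Allow-list check: accept only a path on this origin (a single leading '/',
    not '//' or '/\\' which parsers may read as a scheme-relative authority), or
    an absolute https URL whose authority is exactly our host.  Comparing the
    full netloc rather than hostname rejects userinfo and port tricks."""
    if not next_url:
        return False
    if next_url.startswith("/") and not next_url.startswith(("//", "/\\")):
        return True
    parts = urlsplit(next_url)
    return parts.scheme == "https" and parts.netloc == SITE_HOST


def safe_redirect_target(next_url: str) -> str:
    """Resolve next_url against our origin only if it passes the allow-list;
    otherwise fall back to the site root."""
    if not is_local_target(next_url):
        return SITE_ORIGIN + "/"
    return urljoin(SITE_ORIGIN + "/", next_url)


if __name__ == "__main__":
    # Constructed sample inputs: the post's three variants plus a benign path.
    for candidate in ("evil.com", ".evil.com", "@evil.com", "/account"):
        vuln = vulnerable_redirect_target(candidate)
        print(f"{candidate!r:14} vulnerable -> {vuln:38} host={effective_host(vuln)}")
        print(f"{'':14} hardened   -> {safe_redirect_target(candidate)}")
```

The key point the hardened version makes is that the decision is taken on the parsed authority of the final URL, not on the raw string: `.evil.com` and `@evil.com` never reach the concatenation step, and a full absolute URL is accepted only when its entire netloc equals the site's own host.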

I reported this bug via Bugcrowd, and within 2 minutes my report was closed as a Duplicate and I received an email:
[Submission is a duplicate of
(Open URL redirect on
https://redacted.com/login?nextUrl=http://www.evil.com)
Created a year ago]
I visited the above URL and the PoC was not working.
After that, I asked them to re-check it, and after some time they re-opened my report, because someone had previously reported the same bug and they had resolved the issue, which means I had found a bypass of the fix for the resolved report.

They rewarded me a $200 bounty.

I have found open redirects many times with the above technique.


Hope you enjoyed this write-up.

Thanks
