Sourav Sahana

@pocdork


Bypass Open Redirect Protection

Hello Hunters, hope you are all hunting well! If you are learning from my write-ups and like my posts, please follow me on social media.

I found this issue because of a little luck. 2-4 months ago I was searching for a perfect program for me on HackerOne and suddenly I got a notification from a private program that a new scope had been added. Immediately I went to that program page and read all the details.

When I get this type of new target I always use the Wayback Machine to fetch public endpoints. As always, I found a login endpoint: https://target.com/login/redirect?r=https%3A%2F%2Fwww.target.com%2Fdashboard%2F , And guess what? Open Redirect was an in-scope issue.

But wait…! I tried changing the r parameter to an external domain like: evil.com, //evil.com, @evil.com, https://evil.com, %2F%2Fevil.com, etc. But nothing happened! It simply redirected to the main domain.

I noticed another thing: if I used a sub-domain of the target domain in the r parameter, like: https://target.com/login/redirect?r=https%3A%2F%2Fevil.target.com , it redirected me to evil.target.com.

So I used this payload: https://target.com/login/redirect?r=https%3A%2F%2Feviltarget.com . And it redirected me to eviltarget.com. Bypassed!

Basically, the application was checking whether the r parameter contained the keyword target.com. If it did, the redirect was accepted; if not, the user stayed on the current domain. A substring match like that never looks at the actual hostname, so any domain that merely contains the string (eviltarget.com) passes the check.
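The flawed keyword check reconstructed from the description, beside a hardened version that parses the URL and compares the hostname itself. This is an added example, not the program's code; target.com stands in for the real domain and the fallback path is an assumption.

```python
from urllib.parse import urlparse

TRUSTED_DOMAIN = "target.com"   # placeholder for the program's domain
SAFE_FALLBACK = "/dashboard/"   # assumed landing page when the redirect is rejected


def is_safe_redirect_substring(r: str) -> bool:
    """Flawed check as described in the write-up: accept any value that
    contains the keyword, so 'https://eviltarget.com' slips through."""
    return TRUSTED_DOMAIN in r


def is_safe_redirect(r: str) -> bool:
    """Hardened check: parse the (already URL-decoded) parameter and decide
    on the parsed hostname, not on the raw string."""
    parsed = urlparse(r)
    # Relative path on the same site: allow '/path' but not the
    # protocol-relative '//host' form.
    if parsed.scheme == "" and parsed.netloc == "":
        return r.startswith("/") and not r.startswith("//")
    # Anything with a netloc must carry an explicit http(s) scheme.
    if parsed.scheme not in ("http", "https"):
        return False
    # .hostname drops userinfo ('target.com@evil.com' -> 'evil.com') and
    # the port, and lowercases the host.
    host = parsed.hostname
    if host is None:
        return False
    # Exact host, or a real sub-domain (dot boundary enforced), so
    # 'eviltarget.com' and 'target.com.evil.com' are both rejected.
    return host == TRUSTED_DOMAIN or host.endswith("." + TRUSTED_DOMAIN)


def resolve_redirect(r: str) -> str:
    """Return the URL the login handler should redirect to."""
    return r if is_safe_redirect(r) else SAFE_FALLBACK
```

Whether sub-domains should be trusted at all is a policy decision; the check above mirrors the behaviour the write-up observed.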

Thanks for reading this post. Stay happy and be safe!
