Hello Hunters, hope you are all hunting well! If you are learning from my write-ups and like my posts, please follow me on social media.
I found this issue with a little bit of luck. 2-4 months ago I was searching for the perfect program for me on HackerOne when I suddenly got a notification from a private program that a new scope had been added. I immediately went to that program page and read all the details.
When I get this type of new target I always use the Wayback Machine to fetch public endpoints. As always, I found a login endpoint: https://target.com/login/redirect?r=https%3A%2F%2Fwww.target.com%2Fdashboard%2F . And guess what? Open Redirect was an in-scope issue.
But wait...! I tried changing the r parameter to an external domain like: evil.com, //evil.com, @evil.com, https://evil.com, %2F%2Fevil.com, etc. But nothing happened! It simply redirected to the main domain.
I noticed another thing: if I used a subdomain of the target domain in the r parameter, like https://target.com/login/redirect?r=https%3A%2F%2Fevil.target.com , it redirected me to evil.target.com.
So I used this payload: https://target.com/login/redirect?r=https%3A%2F%2Feviltarget.com , and it redirected me to eviltarget.com. Bypassed!
Basically, the application was only checking whether the r parameter contained the keyword target.com anywhere in the string (a substring match, not a check of the parsed hostname). If it did, the redirect was accepted; if not, the user stayed on the current domain.
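To show why the keyword check fails and what a correct check looks like, here is an added example (my own code, not the program's) that puts the substring check described above next to a hostname-based validator. It assumes `target.com` stands in for the real domain and that the web framework has already URL-decoded the `r` parameter once.

```python
from urllib.parse import urlparse

ALLOWED_DOMAIN = "target.com"  # placeholder for the program's real domain


def is_safe_redirect_weak(r: str) -> bool:
    """The keyword check the post describes: accept anything containing 'target.com'.

    This is exactly what lets https://eviltarget.com through.
    """
    return ALLOWED_DOMAIN in r


def is_safe_redirect(r: str, allowed_domain: str = ALLOWED_DOMAIN,
                     allow_subdomains: bool = True) -> bool:
    """Accept only a site-local path or an https URL whose parsed host is allowed.

    `r` is the already URL-decoded query value (decode once, in the framework,
    never again here, or %252F-style double encoding becomes a bypass).
    """
    if "\\" in r or "\r" in r or "\n" in r:
        # Browsers treat backslash like slash ("/\evil.com" becomes "//evil.com");
        # CR/LF would let the value inject extra response headers.
        return False
    parsed = urlparse(r)
    if parsed.scheme == "" and parsed.netloc == "":
        # Relative path: must start with a single "/" so it stays on this site.
        # "//evil.com" never reaches here because urlparse gives it a netloc.
        return parsed.path.startswith("/") and not parsed.path.startswith("//")
    if parsed.scheme != "https":
        # Rejects http: downgrade, javascript:, data: and scheme-less //evil.com
        return False
    host = parsed.hostname  # lower-cased host only: userinfo and port are stripped,
    if not host:            # so "https://target.com@evil.com" yields "evil.com"
        return False
    if host == allowed_domain:
        return True
    # Suffix match on a dot boundary: "evil.target.com" ok, "eviltarget.com" not.
    return allow_subdomains and host.endswith("." + allowed_domain)


if __name__ == "__main__":
    # Constructed values mirroring the payloads tried in the write-up (decoded form).
    for value in ["https://www.target.com/dashboard/", "https://evil.target.com",
                  "https://eviltarget.com", "//evil.com", "https://target.com@evil.com"]:
        print(f"{value:40} weak={is_safe_redirect_weak(value)!s:5} "
              f"strict={is_safe_redirect(value)}")
```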
Thanks for reading this post. Stay happy and be safe!