Sourav Sahana

@pocdork


From POST to GET Open redirect

Hey! I’m Sourav Sahana from India. This is the write-up for my first bug bounty, so I am really sorry if I have gotten something wrong. This was a unique bug for me because I’ve been rewarded three times for this bug. Hope you will enjoy this blog.

Summary

After so many duplicates and not applicables, I found a program on Bugcrowd. As usual, like other beginner hunters, I was also looking for open redirect, subdomain takeover, server-side injection, and XSS, but I failed, got demotivated, and left the program. The next day I started again to give it one last try. This time I was testing for a cookie invalidation issue. Again failed..

Discovery

There was no cookie invalidation issue. But I got this endpoint in the search bar: https://manage.statuspage.io/login?redirect=%2fpages/ . I immediately changed the redirect parameter and BAAM.. It redirected to evil.com. But the problem was that it only redirected if I was already signed in. If not signed in, the application asked me to log in and then I was redirected to evil.com. I thought it was a valid issue and reported it. After two days my report was changed from P4 to P5 because it is POST based. I was like:

I had to dig further. Then I discovered this endpoint: https://manage.statuspage.io/logout?redirect=https%3A%2F%2Fevil.com/ and also told them that if the user is already signed in then he will simply be redirected to evil.com. The next day he changed the report from P5 to P4. And it’s a valid bug. I got my first valid bug and bounty. My first bounty was $100 and it’s huge for me.

Wait! Wait! Wait! Not finished yet. After one month they replied to me that this issue had been fixed. But I told them that I could still redirect using this URL: https://manage.statuspage.io/logout?redirect=https%3A%2F%2Fbugcrowd.com/ . Then they replied: “Thank you for your reply. https://manage.statuspage.io/logout would be considered a different endpoint, so I would encourage you to submit that as a separate report so we can track it separately.” Again I submitted a report and this time I got $50. After one month they flagged my report as Resolved. But this time also my luck was with me.. The bug was not fixed but they marked it as resolved and gave me 2 weeks to check if I could still reproduce this bug. I replied: yes! I can. No reply from his side.

I was waiting for the correct time. After 2 weeks I reported this bug again. And this time it was P3, I don’t know why. Whatever! I got $300. Total bounty earned: $450
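For anyone fixing this class of bug: the story above shows a fix landing on one endpoint while another kept redirecting, so the check belongs in one shared validator that every handler reading the `redirect` parameter calls. The sketch below is an added example, not code from the original post or from the vendor; the function names and the default landing paths (`/pages/`, `/login`) are assumptions.

```python
from urllib.parse import parse_qs, urlsplit

DEFAULT_TARGET = "/pages/"  # assumed landing path, modelled on the URL in the post


def safe_redirect_target(raw, default=DEFAULT_TARGET):
    """Return raw only if it is a same-site absolute path, else default.

    raw is the already URL-decoded value of the redirect parameter.
    """
    if not raw:
        return default
    # Browsers treat "\" like "/" and strip tabs/newlines, so reject both
    if any(ch == "\\" or ord(ch) < 0x20 for ch in raw):
        return default
    # Must be an absolute path; "//host" is a scheme-relative URL
    if not raw.startswith("/") or raw.startswith("//"):
        return default
    try:
        parts = urlsplit(raw)
    except ValueError:
        return default
    if parts.scheme or parts.netloc:
        return default
    return raw


def redirect_after(request_url, default=DEFAULT_TARGET):
    """Pick the redirect target for a login or logout request URL."""
    query = parse_qs(urlsplit(request_url).query)
    return safe_redirect_target(query.get("redirect", [None])[0], default)


if __name__ == "__main__":
    # URLs as they appear in the post; both handlers share one validator
    samples = [
        ("https://manage.statuspage.io/login?redirect=%2fpages/", DEFAULT_TARGET),
        ("https://manage.statuspage.io/logout?redirect=https%3A%2F%2Fevil.com/", "/login"),
    ]
    for url, fallback in samples:
        print(url, "->", redirect_after(url, default=fallback))
```
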

Thank you and happy hunting
