Reflective XSS and Open Redirect on Indeed.com subdomain
Hi Again! So here is one more writeup on a simple bug I found on Indeed.com subdomain.
As always I looked up for subdomains using Sublist3r tool.
While I was browsing through offfers.indeed.com subdomain ,I noticed a functionality where a user could choose some filters from dropdown and create a PDF report of the data which was generated.
I quickly selected some values and generated the report.When I Opened the Report ,I noticed that the URL had an extra parameter Target which had the file location for the PDF file.
On seeing Target parameter in URL, my instant thought was to test for Open redirect .So I entered Target parameter value as https://www.google.com and I noticed it was actually taking user to Google.com
Vulnerable URL :http://offers.indeed.com/directcontent.html?target=http://www.google.com
I reported this issue to Indeed Via Bugcrowd and the bug was resolved within a week.As part of fix, they completely removed this functionality from the site.
For any question,You can get in touch with me @syntaxerror
Untill next time