Open Redirect in SLACK

Abay
Feb 16, 2019 · 1 min read

Slack is cloud-based collaboration software. Originally founded in 2009 as a chat tool for a now-defunct gaming technology, Slack has gained currency among enterprises and is broadening into a collaboration platform with capabilities beyond just messaging.


I discovered an Open Redirect Vulnerability on slack-redir.net. Another low risk bug that I found xD

Steps to Reproduce

  1. Go to https://slack-redir.net/link?url=https://abaykan.com/
  2. This will redirect you automatically.

Request

GET /link?url=https://abaykan.com/ HTTP/1.1
Host: slack-redir.net
Connection: close
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.96 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,ht;q=0.8,id;q=0.7,so;q=0.6,es;q=0.5

Response

HTTP/1.1 302 Found
Date: Fri, 15 Feb 2019 17:36:15 GMT
Server: Apache
Vary: Accept-Encoding
location: https://abaykan.com/
Content-Length: 0
Connection: close
Content-Type: text/html
X-Via: haproxy-www-ok5p

Unfortunately I got an error while trying to inject XSS.

Suggested Fix

https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.md
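The cheat sheet linked above recommends validating a redirect parameter against an allowlist of permitted destinations instead of copying it into the Location header. The following is an added example of that approach (written for this article, not Slack's code); it contrasts the pattern behind an open redirect with a validating helper, using a constructed allowlist of example.com hosts and a hypothetical fallback URL in place of whatever the real service would use.

```python
# Added example: allowlist-based validation for a redirect parameter such as
# the "url" query argument on /link. Hypothetical helper, not Slack's code.
from urllib.parse import urlsplit, urlunsplit

# Constructed allowlist of hosts the redirector may send users to.
ALLOWED_HOSTS = {"example.com", "www.example.com"}
ALLOWED_SCHEMES = {"http", "https"}
FALLBACK = "https://www.example.com/"  # hypothetical safe default


def vulnerable_redirect_target(url: str) -> str:
    """The pattern behind an open redirect: the parameter becomes the Location value unchanged."""
    return url


def safe_redirect_target(url: str, fallback: str = FALLBACK) -> str:
    """Return url only if it is a same-site path or points to an allowlisted host.

    Anything else (empty value, scheme-relative "//host", non-http(s) scheme,
    embedded userinfo such as "https://trusted@other", backslash variants,
    hosts outside the allowlist) is replaced by the fallback.
    """
    if not url:
        return fallback

    # Browsers treat backslashes as forward slashes; normalise first so the
    # check sees the same URL the browser will follow.
    candidate = url.replace("\\", "/")

    # A plain same-site path is fine, but "//host" is scheme-relative and is not.
    if candidate.startswith("/") and not candidate.startswith("//"):
        return candidate

    parts = urlsplit(candidate)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return fallback
    if parts.username is not None or parts.password is not None:
        return fallback
    host = (parts.hostname or "").lower()
    if host not in ALLOWED_HOSTS:
        return fallback

    # Rebuild the URL from the validated components only.
    return urlunsplit((
        parts.scheme.lower(),
        parts.netloc.lower(),
        parts.path or "/",
        parts.query,
        parts.fragment,
    ))


if __name__ == "__main__":
    for sample in (
        "https://example.com/docs?x=1",
        "https://attacker.example.net/",
        "//attacker.example.net/",
        "https://example.com@attacker.example.net/",
        "/account/settings",
    ):
        print(f"{sample!r:45} -> {safe_redirect_target(sample)}")
```

The helper deliberately rebuilds the URL with `urlunsplit` rather than returning the caller's string, so that only the parsed scheme, host, path and query reach the response; exact host matching (no suffix or substring checks) is what keeps look-alike hosts such as `example.com.attacker.example.net` out.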

Impact

An attacker can redirect the victim to a malicious site through the legitimate slack-redir.net domain name; that site can be a copy of the real one that asks for the user's credentials.

But because of special conditions in Slack's security policy, this report was considered invalid (Not Applicable).
