Open Redirect in SLACK

Slack is cloud-based collaboration software. It originated in 2009 as an internal chat tool at the company behind a now-defunct online game; since then Slack has gained currency among enterprises and is broadening into a collaboration platform with capabilities beyond messaging.


I discovered an Open Redirect vulnerability on slack-redir.net. Another low-risk bug that I found xD

Steps to Reproduce

  1. Go to https://slack-redir.net/link?url=https://abaykan.com/
  2. You are redirected automatically to the URL given in the url parameter, with no interstitial or validation.

Request

GET /link?url=https://abaykan.com/ HTTP/1.1
Host: slack-redir.net
Connection: close
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.96 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,ht;q=0.8,id;q=0.7,so;q=0.6,es;q=0.5

Response

HTTP/1.1 302 Found
Date: Fri, 15 Feb 2019 17:36:15 GMT
Server: Apache
Vary: Accept-Encoding
location: https://abaykan.com/
Content-Length: 0
Connection: close
Content-Type: text/html
X-Via: haproxy-www-ok5p

Unfortunately I got an error while trying to inject XSS.

Suggested Fix

Validate the url parameter against an allowlist of permitted destinations (or map it through an indirect identifier) instead of reflecting it into the Location header, as described in the OWASP Unvalidated Redirects and Forwards Cheat Sheet:

https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.md
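The following is an added example, not Slack's code (the slack-redir.net backend is not public) and not part of the original write-up. It shows the observed behaviour (the url parameter copied straight into Location) next to a hardened version that only forwards to an allowlisted set of https hosts. The allowlist, the fallback URL and the probe URLs are assumptions constructed for illustration; the probes cover the bypass patterns an allowlist check is usually tested against (scheme-relative URLs, userinfo tricks, look-alike subdomains, bogus ports, backslashes, non-https schemes).

```python
"""Hardening a link-redirector endpoint such as /link?url=<target>.

Added example; not Slack's code and not part of the original write-up.
ALLOWED_HOSTS, FALLBACK and PROBES are assumptions for illustration.
"""
from urllib.parse import urlsplit

# Assumed allowlist: the only hosts the redirector may forward to.
ALLOWED_HOSTS = frozenset({"slack.com", "app.slack.com", "api.slack.com"})
# Assumed trusted destination used whenever the target is rejected.
FALLBACK = "https://slack.com/"


def vulnerable_redirect_target(url: str) -> str:
    """Behaviour observed in the write-up: the url parameter is copied into
    the Location header without any check (this is the open redirect)."""
    return url


def safe_redirect_target(url: str, fallback: str = FALLBACK) -> str:
    """Return url only if it is an https URL whose host is on the allowlist;
    otherwise return a fixed, trusted fallback."""
    if not url:
        return fallback
    # CR/LF could inject extra headers after Location. Browsers treat a
    # backslash like a slash ("\\evil.com" behaves as "//evil.com") but
    # urlsplit does not, so reject it before parsing instead of trusting
    # the parser to agree with the browser.
    if any(c in url for c in "\r\n\\"):
        return fallback
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError for "slack.com:evil.com"
    except ValueError:
        return fallback
    if parts.scheme.lower() != "https":
        # Rejects "javascript:", "data:", plain "http:" and scheme-relative
        # "//evil.com" (whose scheme is the empty string).
        return fallback
    # .hostname is lowercased with userinfo and port stripped, so
    # "https://slack.com@evil.com/" yields "evil.com" here.
    host = parts.hostname
    if host not in ALLOWED_HOSTS:
        # Exact match only: "slack.com.evil.com" and "notslack.com" fail.
        return fallback
    if port not in (None, 443):
        return fallback
    return url


# Constructed probe URLs: (input, True if it should be forwarded as-is).
PROBES = [
    ("https://abaykan.com/", False),            # the PoC from the write-up
    ("https://slack.com/messages", True),
    ("https://SLACK.com/", True),               # host match is case-insensitive
    ("//abaykan.com/", False),                  # scheme-relative
    ("https://slack.com@abaykan.com/", False),  # userinfo trick
    ("https://slack.com.abaykan.com/", False),  # look-alike subdomain
    ("https://slack.com:abaykan.com/", False),  # bogus port
    ("https:\\\\abaykan.com/", False),          # backslash confusion
    ("javascript:alert(1)", False),             # non-https scheme
    ("http://slack.com/", False),               # downgrade to http
    ("", False),
]


def evaluate(probes=PROBES) -> dict:
    """Return {url: decision}; True means the hardened check forwards url."""
    return {u: safe_redirect_target(u) == u for u, _ in probes}


if __name__ == "__main__":
    for url, expected in PROBES:
        result = safe_redirect_target(url)
        status = "ALLOW" if result == url else "BLOCK"
        print(f"{status:5} {url!r:40} -> {result}")
```

Run the file directly to see each probe's decision. The key design point is that the check operates on the parsed hostname and scheme, not on a string prefix: a `startswith("https://slack.com")` test would pass both the userinfo and the look-alike subdomain probes above.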

Impact

An attacker can send a victim a link on the legitimate slack-redir.net domain that redirects to a malicious site, for example a copy of the real login page that asks for the user's credentials. Because the visible link points at a Slack-owned host, users who check the domain before clicking are still misled.

However, because of Slack's program conditions (security policy), this report was considered invalid (Not Applicable).