DOM based open redirect to the leak of a JWT token

DOM-based open redirects are often underestimated on pentests and bug bounty programs. Depending on the application’s context, however, this kind of vulnerability can have a critical impact, because information carried in the URL can leak through the referrer (Referer) header.

On a private program on HackerOne, I noticed that when logging out of your session you reached /logout/landing.html?originalUrl=/login, a log-out page with only a “Click here” <a> tag. When analyzing the DOM of the page I saw that the following JS event listener was attached to the “Click here” button:

The redirection was JS-based, went through the login flow and led to an OAuth API that signed the pathname provided in the originalUrl parameter and concatenated it with window.location.host’s value. So, inserting hello in the originalUrl parameter led to the following redirection when the “Click here” button was clicked:

https://redacted.comhello/?logincallback=true

On modern browsers (Firefox, Chrome, etc.), domain.com@anotherdomain.com will lead to anotherdomain.com, because everything before the @ is parsed as the URL’s userinfo component rather than as the host.

So I injected @burpcollaborator.net into the originalUrl parameter, and when the “Click here” button was clicked I directly reached my Collaborator.

At this point I had a DOM-based open redirect. Moreover, as the OAuth API was performing the redirection and the response type was set to code, the authentication JWT token leaked through the referrer header of the request made to my server.

A potential attacker could then use the JWT token to log into the victim’s account, leading to an account takeover.
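The root cause described above is a redirect target assembled by string concatenation of window.location.host with an unvalidated parameter, so a value beginning with @ turns the real host into userinfo. The following is an added example, not code from the original post or the affected application: it reconstructs the concatenation pattern as the post describes it (the exact listener is not reproduced on the page, so this is an assumption) next to a hardened version that only accepts a single-slash relative path and verifies that the resolved URL stays on the application origin. The host redacted.com is the placeholder used in the post.

```javascript
// Added example, not the application's own code. Assumes the app is served
// from https://redacted.com (placeholder taken from the post).
const APP_ORIGIN = "https://redacted.com";

// Reconstruction (assumed) of the vulnerable pattern: the host is glued to
// whatever the originalUrl parameter contained, so "@evil" rewrites the host.
function vulnerableRedirectTarget(originalUrl) {
  return "https://" + "redacted.com" + originalUrl + "/?logincallback=true";
}

// Where a WHATWG-compliant browser would actually navigate for a given href.
function effectiveHost(href) {
  try {
    return new URL(href).host;
  } catch (e) {
    return null;
  }
}

// Hardened version: returns an absolute URL on APP_ORIGIN, or null when the
// parameter is rejected. Rejects "hello", "@evil.com", "//evil.com",
// "https://evil.com" and backslash variants that browsers treat as slashes.
function safeRedirectTarget(originalUrl) {
  if (typeof originalUrl !== "string" || originalUrl.length === 0) return null;
  // Must be a path-absolute reference: exactly one leading slash.
  if (!originalUrl.startsWith("/") || originalUrl.startsWith("//")) return null;
  // "/\evil.com" is parsed like "//evil.com" for http(s) URLs.
  if (originalUrl.includes("\\")) return null;
  let resolved;
  try {
    resolved = new URL(originalUrl, APP_ORIGIN);
  } catch (e) {
    return null;
  }
  // Final guard: the resolved target must still be same-origin.
  if (resolved.origin !== APP_ORIGIN) return null;
  resolved.searchParams.set("logincallback", "true");
  return resolved.href;
}

// Stand-alone demonstration with constructed inputs.
if (typeof require !== "undefined" && require.main === module) {
  for (const input of ["/login", "hello", "@burpcollaborator.net", "//burpcollaborator.net"]) {
    console.log(
      JSON.stringify(input),
      "vulnerable ->", effectiveHost(vulnerableRedirectTarget(input)),
      "| hardened ->", safeRedirectTarget(input)
    );
  }
}
```

The origin check after URL resolution is the part that matters; the string prefix checks only make the rejection reason obvious. Independently of the redirect fix, a Referrer-Policy such as strict-origin-when-cross-origin (the default in current browsers) or no-referrer stops the path and query, and therefore any code or token placed in them, from being sent to a cross-origin destination.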
