DOM-based open redirects can be underestimated on pentests and bug bounty programs. However, depending on the application's context, this kind of vulnerability can have a critical impact, since sensitive information can leak through the Referer header.
On a private program on HackerOne I noticed that when logging out of your session, you reached /logout/landing.html?originalUrl=/login, a log-out page containing only a "Click here" <a> tag. When analysing the DOM of the page I saw that the following JS event listener was attached to the "Click here" button:
The redirection to the login flow was JavaScript-based and went through an OAuth API that signed the pathname provided in the originalUrl parameter and concatenated it with the value of window.location.host. So, inserting
hello in the originalUrl parameter then leads to the following redirection when the "Click here" button is clicked:
On modern browsers (Firefox, Chrome, etc.), a URL of the form https://<window.location.host>@anotherdomain.com navigates to anotherdomain.com: the browser treats everything before the "@" as userinfo and takes the host from what follows it.
So I tried injecting @burpcollaborator.net into the originalUrl parameter, and when the "Click here" button was clicked I landed directly on my Collaborator server.
At this point I had a DOM-based open redirect. But since the OAuth API was performing the redirection and the response type was set to code, the authentication JWT token leaked through the Referer header of the request made to my server.
A potential attacker could then use the JWT token to log into the victim's account, leading to an account takeover.
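To make the two mechanisms in this writeup concrete, here is an added example (my own code, not the program's or the author's) that models the redirect chain and the checks a fix would need. It shows why "host@anotherdomain.com" lands on the other domain, how a same-origin validation of originalUrl stops it, and what the Referer header carries under different Referrer-Policy values. The hosts app.example and attacker.example, the OAuth path and the code value are constructed placeholders; the application's real window.location.host and endpoints are not known from the writeup. It runs under Node.js (>= 10, using the built-in WHATWG URL class).

```javascript
// Added example, not code from the original writeup. Models the redirect chain the
// post describes plus the defences a reviewer would ask for. Runs under Node.js
// (global WHATWG URL). "app.example" stands in for the vulnerable application's
// window.location.host; "attacker.example" is a constructed placeholder host.

const APP_ORIGIN = "https://app.example";

// The vulnerable construction described in the post: the client concatenates the
// (server-signed) originalUrl value onto window.location.host.
function vulnerableRedirectTarget(originalUrl, host = new URL(APP_ORIGIN).host) {
  return `https://${host}${originalUrl}`;
}

// Where a WHATWG-conformant browser (Firefox, Chrome, Node's URL) actually navigates:
// everything before "@" in the authority is userinfo; the real host follows it.
function effectiveHost(urlString) {
  return new URL(urlString).host;
}

// Hardened version: resolve the untrusted value against the application origin and
// refuse anything that leaves it (other origins, "//host", "\\host", "user@host",
// javascript:), falling back to a fixed path.
function safeRedirectTarget(originalUrl, origin = APP_ORIGIN, fallback = "/login") {
  const safe = new URL(fallback, origin).href;
  let candidate;
  try {
    candidate = new URL(originalUrl, origin);
  } catch (err) {
    return safe; // unparsable input
  }
  if (candidate.origin !== origin || candidate.username !== "" || candidate.password !== "") {
    return safe;
  }
  return candidate.href;
}

// Referer value per the W3C Referrer Policy rules: shows what the attacker's server
// receives when the page that redirects carries the OAuth code in its URL.
// Returns null when no Referer header is sent.
function refererFor(fromUrl, toUrl, policy = "no-referrer-when-downgrade") {
  const from = new URL(fromUrl);
  const to = new URL(toUrl);
  const full = new URL(from.href);          // "full" referrer: credentials and fragment stripped
  full.username = ""; full.password = ""; full.hash = "";
  const originOnly = from.origin + "/";
  const sameOrigin = from.origin === to.origin;
  const downgrade = from.protocol === "https:" && to.protocol === "http:";
  switch (policy) {
    case "no-referrer": return null;
    case "unsafe-url": return full.href;
    case "same-origin": return sameOrigin ? full.href : null;
    case "origin": return originOnly;
    case "strict-origin": return downgrade ? null : originOnly;
    case "origin-when-cross-origin": return sameOrigin ? full.href : originOnly;
    case "strict-origin-when-cross-origin":
      return downgrade ? null : (sameOrigin ? full.href : originOnly);
    case "no-referrer-when-downgrade":
    default:
      return downgrade ? null : full.href;
  }
}

// Walk the chain from the writeup with the payload form it used ("@<host>").
function demo() {
  const payload = "@attacker.example";
  const vulnerable = vulnerableRedirectTarget(payload);   // https://app.example@attacker.example
  const landsOn = effectiveHost(vulnerable);               // attacker.example
  // Constructed OAuth step URL carrying the code; in the writeup the JWT sat in the
  // URL of the page that performed the cross-site redirect.
  const oauthStep = "https://app.example/oauth/authorize?response_type=code&code=CONSTRUCTED_JWT";
  const leaked = refererFor(oauthStep, vulnerable);        // full URL, old browser default
  const modernDefault = refererFor(oauthStep, vulnerable, "strict-origin-when-cross-origin");
  const fixed = safeRedirectTarget(payload);               // stays on app.example
  return { vulnerable, landsOn, leaked, modernDefault, fixed };
}

console.log(demo());
```

The same-origin check is the actual fix: resolving originalUrl against the application origin turns "@attacker.example" into the harmless path /@attacker.example, and anything that resolves to another origin or carries userinfo is replaced by the fallback. A Referrer-Policy of strict-origin-when-cross-origin (or no-referrer) on the OAuth endpoint is defence in depth only; with the older no-referrer-when-downgrade default the whole URL, code included, reaches the attacker's host, as refererFor shows.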