How I Bypassed Open Redirection Tokens Using HTTP Parameter Pollution.

Greetings everyone,

While testing the very front page of Kraken.com ( Kraken is a US based prominent bitcoin exchange operating in Canada, the EU, Japan, and the US, and “the world’s largest bitcoin exchange in euro volume and liquidity”.) I found that , there were some External Sites Connected to Kraken.com. Below is the Image Which shows the External Sites.

So When I clicked on a site, it took me to another link that looked like…

https://www.kraken.com/redirect?url=http%3A%2F%2Fwww.cnbc.com%2F2014%2F11%2F26%2Fsearch-for-missing-mt-gox-bitcoins-gathers-pace.html

And After a while it was Redirected to that site.

Now you and every other hacker will think of Open Redirection. So do I. 
I changed the above URL to:

https://www.kraken.com/redirect?url=https://www.google.com

But the Response was:

It didn’t get Redirected. Hmm, But I didn’t giveup there.
I Noticed that the External site Was Redirected and when I changed the URL to Google it didn’t work.

My Reaction Was Like.

I was wondering that How is it possible that the External site was redirected and mine wasn’t. So I started Digging Deeper.

Then, I captured the page Using Burp suite, thinking that Maybe I could Get something interesting.

The results were:

After forwarding this request I got another request which had a Token.

GET /initjs?p=redirect&t=At382Krpl-nw HTTP/1.1

Notice the “t=At382Krpl-nw” after redirect.This thing took my Attention. I Got a clue that this could be the token for a site. Finally I understood that the site was using a token (For Protection).

I re-used the earlier link but this time I added a Token at the end of it.

https://www.kraken.com/redirect?url=http%3A%2F%2Fwww.cnbc.com%2F2014%2F11%2F26%2Fsearch-for-missing-mt-gox-bitcoins-gathers-pace.html&t=At382Krpl-nw

And Boom it got Redirected. I was happy for that. I thought Now it would also be redirected to any other site. So I changed the Above URL to:

https://www.kraken.com/redirect?url=https://google.com&t=At382Krpl-nw

But it Gave me an Error:

But this time the error was different than before.

So I captured the page again and added another token at the end of the link.

https://www.kraken.com/redirect?url=https://google.com&t=another-token

And Boom!! The site was Redirected.

But when I copied the above link and pasted it again in a new tab, it gave me the 404 error.

Then My Reaction was Like.

I said, “What the Heck”.

So I captured the page again to see that whats the Reason. Finally I got that the Token Gets Expired once its used.
Ohhh, so that was the reason.

Suddenly HPP (HTTP Parameter Pollution) came into my mind. If you Guys don’t know Much about HPP then Go and Goolge it Lolzz :p

After that I captured the Page twice and I didn’t let the tokens to be expired.
I Copied two tokens this time and added them to the URL.

So the URL Became.

https://www.kraken.com/redirect?url=https://google.com&t=first-token&t=second-token

Yahooo!

I was able to bypass the Protection. I redirected it again and again in different browsers to see the result. It was getting redirected each time.

Kindly see the POC to understand it better.

I have shared this Writeup just for Knowledge.

Special Thanks to AhsanKhan for Helping me Every time.

Best regards,

Anees Khan