Unvalidated Open Redirect at Bol.com

Jonathan Bouman
Jun 12, 2018 · 2 min read
Unvalidated Open Redirect, user action required

Are you aware of any (private) bug bounty programs? I would love to get an invite. Please get in touch with me: Jonathan@Protozoan.nl

Background
In my previous blog post we found a client-side stored XSS bug at Amazon.com.

Today we’re going to have a look at Unvalidated Redirect bugs.

If we find an open redirect we may use it to redirect users to our phishing website. People will see the legitimate website URL, think everything is fine, click the link and be redirected to our fake login page. OWASP classifies this as a serious issue.

Bol.com is one of the biggest e-commerce websites in The Netherlands, so I thought it would be a good idea to look around their website for this flaw.

Attack vector
After a few hours of digging I ended up with the following link:
https://banen.bol.com/quiz/?reference_url=https://s3-eu-west-1.amazonaws.com/pentesting-target/blog2-bol.com.html&reference_type=Login%20en%20solliciteer%20direct


The reference_url parameter is used as the link target of the button, and reference_type is used as the button text. If we change the parameters to a malicious URL and set the text to ‘login & apply for the job’, we have the perfect combination for a phishing page; see the header image for the result.

Bonus
Another open redirect was found on the affiliates subdomain; here no user action is required, the malicious URL redirects immediately to our phishing website.

https://partnerprogramma.bol.com/click/click?p=1&s=13759&t=p&pid=9200000056577975&f=PDL&name=s&url=https://s3-eu-west-1.amazonaws.com/pentesting-target/blog2-bol.com.html

Unvalidated Open Redirect, no user action required

Solution
A possible solution is to whitelist bol.com as the only domain allowed in redirects, or to introduce some sort of hashing system that checks whether the URL used was previously approved.
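Both approaches from the paragraph above, as an added example that is not Bol.com's code: an allowlist of bol.com hosts for the redirect target, and an HMAC-based approval of a specific URL. The host list, the signing key and the fallback URL are assumptions constructed for this demo.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Assumption: the hosts bol.com considers its own (constructed for this example).
ALLOWED_HOSTS = {"bol.com", "www.bol.com", "banen.bol.com", "partnerprogramma.bol.com"}
FALLBACK_URL = "https://www.bol.com/"  # assumed safe landing page


def is_allowed_redirect(url: str) -> bool:
    """Allowlist check for a user-supplied redirect target."""
    # Browsers parse backslashes and whitespace in the authority part differently
    # from urlsplit(); refuse such input rather than guess which parser wins.
    if "\\" in url or any(c.isspace() for c in url):
        return False
    parts = urlsplit(url)
    # Rejects protocol-relative "//host/..." and any non-HTTPS scheme.
    if parts.scheme != "https":
        return False
    host = parts.hostname  # lowercased, with any "user@" prefix stripped
    if not host:
        return False
    return host in ALLOWED_HOSTS or host.endswith(".bol.com")


def safe_redirect_target(url: str) -> str:
    """Return the requested URL if it passes the allowlist, else the fallback."""
    return url if is_allowed_redirect(url) else FALLBACK_URL


def sign_redirect(url: str, key: bytes) -> str:
    """Approve a URL server-side by issuing an HMAC-SHA256 tag over the exact string."""
    return hmac.new(key, url.encode("utf-8"), hashlib.sha256).hexdigest()


def verify_signed_redirect(url: str, signature: str, key: bytes) -> bool:
    """Accept the URL only if the tag was issued for exactly this string (constant-time)."""
    return hmac.compare_digest(sign_redirect(url, key), signature)


if __name__ == "__main__":
    # Constructed inputs: the external test page from the post and a legitimate bol.com URL.
    external = "https://s3-eu-west-1.amazonaws.com/pentesting-target/blog2-bol.com.html"
    good = "https://www.bol.com/nl/account/"
    print(safe_redirect_target(external), safe_redirect_target(good))
    key = b"constructed-demo-key"  # assumption: a server-side secret
    sig = sign_redirect(good, key)
    print(verify_signed_redirect(good, sig, key), verify_signed_redirect(external, sig, key))
```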

Timeline
09–06–2018 Found bugs, informed Bol.com
10–06–2018 Bugs confirmed by Bol.com
11–06–2018 Bugs fixed by Bol.com, rewarded 2x €50 gift cards
12–06–2018 Validated fix, blog published
