Open Redirect Scanner with Uber.com

Searching for dummies redirect :)

WTF is an open redirect scanner?

Unvalidated redirects and forwards are possible when a web application accepts untrusted input that could cause the web application to redirect the request to a URL contained within untrusted input. By modifying untrusted URL input to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials. Because the server name in the modified link is identical to the original site, phishing attempts may have a more trustworthy appearance. Unvalidated redirect and forward attacks can also be used to maliciously craft a URL that would pass the application’s access control check and then forward the attacker to privileged functions that they would normally not be able to access.

Reference: https://www.owasp.org/index.php/Open_redirect

The scanner:

During a research to uber i needed a tool who scan the trace of the requests for viewing the jumps to final url destination and see if a list of uber domains can force to redirect to other external site. With a few line of codes python was the best solution for this. Why is dangerous an open redirect? because an attacker can send an url and force to redirect the user to a malicious site, execute evil scripts or phishing sensitive data.

Here is an example video with the open redirect scanner tool:

The scanner find an open redirect of uber subdomains and show how is forced to load www.yahoo.com site:

The issue was reported but Uber decides not fixed beacuse not considered a risk for its users

How is works?

The scanner shows a 303 error code (see others) when the domain is vuln

The attacks:

For example this domain in uber is vuln to open redirect -> https://trip.uber.com/

we can send to a user this evil url with a payload -> https://trip.uber.com//yahoo.com/%2F.. and the user is redirected to the yahoo.com site .. we can ofuscate the url for cheat the user with any encode available

The code:

Here is the python code i write to follow the requests to a final destination and see if the open redirect works. Basically the scanner load a list of subdomains an add a payload to the final url seeing where he goes

Enjoy and Happy Hacking! :)

Regards,

Ak1T4