Story of bypassing Referer Header to make open redirect

Hi all,

Today I will write about bypassing the Referer header to make an open redirect.

I was testing a private program and I was working on one of this program's subdomains, let's say subdomain.domain.com.

I ran dirbuster to see if there was any interesting endpoint and I found some endpoints; let's call one of them /endpoint. After that I found that the subdomain can redirect us to the main domain through this endpoint: /endpoint/clkn/http/maindomain.com/

I tried to change the main domain to any other domain. It worked, but unfortunately there was Referer header protection to prevent this. I searched on Google but I did not find anything. After that I asked people on Slack, but nobody had an idea, so I said to myself, let's try harder.

I said to myself, let's try to put the Referer as the link that we will redirect to. I did this, and deleted the Referer header, and WOW! It worked without the Referer header.

Now let's try the URL. Unfortunately, if I changed anything in the link I got the message: We’re sorry, but the link you followed appears to be invalid.

After some tries I looked at this tweet: https://twitter.com/EdOverflow/status/931862992643411975

And I put in only one character, so it was like this: /endpoint/clkn/http/t-Ô-subdomain.domain.com/

And in the response I got a redirect to Location: http://t-?subdomain.domain.com/

Woho, we are in T host now!
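For defenders, the behaviour above comes down to validating the host as received while emitting something different in the Location header. The following is an added example, not code from this post or from the program tested: it models the '?' substitution as an ASCII-only encoder (an assumption) and shows a hardened check that rejects the same path. The allowlist, function names and route pattern are hypothetical.

```python
import re
from urllib.parse import urlsplit

# Assumption: exact hosts the redirector may target (placeholder names from the post).
ALLOWED_HOSTS = {"maindomain.com", "subdomain.domain.com"}
ROUTE = re.compile(r"/endpoint/clkn/(https?)/([^/]+)/?")
LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
HOSTNAME = re.compile(rf"{LABEL}(?:\.{LABEL})*")


def lossy_location(path):
    """Assumed model of the flaw: the host is copied into Location through an
    ASCII-only encoder, so an unmappable character is replaced by '?'."""
    m = ROUTE.fullmatch(path)
    if m is None:
        return None
    host = m.group(2).encode("ascii", "replace").decode("ascii")
    return f"{m.group(1)}://{host}/"


def safe_location(path):
    """Return a Location value only for an exact, allowlisted ASCII hostname."""
    m = ROUTE.fullmatch(path)
    if m is None:
        return None
    scheme, host = m.group(1), m.group(2)
    # Reject non-ASCII before lowercasing: some Unicode letters lowercase to ASCII.
    if not host.isascii():
        return None
    host = host.lower()
    if HOSTNAME.fullmatch(host) is None or host not in ALLOWED_HOSTS:
        return None
    location = f"{scheme}://{host}/"
    # Validate what is emitted, not what was received: re-parse the final value.
    if urlsplit(location).hostname != host:
        return None
    return location


if __name__ == "__main__":
    crafted = "/endpoint/clkn/http/t-Ô-subdomain.domain.com/"  # path from the post
    emitted = lossy_location(crafted)
    print(emitted, "-> browser host:", urlsplit(emitted).hostname)
    print("hardened:", safe_location(crafted))
    print("hardened:", safe_location("/endpoint/clkn/http/maindomain.com/"))
```

The substituted '?' starts the query string, so the host a browser follows is only the part before it, which is why the check has to run on the exact bytes that go into the header.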

Try harder... you will get what you want.

Thanks