Story of bypassing the Referer header to make an open redirect
Today I will write about bypassing the Referer header to make an open redirect.
I was testing a private program and working on one of this program's subdomains; let's say subdomain.domain.com.
I ran DirBuster to see if there were any interesting endpoints and I found some; let's say one of them was /endpoint. After that I found that the subdomain can redirect us to the main domain through this endpoint: /endpoint/clkn/http/maindomain.com/
I tried to change the main domain to any other domain and it worked, but unfortunately there was Referer header protection to prevent this. I searched on Google but did not find anything. After that I asked people on Slack, but no one had an idea, so I said to myself, let's try harder.
I said to myself, let's try to put the Referer as the link that we will redirect to. I did this and deleted the Referer header, and WOW! It worked without the Referer header.
Now let's try the URL. Unfortunately, if I changed anything in the link I got the message: We’re sorry, but the link you followed appears to be invalid.
After some tries I looked at this tweet: https://twitter.com/EdOverflow/status/931862992643411975
and I put in only one character, so it was like this: /endpoint/clkn/http/t-Ô-subdomain.domain.com/
and in the response I got a redirect to Location: http://t-?subdomain.domain.com/
Woohoo, we are in T Host now!
Try harder... you will get what you want.
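On the defensive side, the two gaps described above (a check that is skipped when the Referer header is absent, and a host that is altered by a non-ASCII character) can be closed by validating the destination itself. The following is an added example, not code from the original post or the affected program; the function name, the allowlist and the exact path parsing are assumptions based on the /endpoint/clkn/http/maindomain.com/ layout shown in the post.

```python
from urllib.parse import unquote

# Assumed allowlist: the post only names maindomain.com as the intended target.
ALLOWED_HOSTS = {"maindomain.com"}
ALLOWED_SCHEMES = {"http", "https"}
PREFIX = "/endpoint/clkn/"  # path layout taken from the post


def redirect_target(path, referer=None):
    """Return the URL to redirect to, or None if the request must be rejected.

    `referer` is accepted only to show that it plays no part in the decision:
    a client can omit or forge it, so the destination is checked on its own.
    """
    if not path.startswith(PREFIX):
        return None
    parts = path[len(PREFIX):].split("/", 2)
    if len(parts) < 2:
        return None
    scheme, raw_host = parts[0].lower(), unquote(parts[1])
    rest = parts[2] if len(parts) == 3 else ""
    if scheme not in ALLOWED_SCHEMES:
        return None
    # Reject non-ASCII hosts outright instead of letting a later layer
    # transliterate them (the post shows "Ô" coming back as "?").
    if not raw_host.isascii():
        return None
    # Exact match after normalisation: no suffix or substring comparison.
    host = raw_host.lower().rstrip(".")
    if host not in ALLOWED_HOSTS:
        return None
    return f"{scheme}://{host}/{rest}"
```

A request for a host outside the allowlist is rejected whether the Referer is present, forged or missing.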