How I Bypassed an Open Redirect Filter and Got a Reward from Yandex

Hello everyone ☺

I will share with you a bug of the “open redirect” class. This vulnerability is known to everyone, but what I want to show you is how I bypassed the open-redirect filter.

First of all, I think some researchers already know ways to get around such filters, but I don’t think all researchers know these methods, so I wanted to write it up and share it in case it helps someone.

There is an open redirect on https://money.yandex.ru/search?text= because the application does not validate the value the user passes in the “site” parameter.

Anyone testing for an open redirect would first try https://money.yandex.ru/search?text=evil.com, but that did not work. So what else can be done?

I also tested https://money.yandex.ru/search?text=https://evil.com/, but it only worked with this payload: ///www.x.com@evil.com, i.e. https://money.yandex.ru/search?text=///www.x.com@evil.com

After that, the page redirected to http://www.evil.com. I reported this to Yandex and received a reward of $100.
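Why a scheme-less payload like ///www.x.com@evil.com gets past a filter that blocks https://evil.com/ is easiest to see in code. The example below is added here and is not the author’s code or anything from Yandex: it pairs a hypothetical weak check that treats “no scheme, no netloc” as a local path with a strict allowlist check, and shows that Python’s urllib.parse reads ///www.x.com@evil.com as a bare path while a browser (WHATWG URL parsing) collapses the leading slashes and lands on evil.com with www.x.com as userinfo. Function names and the allowlist are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Constructed allowlist for the example; not taken from the page.
ALLOWED_HOSTS = {"money.yandex.ru"}

# Matches an explicit scheme prefix such as "https:", "javascript:", "data:".
_SCHEME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*:")


def urlparse_is_safe(target: str) -> bool:
    """Hypothetical weak check (the kind that lets the bypass through).

    It parses the target with urllib.parse and accepts anything that has
    neither a scheme nor a netloc, assuming that must be a site-local path.
    urlparse("///www.x.com@evil.com") yields netloc == "" and
    path == "/www.x.com@evil.com", so the payload is accepted even though a
    browser resolves it to host evil.com.
    """
    try:
        parsed = urlparse(target)
    except ValueError:
        return False
    if parsed.scheme or parsed.netloc:
        return parsed.hostname in ALLOWED_HOSTS
    return True  # "relative" path, trusted blindly


def strict_is_safe(target: str) -> bool:
    """Hardened check: accept only an absolute path on the current origin.

    Rather than trying to predict how every browser will normalise the value,
    it refuses every construct that can turn a "path" into a foreign host.
    """
    if not target or len(target) > 2048:
        return False
    # Browsers strip or tolerate control characters and whitespace; refuse them.
    if any(ord(c) < 0x21 or ord(c) == 0x7F for c in target):
        return False
    # Browsers treat '\' like '/' in http(s) URLs, so "/\evil.com" is a
    # network-path reference; refuse backslashes outright.
    if "\\" in target:
        return False
    # Anything with a scheme is not a local path.
    if _SCHEME_RE.match(target):
        return False
    # Userinfo syntax ("www.x.com@evil.com") is exactly what the payload uses.
    if "@" in target:
        return False
    # Must start with a single '/'; "//..." (and so "///...") is a
    # network-path reference that replaces the host.
    if not target.startswith("/") or target.startswith("//"):
        return False
    # Percent-encoded slashes/backslashes may be decoded again downstream.
    if re.search(r"%2[fF]|%5[cC]", target):
        return False
    return True


def safe_redirect_target(target: str, fallback: str = "/") -> str:
    """Return the target if it passes the strict check, else a safe fallback."""
    return target if strict_is_safe(target) else fallback


if __name__ == "__main__":
    # Constructed test values: the page's payload plus a few common variants.
    for t in ["/account", "https://evil.com/", "//evil.com",
              "///www.x.com@evil.com", "/\\evil.com"]:
        print(f"{t!r:28} weak={urlparse_is_safe(t)!s:5} strict={strict_is_safe(t)}")
```

The lesson for the server side is that a parser-based “is this a relative path?” decision is only as good as the parser’s agreement with the browser that will follow the redirect; an allowlist of what a local path may look like does not depend on that agreement.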

PoC video: here

I was also added to the hall of fame in 06/2020.

Thanks for reading my report :)

Bug Bounty Hunter