1st Bug Bounty Write-Up — Open Redirect Vulnerability on Login Page

One of the good things about the bug hunter community is knowledge sharing. Many great minds in hacking share their findings and discoveries all the time.

Reading all of those write-ups gives me ideas when I am hunting and sometimes results in bounty rewards. So, I decided to start writing about my own findings and share them with the community in the hope of inspiring fellow hackers.

Let’s start with the simple one, Open Redirect.

Note: when you are out there hunting for Open Redirect, check the program's policy first to make sure they accept this type of vulnerability. Most programs only accept an Open Redirect if it leads to something more serious, such as access token stealing.

This is a bug I discovered on a private program's web application, so let's call it redacted.com.

They use Vue.js for the front-end, which is a very popular choice for a web application in 2020.

The catch with using a JavaScript framework is that the source files are exposed to the public, so you need to be careful about what you process or compute on the front-end side, since anyone can read that logic.

I was investigating their login page and observed a GET parameter named **next** used to determine where to send the user after a successful login.

This is a common place to test for the so-called Open Redirect vulnerability.

I tried some common payloads I knew at the time and failed, so I decided to dig into their code and eventually found the validation function.

Here is the code of that function.

Let's focus on the validation of the next parameter, this line:

if (config.RedirectWhiteList.filter((e: string) => sanitized.origin.indexOf(e) === 0).length > 0) {

To put it simply, this line checks whether the origin of the URL in next matches a URL in the whitelist.

The problem is that this code uses .indexOf(...) === 0 for matching. In plain language, it checks whether the URL starts with an allowed origin, not whether it equals one.

This logic is flawed because of how subdomains work. Consider these payloads (suppose the allowed origin is redacted.com):

redacted.com — pass
redacted.com.attacker.com — also pass

The second payload is a URL pointing to attacker.com, not redacted.com: redacted.com.attacker.com is a subdomain of attacker.com, and its origin merely starts with the whitelisted value.

So, if the victim logs in with the next parameter set to the second payload, he/she will be redirected to attacker.com instead.

Therefore, this login page is vulnerable to Open Redirect attack.
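Here is the flawed prefix check beside an exact-origin comparison, as an added example that is not the program's code; SITE_ORIGIN, the allowlist entries and the sample inputs are assumed values.

```typescript
// Added example, not the program's code: the prefix check from the write-up
// beside a hardened version. SITE_ORIGIN and the allowlist are assumed values.
const SITE_ORIGIN = "https://redacted.com";
const ALLOWED_ORIGINS: string[] = [SITE_ORIGIN];

// Parse `next` relative to our own origin; unparsable input yields null.
function parseTarget(next: string): URL | null {
  try {
    return new URL(next, SITE_ORIGIN);
  } catch {
    return null;
  }
}

// Flawed check, modelled on the original filter line: a prefix match on the
// parsed origin, so any origin that merely *starts with* an allowed one passes.
function isAllowedPrefix(next: string): boolean {
  const sanitized = parseTarget(next);
  if (sanitized === null) return false;
  return ALLOWED_ORIGINS.filter((e: string) => sanitized.origin.indexOf(e) === 0).length > 0;
}

// Hardened check: require http(s) and compare the whole origin
// (scheme + host + port) for exact equality against the allowlist.
function isAllowedExact(next: string): boolean {
  const parsed = parseTarget(next);
  if (parsed === null) return false;
  if (parsed.protocol !== "https:" && parsed.protocol !== "http:") return false;
  return ALLOWED_ORIGINS.some((e: string) => e === parsed.origin);
}

// Where the app would consume `next`: fall back to a fixed path on rejection
// instead of redirecting to whatever the parameter said.
function redirectTarget(next: string | null): string {
  if (next !== null && isAllowedExact(next)) return new URL(next, SITE_ORIGIN).href;
  return SITE_ORIGIN + "/";
}

// Constructed inputs: the write-up's bypass plus a few common variants.
const samples: string[] = [
  "https://redacted.com/dashboard",     // legitimate
  "https://redacted.com.attacker.com/", // the write-up's second payload
  "//attacker.com/",                    // protocol-relative
  "/dashboard",                         // relative path, resolves to our origin
  "https://redacted.com@attacker.com/", // userinfo trick
];
for (const s of samples) {
  console.log(s + " prefix=" + isAllowedPrefix(s) + " exact=" + isAllowedExact(s));
}
```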

Timeline of Vulnerability Report
- Mar 6, 2020 Report sent and triage
- Mar 9, 2020 Bounty award ($250)
- Mar 26, 2020 Fix deployed

another hacker
