How I found an Open-Redirect Vulnerability in (one of the top online payment processing service websites)

This is my first write-up. I hate writing blogs, which is why I haven't published any of my findings yet. But now, on somebody's request and suggestion, I have started to publish and share my findings.

So let's get started :) I'll start with a brief introduction of myself and then move on to my findings. I am an Information Security Researcher / Bug Bounty Hunter. I have been working on HackerOne since 2014 and am now listed in the top 100 hackers on HackerOne; that's my HackerOne profile. I also develop e-commerce websites and have a lot of experience in the e-commerce industry.

I cannot disclose the website's name, so let's assume

I was integrating the 's payment gateway into an e-commerce website when suddenly the Bug Hunter Ghost woke up and started testing. Within 5 to 7 minutes of testing I found a vulnerability on which is an open redirect.

Open Redirect is basically not a high-impact vulnerability, but in my opinion, for a website like an Open Redirect can have a high-level impact, because is a payment processing service. If an attacker can redirect the user to a malicious website, the attacker can also host a phishing page to obtain the victim's account credentials or API keys.

What is Open-Redirect Vulnerability?

Open redirection occurs when a web application or server uses a user-submitted link to redirect the user to a given website or page. Even though it seems like a harmless action to let the user decide which page he wants to be redirected to, if exploited, such a technique can have a serious impact, especially when combined with other vulnerabilities and tricks.

How I found the Open Redirect on

When I was logging in to my account, I realized that there is a parameter named “service” in the URL, and that parameter's value is itself another URL, like this

I thought: what if I change the second URL?

Thinking for Naya Pakistan :D

I changed the second URL like this

I opened this URL, entered my account credentials and logged in to my account, and as expected I was redirected to the
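The fix for a redirect parameter like “service” is for the login handler to treat its value as untrusted and check it against an allow-list of hosts before redirecting. The following is an added example (my own illustration, not code from the affected site or from the original post); the host names in `ALLOWED_HOSTS` and the `safe_redirect_target` helper are constructed for the demonstration. It shows the two cases the definition above cares about: a same-origin or allow-listed destination is honoured, while an absolute, scheme-relative or odd-scheme URL pointing elsewhere falls back to a default page.

```python
from urllib.parse import urlsplit

# Constructed example: the only hosts this application may send users to.
ALLOWED_HOSTS = {"pay.example.com", "www.example.com"}


def is_safe_redirect(target: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Return True only if 'target' keeps the user on an allow-listed host.

    Accepted: an absolute path on this origin ("/account"), or an https URL
    whose parsed hostname is in allowed_hosts.
    Rejected: anything else, including scheme-relative "//host/..." forms,
    URLs with userinfo ("https://good@evil"), and non-https schemes.
    """
    if not target or any(c in target for c in "\r\n\\"):
        return False
    try:
        parts = urlsplit(target)
    except ValueError:
        # Malformed URL (e.g. bad IPv6 brackets): never redirect to it.
        return False

    if parts.netloc:
        # Absolute or scheme-relative URL: require https and an allow-listed host.
        # .hostname strips port and userinfo, so "good@evil" resolves to "evil".
        if parts.scheme != "https":
            return False
        return (parts.hostname or "") in allowed_hosts

    if parts.scheme:
        # Scheme but no host, e.g. "javascript:" or "mailto:" targets.
        return False

    # Relative URL: must be an absolute path on this origin, and not "//host".
    return target.startswith("/") and not target.startswith("//")


def safe_redirect_target(requested: str, default: str = "/") -> str:
    """Pick the Location value for a post-login redirect (constructed helper).

    Returns the requested target when it passes is_safe_redirect, otherwise
    the application's default landing page.
    """
    return requested if is_safe_redirect(requested) else default


if __name__ == "__main__":
    # Constructed sample values for the "service" parameter.
    for service in [
        "/account",
        "https://pay.example.com/checkout?order=42",
        "https://evil.example/phish",
        "//evil.example/phish",
        "https://pay.example.com@evil.example/",
    ]:
        print(f"{service!r:50} -> {safe_redirect_target(service)}")
```

In a real login handler the `service` value would come from the query string and `safe_redirect_target` would supply the `Location` header; logging the rejected values is also a cheap detection signal, since legitimate traffic should never carry an off-host `service` value.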

Celebration Time :)

Reported to!

The payment gateway integration is still in progress, but the vulnerability has been reported :D ahahahahah !