How I find Open-Redirect Vulnerability in redacted.com (One of the top online payment processing service website)

This is my first write-up, I hate writing blogs that’s why I didn’t publish any of my findings yet. But now on somebody request and suggestion I started to publish and share my findings.

So let get started :) I start with the brief introduction of myself then I’ll move forward to my findings, I am an Information Security Researcher / Bug Bounty Hunter. Working on HackerOne since 2014 and Now I’m listed on the top 100 Hackers of HackerOne, That’s my HackerOne profile https://hackerone.com/protector47, I also develop e-commerce websites and have great experience in the e-commerce industry.

I cannot disclose the website named so let’s assume https://site.com.

I was integrating the site.com’s payment gateway in an e-commerce website, then suddenly Bug Hunter Ghost wake up and start testing site.com, within 5 to 7 mins testing I found a vulnerability on site.com which is an Open redirect.

Open-Redirect is basically is not a high impact vulnerability but I my opinion for a website like https://site.com Open-Redirect can high-level impact Because https://site.com is a payment processing service. If an attacker can redirect the user to any malicious website then an attacker can also maintain a phishing website for the victim to get the credentials of https://site.com account or their API Keys.

What is Open-Redirect Vulnerability?

Open Redirection is when a web application or server uses a user-submitted link to redirect the user to a given website or page. Even though it seems like a harmless action, to let a user decide on which page he wants to be redirected to if exploited such a technique can have a serious impact, especially when combined with other vulnerabilities and tricks.

How I find Open-Redirect on https://site.com?

When I was logging in my https://site.com account then I realize that there is a parameter named as “service” in the URL and parameter has a value which is also another URL, like this https://www.site.com/login?service=https%3A%2F%2Fwww.site.com%2Fva

I thought that what if i will change the 2nd URL ?

Thinking for Naya Pakistan :D

I changed the second URL like this https://www.site.com/login?service=https%3A%2F%2Fwww.google.com%2Fva

I execute this URL and enter my account credentials and login my account, and as expected I redirect to the https://google.com

Celebration Time :)

Reported to https://site.com!

Payment Gateway Integration is still in process but vulnerability reported :D ahahahahah !