How I Found an Open-Redirect Vulnerability in redacted.com (One of the Top Online Payment Processing Service Websites)

protector47
Sep 9, 2018 · 3 min read

This is my first write-up. I hate writing blogs; that’s why I haven’t published any of my findings yet. But now, on somebody’s request and suggestion, I have started to publish and share my findings.

So let’s get started :) I’ll start with a brief introduction of myself, then I’ll move on to my findings. I am an Information Security Researcher / Bug Bounty Hunter. I have been working on HackerOne since 2014 and am now listed in the top 100 hackers of HackerOne. This is my HackerOne profile: https://hackerone.com/protector47. I also develop e-commerce websites and have great experience in the e-commerce industry.

I cannot disclose the website’s name, so let’s assume it is https://site.com.

I was integrating site.com’s payment gateway into an e-commerce website when suddenly the Bug Hunter Ghost woke up and started testing site.com. Within 5 to 7 minutes of testing I found a vulnerability on site.com, which is an open redirect.

Open redirect is basically not a high-impact vulnerability, but in my opinion, for a website like https://site.com an open redirect can have a high-level impact because https://site.com is a payment processing service. If an attacker can redirect the user to any malicious website, then the attacker can also maintain a phishing website for the victim to get the credentials of their https://site.com account or their API keys.

What is Open-Redirect Vulnerability?

Open redirection is when a web application or server uses a user-submitted link to redirect the user to a given website or page. Even though letting a user decide which page they are redirected to seems like a harmless action, if exploited such a technique can have a serious impact, especially when combined with other vulnerabilities and tricks.

How did I find the Open-Redirect on https://site.com?

When I was logging in to my https://site.com account, I realized that there is a parameter named “service” in the URL, and the parameter has a value which is itself another URL, like this: https://www.site.com/login?service=https%3A%2F%2Fwww.site.com%2Fva

I thought: what if I change the second URL?

Thinking for Naya Pakistan :D

I changed the second URL like this: https://www.site.com/login?service=https%3A%2F%2Fwww.google.com%2Fva

I executed this URL, entered my account credentials and logged in to my account, and as expected I was redirected to https://google.com

Celebration Time :)

Reported to https://site.com!

Payment gateway integration is still in progress, but the vulnerability is reported :D ahahahahah!
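
A server-side check that would stop the redirect described above, shown as an added example that is not part of the original write-up or the site's own code: the `service` value is followed only when it parses as an https URL whose host exactly matches an allowlist. The allowlist contents, the default target and the function names are assumptions.

```javascript
// Added example. ALLOWED_HOSTS and DEFAULT_TARGET are assumed policy values.
const ALLOWED_HOSTS = new Set(["www.site.com"]);
const DEFAULT_TARGET = "https://www.site.com/";

// Returns the URL to send the user to after login: the requested `service`
// value if it passes every check, otherwise the fixed default.
function safeServiceTarget(rawService) {
  if (typeof rawService !== "string" || rawService === "") {
    return DEFAULT_TARGET;
  }
  let target;
  try {
    // Parsed without a base URL, so relative and scheme-relative values
    // (for example "//www.google.com") throw and fall back to the default.
    target = new URL(rawService);
  } catch {
    return DEFAULT_TARGET;
  }
  // Only https; this also rejects schemes such as javascript: or data:.
  if (target.protocol !== "https:") return DEFAULT_TARGET;
  // Reject userinfo, which can make a URL look like it points elsewhere.
  if (target.username !== "" || target.password !== "") return DEFAULT_TARGET;
  // Exact match on the parsed host (includes any non-default port).
  // Substring or prefix checks on the raw string are not equivalent.
  if (!ALLOWED_HOSTS.has(target.host)) return DEFAULT_TARGET;
  // Return the parser's normalized form, not the raw input.
  return target.href;
}

// Extracts `service` from a login URL shaped like the ones in the write-up.
function redirectAfterLogin(loginUrl) {
  const service = new URL(loginUrl).searchParams.get("service");
  return safeServiceTarget(service);
}
```

With this check, the first URL from the write-up still lands on `https://www.site.com/va`, while the modified one falls back to the default page instead of leaving the site.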
