Nikhil Thakur
2 min read · Mar 22, 2024

DOM-Based Malicious Redirection *CVE-2024-28287*

Instinct Web UI v.6.5.0 — DOM-Based Malicious Redirection

Discovered by: Nikhil Thakur

######################################################################################
# Title: Instinct Web UI v.6.5.0 - DOM-Based Malicious Redirection
# Author: Mr. Nikhil Thakur
# Vendor Homepage: https://www.gbgplc.com/en/products/fraud-risk-management-platform/
# Version: 6.5.0
# Tested on: Latest version of Chrome, Firefox on Windows and Linux.
# CVE: CVE-2024-28287
######################################################################################

— — — — — — — — — — — — — DOM Based Redirection — — — — — — — — — — — —

DOM-based open redirection arises when client-side script writes attacker-controllable data (here, a query-string parameter) into the target of a redirection, such as `window.location`, without validating it. An attacker can then construct a URL on the legitimate application that, when visited by another user, redirects the browser to an arbitrary external domain.

This behaviour is most often leveraged for phishing. Because the link the victim clicks is an authentic application URL, on the correct domain and served with a valid TLS certificate, it carries the application's credibility; many users who check those features will not notice the subsequent redirection to a different domain. Since the redirect is performed by script in the page, the malicious value never has to reach the server, so server-side logging and filtering will not see it.

If the attacker controls the start of the string passed to the redirection API, the issue can escalate from a redirect into JavaScript injection: a value using the `javascript:` pseudo-protocol is executed as script in the application's origin when the browser processes the assignment.

— — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — —

Reproduction Steps:

  • Step 1: Log in to Instinct Web UI Client v.6.5.0 at https://instinct.localhost.com/Instinct.UI.WebClient_v6.5.0/
  • Step 2: Route the browser traffic through a proxy tool such as Burp Suite so the requests can be observed.
  • Step 3: Click Logout and intercept the logout request: https://instinct.localhost.com/Instinct.UI.WebClient_v6.5.0/Vendors/instinct-webportal-client/assets/logout.html?returnUrl=https://Instinct.localhost.com/Instinct.UI.WebClient_v6.5.0
  • Step 4: As tested, the returnUrl parameter is vulnerable to DOM-based malicious redirection; replace its value with an attacker-controlled URL.
  • Step 5: Crafted URL: https://instinct.localhost.com/Instinct.UI.WebClient_v6.5.0/Vendors/instinct-webportal-client/assets/logout.html?returnUrl=https://attacker.com
  • Step 6: The browser redirects to the attacker-controlled site given in returnUrl=https://attacker.com. Because the redirect is handled by client-side script, the proxy is only needed to observe the request; the crafted URL can be sent to a victim directly.

HTTP REQUEST & HTTP RESPONSE

**Many thanks to the GBG plc team for mitigating this vulnerability :)**