How I got $200 with an out-of-the-box open redirect vulnerability
Hello, you great hunters :) :)
Today I am going to share with you an interesting open redirect vulnerability that I found in a very special way and place, so follow along with me.
Note: when you are hunting for open redirects, check the program's policy first to confirm that they accept this type of vuln and under which conditions they do.
So what is an open redirect vulnerability?
An open redirect is when a web application or server uses an unvalidated user-submitted link to redirect the user to a given website or page. Even though it seems like a harmless action to let a user decide which page he wants to be redirected to, such a technique, if exploited, can have a serious impact on the application's security, especially when combined with other vulnerabilities and tricks.
How and where did I find it?
Let's call the website
This website has a feature to create a company account and then lets you invite employees to it by email.
The first thing to note is that creating a company account creates a dedicated subdomain with that name, like so:
The second thing is that when you invite someone as an employee, the company name is passed as a parameter, which then gets converted into an invitation link
*company-name*.example.com/?token=..... in a button.
So I sent an invite to my own email, intercepted this API request and started playing with it.
First I tried some HTML injection, like adding buttons, in order to get them rendered in the email. Unfortunately this didn't work because of some further filtering.
Some minutes later I got another idea, which consisted of adding a
? character to break the link and redirect to another website, like so:
evil.com? so this gets converted to
And as you already guessed, this did work 😎 😎 😎 and I got a $200 bounty + some very cool swag.
Exploiting such a thing would give me the ability to send phishing emails to anyone, and since the email is sent from the website itself, it's the most convincing way to trick the victim.
So from now on, whenever you find such parameters that are related to subdomain names, just try to escape it with a
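To make the root cause concrete from the defender's side, here is an added example (my own code, not the target's or the author's) that reconstructs the bug as a hypothetical string-concatenation link builder, shows where a browser would actually land when the company name contains a `?`, and puts a hardened builder next to it. The base domain `example.com`, the function names and the token value are assumptions; the fix is to validate the company name as a single DNS label before it ever reaches the URL and then to confirm the built link still points at the expected host.

```python
import re
from urllib.parse import urlsplit, urlunsplit, urlencode

# Placeholder for the target's real base domain (assumption, not from the write-up).
BASE_DOMAIN = "example.com"

# One DNS label: lowercase letters, digits and hyphens, 1-63 chars, no leading/trailing hyphen.
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def naive_invite_link(company: str, token: str) -> str:
    """Hypothetical reconstruction of the vulnerable pattern: the company name is
    dropped straight into the host part of the invitation URL."""
    return f"https://{company}.{BASE_DOMAIN}/?token={token}"


def link_host(url: str) -> str:
    """Return the host a browser would connect to, i.e. the authority after parsing.
    Everything after the first '?' in the authority becomes the query string, so
    'https://evil.com?.example.com/...' resolves to the host 'evil.com'."""
    return urlsplit(url).hostname or ""


def safe_invite_link(company: str, token: str) -> str:
    """Hardened builder: reject anything that is not a plain subdomain label, build the
    URL with a proper URL library, and verify the resulting host before returning it."""
    label = company.strip().lower()
    if not LABEL_RE.fullmatch(label):
        raise ValueError(f"invalid company label: {company!r}")
    url = urlunsplit(("https", f"{label}.{BASE_DOMAIN}", "/", urlencode({"token": token}), ""))
    expected_host = f"{label}.{BASE_DOMAIN}"
    # Defence in depth: the parsed host must equal the host we intended to build.
    if link_host(url) != expected_host:
        raise ValueError("constructed link does not point at the expected host")
    return url


if __name__ == "__main__":
    # Constructed sample inputs, not real data from the report.
    for name in ("acme", "evil.com?"):
        naive = naive_invite_link(name, "t0k")
        print(f"{name!r:12} naive -> {naive}  (browser host: {link_host(naive)})")
        try:
            print(f"{name!r:12} safe  -> {safe_invite_link(name, 't0k')}")
        except ValueError as exc:
            print(f"{name!r:12} safe  -> rejected: {exc}")
```

Running it prints the naive link for `evil.com?` with a browser host of `evil.com`, which is exactly the redirect the write-up describes, while the hardened builder rejects that input and only emits links whose host is the intended `<label>.example.com`. The host check after construction matters because it catches any future encoding or library change that would let a separator through the validation step.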