How I got $200 with an out-of-the-box open redirect vulnerability

Hello, great hunters :) :)

Today I am going to share an interesting open redirect vulnerability that I found in a rather unusual place and in an unusual way, so follow along.

Note: when you are hunting for open redirects, check the program's policy first to see whether they accept this class of vulnerability at all, and under which conditions.

An open redirect occurs when a web application or server uses an unvalidated, user-supplied link to redirect the user to a given website or page. Even though letting a user decide which page to be redirected to seems harmless, the technique can have a serious impact on application security when exploited, especially when combined with other vulnerabilities and tricks.

Let's call the website www.example.com.

This website has a feature to create a company account, which then gives you the ability to invite employees to it by email.

The first thing to note is that creating a company account also creates a dedicated subdomain with that name, like so:

*company-name*.example.com

The second thing is that when you invite someone as an employee, the company name is passed as a request parameter, which is then turned into an invitation link of the form *company-name*.example.com/?token=..... behind a button in the email.

So I sent an invite to my own email address, intercepted this API request and started playing with it.

First I tried some HTML injection (adding buttons and so on) in the hope that it would get rendered in the email. Unfortunately that didn't work, because of some further filtering.

A few minutes later I had another idea: add a ? character to break the link and redirect to another website, like so:

evil.com? as the company name, so the link becomes evil.com?.example.com/?token=.... Since a ? terminates the host part of a URL, the browser connects to evil.com and treats .example.com/?token=.... as the query string.

And, as you have already guessed, this worked 😎 😎 😎 and got me a $200 bounty plus some very cool swag.

Exploiting this would give me the ability to send phishing emails to anyone, and since the email is sent by the website itself, it is about the most convincing way to trick a victim.

So from now on, whenever you find parameters that end up in a subdomain name, try to escape them with a ? character.
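To make the mechanism concrete, here is an added example (my own illustration, not the target's code, which is not public) of how such an invitation link builder goes wrong and how to fix it. It assumes the link has the shape https://<company>.example.com/?token=<token> and that the company name comes straight from the request. It also goes slightly beyond the post's ? trick: any of the characters that end the authority part of a URL (?, / and #) breaks out of the subdomain in the same way, so the allowlist has to reject all of them, not just ?.

```python
"""Open redirect via subdomain injection: vulnerable builder vs. allowlisted builder.

Hypothetical code written for this post; BASE_DOMAIN and the link format are
assumptions standing in for the real target.
"""
import re
from urllib.parse import urlsplit

BASE_DOMAIN = "example.com"  # assumed base domain of the target


def build_invite_link_vulnerable(company: str, token: str) -> str:
    """Plain string concatenation: whatever is in `company` lands in the URL.

    If `company` contains '?', '/' or '#', the text before that character becomes
    the host and the rest (including our token) becomes query/path/fragment.
    """
    return f"https://{company}.{BASE_DOMAIN}/?token={token}"


# One DNS label: letters, digits and hyphens, 1-63 chars, no leading/trailing hyphen.
_LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def build_invite_link_safe(company: str, token: str) -> str:
    """Allowlist the company name as a single DNS label before it touches the URL."""
    if not _LABEL_RE.fullmatch(company):
        raise ValueError(f"invalid company name: {company!r}")
    link = f"https://{company}.{BASE_DOMAIN}/?token={token}"
    # Belt and braces: re-parse the finished link and confirm the host is ours.
    host = urlsplit(link).hostname or ""
    if host != f"{company}.{BASE_DOMAIN}".lower():
        raise ValueError("host escaped the expected domain")
    return link


def effective_target(link: str) -> str:
    """Host a browser would actually connect to for this link (per RFC 3986 parsing)."""
    return urlsplit(link).hostname or ""


def safe_rejects(company: str) -> bool:
    """True if the hardened builder refuses this company name."""
    try:
        build_invite_link_safe(company, "t")
    except ValueError:
        return True
    return False


def demo() -> dict:
    """Where each (constructed) company name sends the victim with the naive builder."""
    token = "3f9a1c"  # constructed sample token
    probes = ["acme", "evil.com?", "evil.com/", "evil.com#"]
    return {c: effective_target(build_invite_link_vulnerable(c, token)) for c in probes}


if __name__ == "__main__":
    for company, host in demo().items():
        print(f"{company!r:14} -> browser goes to {host}  (hardened rejects: {safe_rejects(company)})")
```

Running it shows that only "acme" stays on acme.example.com; the three injected names all send the browser to evil.com, with the invitation token tagging along as query string, path or fragment. The strict label regex is the actual fix; re-parsing the finished URL with urlsplit is a cheap second check that catches any future change to the link format.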
