Hi, my name is z0id. I am a security consultant on HackerOne and Bugcrowd, and I would like to share with you an interesting way I found to discover open redirects with automation in Python.
Story
I woke up one morning and decided to find a creative way to look for unvalidated open redirects automatically, so I came up with a very good technique.
First let me explain my manual way of finding open redirects, and we will go from there.
I start off by picking a target and doing my recon phase on it to find all subdomains. I try not to focus on recon too much because I don't really like it. Once I've collected all the subdomains, I add them to Burp as in-scope items and start spidering away, mapping out the whole site.
I then look only for 302 status codes in the response. When I see that Location: /
is getting reflected in the response header,
I start spraying some payloads with Intruder.
Once I get a hit, I take a screenshot for proof, make a video of my findings and report it with a nicely detailed Proof of Concept (PoC).
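The manual steps above find redirect endpoints whose check on the Location value is too loose. As an added example that is not the author's tool, here is a Python validator showing the weak "starts with /" check beside a hardened one, run over a constructed probe set (the host names are hypothetical).

```python
from urllib.parse import urlsplit

def naive_is_safe(target: str) -> bool:
    """The weak check this kind of 302 hunting finds: a leading "/" is assumed
    to mean "same site", so protocol-relative values like //host slip through."""
    return target.startswith("/")

def hardened_is_safe(target: str) -> bool:
    """Accept only site-absolute paths that cannot change the destination host."""
    if not target:
        return False
    # Reject ASCII control characters and whitespace: browsers strip some of
    # them before parsing (e.g. "\thttps://"), and they enable header injection.
    if any(ord(c) <= 0x20 or ord(c) == 0x7F for c in target):
        return False
    # Browsers treat "\" like "/" in http(s) URLs, so normalise before checking.
    normalised = target.replace("\\", "/")
    # Exactly one leading slash: "//host" and "///host" both parse as an
    # authority and send the user to another origin.
    if not normalised.startswith("/") or normalised.startswith("//"):
        return False
    parts = urlsplit(normalised)
    return not parts.scheme and not parts.netloc  # belt-and-braces

def redirect_target(requested: str, fallback: str = "/") -> str:
    """Location value to emit: the requested path if safe, else the fallback."""
    return requested if hardened_is_safe(requested) else fallback

# Constructed probe set (hypothetical host names): value, expected verdict.
PROBES = [
    ("/account/settings", True),
    ("/search?q=a%20b", True),
    ("//evil.example/", False),          # protocol-relative URL
    ("/\\evil.example", False),          # backslash is "/" to browsers
    ("///evil.example", False),          # extra slashes still form an authority
    ("https://evil.example/", False),    # absolute URL
    ("\thttps://evil.example/", False),  # leading tab is stripped by browsers
    ("javascript:void(0)", False),       # non-http scheme
    ("evil.example", False),             # relative path, ambiguous
]

def misclassified(check) -> list:
    """Probes on which a checker disagrees with the expected verdict."""
    return [value for value, expected in PROBES if check(value) != expected]

if __name__ == "__main__":
    print("naive misses   :", misclassified(naive_is_safe))
    print("hardened misses:", misclassified(hardened_is_safe))
```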
How To Automate This
I found a way to automate this with exceptional results.
I started off searching for ways to scrape Bugcrowd and HackerOne until I came across:
I downloaded this and played around with some subdomain scanning with assetfinder.
I used the following bash alias to scan for subdomains across all of Bugcrowd's and HackerOne's programs.
Run it like:
afinderlist wildcards.txt
Then, once the subdomain scan was finished, I ran the tool I have been developing against all the subdomains and fuzzed the path for open redirects.
Results:
Success Story:
I used this technique and found an open redirect on VendHQ. It was a funny story: I reported it and they said it was out of scope, so they marked it as N/A. I was annoyed but moved on...... 3 days later....
They re-opened and they said:
So, they accepted it and I was pretty much like:
They triaged and approved it, and I got some points. Unfortunately it was not a paid program, but that does not matter. This pretty much made my day, so I decided to ask if I could disclose it, and they allowed it.
I hope my technique helps and that you enjoyed this post. Try out my technique, give it a shot and experiment.
Takeaway
I would like to end this post by saying that if you find an open redirect in a parameter, you might sometimes be lucky enough to chain it with Server-Side Request Forgery (SSRF) for more impact, so it's good practice to test for that if you come across an open redirect.
I hope you enjoyed my post. Have a nice day and happy bug hunting :)