[Open redirect] Developers are lazy (or maybe busy)

KatsuragiCSL
Dec 12, 2018 · 3 min read

This time I am going to write up an open redirect bug I found in a private program. The bug itself was low-hanging fruit, but the process of reporting it was funny enough.

First, let’s talk about the bug itself. 🙂

Let’s call the domain example.com. I got myself started by registering an account and poking around. Then I found a URL:

https://www.example.com/account/login?next=https%3A%2F%2Fwww.example.com

“Time to test for open redirect,” I told myself.

First I tried the most straightforward payload: https://www.example.com/account/login?next=https%3A%2F%2Fgoogle.com. It didn’t work. Then I tried next=https://example.com@google.com, //google.com, javascript:alert(1) (turning an open redirect into XSS), etc., but none of these worked. Then HPP (HTTP parameter pollution) came to my mind:

https://www.example.com/account/login?next=https%3A%2F%2Fwww.example.com&next=https%3A%2F%2Fgoogle.com

I didn’t expect anything; I just gave it a try to see what would happen. Then my URL bar became

https://example.com%2Cwww.google.com

and my browser threw an error message at me.

That was the moment I knew I could exploit it. The value of the second next parameter was not filtered the way the first one was. %2C is just a comma, so example.com was handling this request by joining the two next values with a comma without filtering the second one.

So what if I do it this way?

https://www.example.com/account/login?next=https%3A%2F%2Fwww.example.com&next=@google.com

Note that there is a “@” in the second parameter now. example.com ends up redirecting me to https://example.com,@google.com, which in fact goes to google.com: the browser treats everything before the “@” as userinfo, so the host is google.com. A successful open redirect for me to report. (I tried to dig deeper and leverage it into a more severe bug, but I failed 😦 )

On the second day, I was told that it was a duplicate and that the bug had been fixed. 😦 But a thought came to mind: why not check whether they have TOTALLY fixed it? Maybe they made some other mistake while fixing it!

So I went to check. I tried lots of payloads on the login URL as above, but I could not exploit it anymore. I started to convince myself that they had fixed it well and that there were no more open redirect bugs for me.

Wait, “no more open redirect bugs”? I can check other endpoints for open redirect bugs!

So, instead of the login page (which was fixed), I tried the signup page:

https://www.example.com/account/signup?next=https%3A%2F%2Fwww.example.com&next=@google.com

and I succeeded!

So the conclusion is that their developers forgot the signup page when they were fixing the login page.

Then I got the bounty. Developers are lazy, or maybe just busy.

Bounty rewarded: $150

*Remarks: The bug bounty hunter who found the login page bug before me forgot to check for the same bug on the signup page too. LOLLL. Hunters are lazy too!

KatsuragiCSL

Written by

A security enthusiast. @ZuuitterE

InfoSec Write-ups

A collection of write-ups from the best hackers in the world on topics ranging from bug bounties and CTFs to vulnhub machines, hardware challenges and real life encounters. In a nutshell, we are the largest InfoSec publication on Medium. Maintained by Hackrew