Transforming a Domain into the Matrix (an open redirect story)

Ak1T4
Nov 17, 2017 · 3 min read

Hey, what’s up community? Hope you are good. Today I share a very strange and uncommon behaviour that I found a year ago when I started with bounties. We keep the program private, so from now on we call it [redacted.com].

So I found this normal endpoint which is:

  • https://[redacted.com]/login?return_to=[url]

Interesting, huh? So I decided to try some Open Redirect payloads:

return_to=http://evil.com -> rejected

return_to=http://[redacted.com].evil.com -> rejected

return_to=//google.com -> rejected

return_to=//redacted.com@evil.com -> rejected

return_to=//google.com/redacted.com -> rejected

… well, the list of payloads is quite large.. but all attempts failed :(

And my feelings are:

The truth sometimes hurts :(

But.. during these actions I noticed a strange behaviour.. (here is where the Twilight Zone music comes in.. )

So the inspiration came down from heaven with this message directly to me:

I tried the next weird thing:

If I put any string on /login?return_to=anythinghere (when the user is logged in), the domain becomes https://redacted.comanythinghere (the parameter value is glued directly onto the host, with no slash in between).

(shit happens)

Well well well, what’s going on here? So a little trick came to my mind and I asked myself: what happens if I do the next request?

https://[redacted.com]/login?return_to=pany

When the user is logged in, they are redirected directly to https://[redacted.company]

So I looked to see if this domain was available.. and to my surprise:

YES! AVAILABLE!

At this moment I feel like:

  • This same trick can be used in a lot of scenarios where we handle whitelisted URLs or domains over CORS, OAuth, etc.
  • I hope you enjoy reading this as much as I enjoyed writing this post :)
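To make the root cause concrete, here is an added example (mine, not from the original post or the program) that reproduces the concatenation bug described above next to a parse-and-validate version. The host redacted.com and the allow-list are placeholders standing in for the redacted program.

```python
from urllib.parse import urlsplit, urlunsplit

# Placeholder for the redacted program's origin (assumption, not the real host).
BASE_SCHEME = "https"
BASE_HOST = "redacted.com"
ALLOWED_HOSTS = {BASE_HOST}


def vulnerable_redirect(return_to: str) -> str:
    """The behaviour the post describes: origin + raw parameter, glued together.
    return_to='pany' therefore yields 'https://redacted.company'."""
    return f"{BASE_SCHEME}://{BASE_HOST}" + return_to


def safe_redirect(return_to: str, default: str = "/") -> str:
    """Parse the parameter, validate its parts, then rebuild the URL.

    Accepted: a path-relative target ('/account?tab=1') or an absolute https
    URL whose hostname is exactly allow-listed. Everything else falls back to
    `default` on the trusted origin.
    """
    parts = urlsplit(return_to)
    fallback = urlunsplit((BASE_SCHEME, BASE_HOST, default, "", ""))

    if parts.scheme or parts.netloc:
        # Absolute or protocol-relative URL: exact hostname match only.
        # `hostname` strips userinfo, so 'https://redacted.com@evil.com'
        # resolves to evil.com and fails; 'redacted.com.evil.com' is not
        # in the set either, so suffix tricks fail as well.
        if parts.scheme != BASE_SCHEME or parts.hostname not in ALLOWED_HOSTS:
            return fallback
        host = parts.hostname
    else:
        host = BASE_HOST

    path = parts.path or "/"
    # Must be an absolute path. '//' and '/\' are protocol-relative in browsers
    # (backslash is normalised to slash), and 'pany' has no leading slash.
    if not path.startswith("/") or path[1:2] in ("/", "\\"):
        return fallback

    # Fragment dropped, query kept. No string concatenation anywhere.
    return urlunsplit((BASE_SCHEME, host, path, parts.query, ""))
```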

Nice resources about Open Redirect are:

And remember: relax and some things just come to you: it’s inevitable

HAPPY HACKING!


Ak1T4

Written by

WhiteHat Hacker Zen Monk & Bounty Hunter

InfoSec Write-ups

A collection of write-ups from the best hackers in the world on topics ranging from bug bounties and CTFs to vulnhub machines, hardware challenges and real life encounters. In a nutshell, we are the largest InfoSec publication on Medium. Maintained by Hackrew
