Transforming a Domain into the Matrix (an open redirect story)

Hey, what’s up community? I hope you are doing well. Today I share a very strange and uncommon behavior that I found a year ago when I started with bounties. The program stays private, so from now on we will call it [redacted.com].

So I found this normal endpoint which is:

  • https://[redacted.com]/login?return_to=[url]

Interesting, huh? So I decided to try some open redirect payloads:

return_to=http://evil.com -> rejected
return_to=http://[redacted.com].evil.com -> rejected
return_to=//google.com -> rejected
return_to=//redacted.com@evil.com -> rejected
return_to=//google.com/redacted.com -> rejected

… well, the list of payloads is quite large, but every attempt failed :(

And my feelings were:

The truth sometimes hurts :(

But during these tests I noticed a strange behaviour (cue the Twilight Zone music...)

Then inspiration came down from heaven with this message for me:

I tried the next weird thing:

If I put any string in /login?return_to=anythinghere (while the user is logged in), the redirect target becomes https://redacted.comanythinghere: the parameter value is glued straight onto the domain.

(shit happens)

Well well well, what’s going on here? A little trick came to my mind and I asked myself: what happens if I make the next request?

https://[redacted.com]/login?return_to=pany

When the user is logged in, they are redirected directly to https://[redacted.company]

So I checked whether this domain was available, and to my surprise:

YES! AVAILABLE!

At this moment I felt like:

  • The same trick applies in many scenarios where a whitelisted URL or domain is handled by string matching or concatenation, for example in CORS origin checks or OAuth redirect_uri validation: a prefix match on the trusted host is not the same as a match on the whole host.
  • I hope you enjoy reading this as much as I enjoyed writing it :)
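To make the bug concrete, here is an added example (not the program’s code, which was never visible) that reproduces the concatenation behaviour described above next to a hardened version of the same redirect builder. The hostname redacted.com and the function names are placeholders assumed for the illustration.

```python
from urllib.parse import urlsplit, urlunsplit

# Placeholder for the post's [redacted.com].
BASE_HOST = "redacted.com"


def vulnerable_redirect(return_to: str) -> str:
    """Reproduces the behaviour seen in the post: the parameter is glued onto
    the hostname, so return_to=pany yields https://redacted.company, a host the
    application does not own."""
    return "https://" + BASE_HOST + return_to


def safe_redirect(return_to: str) -> str:
    """Accept only a local path and rebuild the absolute URL from validated
    components. Anything with a scheme or authority (http://evil.com,
    //google.com, //redacted.com@evil.com) and anything that does not start
    with a single '/' (such as 'pany') falls back to the site root."""
    parts = urlsplit(return_to)
    if (
        parts.scheme                      # http://evil.com, javascript:...
        or parts.netloc                   # //google.com, //host@evil.com
        or not parts.path.startswith("/") # 'pany', 'anythinghere'
        or parts.path.startswith("//")    # ////google.com after urlsplit
        or "\\" in return_to              # browsers treat '\' as '/'
    ):
        return "https://" + BASE_HOST + "/"
    # Rebuilding from components (never echoing the raw input) means even an
    # odd-looking path such as '///google.com' lands on BASE_HOST.
    return urlunsplit(("https", BASE_HOST, parts.path, parts.query, ""))


def redirect_host(url: str) -> str:
    """Host a browser would actually be sent to; useful for a quick check that
    a redirect never leaves BASE_HOST."""
    return urlsplit(url).hostname or ""
```

The check `redirect_host(safe_redirect(x)) == BASE_HOST` should hold for every input, while `redirect_host(vulnerable_redirect("pany"))` already reports a foreign host.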

Nice resources about Open Redirect are:

And remember: relax, and some things will just come to you: it’s inevitable.

HAPPY HACKING!