Open in app

Sign in

Write

Sign in

From POST to GET Open redirect

Sourav Sahana
Sourav Sahana
Published in
2 min readDec 31, 2019

Hey ! I’m Sourav Sahana from India. This is the write-up for my first bug bounty so I am really sorry if I have made something wrong. This was an unique bug for me because I’ve rewarded three times for this bug. Hope you will enjoy this blog.

Summery

After so many duplicates and not applicable I found a program on Bugcrowd. As usual, like other beginner hunter I’m also looking for open redirect, subdomain takeover, server side injection, xss but I was failed and got demotivated and leave the program. next day again I started to take a last try. This time I was testing cookie invalidation issue. Again failed..

Discovery

There is no cookie invalidation issue. But I got this endpoint in search bar :https://manage.statuspage.io/login?redirect=%2fpages/ . I immediately change redirect parameter and BAAM.. It redirects to evil.com. But the problem is it only redirect if I’’m already signed in.If not signed in application was asking to login and then I was redirecting to evil.com. I thought it’s a valid issue and reported it. After two days my report was changed from P4 to P5 because it is post based. I was like:

I have to dig further. then I discover this endpoint: https://manage.statuspage.io/logout?redirect=https%3A%2F%2Fevil.com/ and also told them that if user already signed in then he will simply redirect to evil.com. Next day he changed the report from P5 to P4. And It’s a valid bug. I got my first valid bug and bounty. My first bounty $100 and it’s huge for me.

Wait! wait! wait! not finished yet. After one month hey replay me that this issue has been fixed. But I told then that I can still redirect using this url: https://manage.statuspage.io/logout?redirect=https%3A%2F%2Fbugcrowd.com/ . Then replayed me:- “Thank you for your reply. https://manage.statuspage.io/logout would be considered a different endpoint, so I would encourage you to submit that as a separate report so we can track it separately.”. again I submitted a report and this time I got $50. After one month they flag my report as Resolved. But this time also my luck was with me.. The bug was not fixed but they marked this as resolved and gave me 2 weeks if I can still reproduce this bug. I replayed yes! I can. No replay from his side.

I was waiting for the correct time. After 2 weeks again I reported this bug. And this time it was P3, I don’t know why. Whatever ! I got $300. Total bounty earned : $450

Thank you and happy hunting

Security
Sourav Sahana
Bug Bounty
Hacking
Infosec

--

--

Sourav Sahana
Sourav Sahana

Written by Sourav Sahana

278 Followers
Writer for

Hey ! My name is Sourav and I’m a security researcher/Hacker from India. Follow me if you are bug hunter to see my findings.

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams