From POST to GET Open redirect

Sourav Sahana
Dec 31, 2019 · 2 min read

Hey ! I’m Sourav Sahana from India. This is the write-up for my first bug bounty so I am really sorry if I have made something wrong. This was an unique bug for me because I’ve rewarded three times for this bug. Hope you will enjoy this blog.

Summery

After so many duplicates and not applicable I found a program on Bugcrowd. As usual, like other beginner hunter I’m also looking for open redirect, subdomain takeover, server side injection, xss but I was failed and got demotivated and leave the program. next day again I started to take a last try. This time I was testing cookie invalidation issue. Again failed..

Discovery

There is no cookie invalidation issue. But I got this endpoint in search bar :https://manage.statuspage.io/login?redirect=%2fpages/ . I immediately change redirect parameter and BAAM.. It redirects to evil.com. But the problem is it only redirect if I’’m already signed in.If not signed in application was asking to login and then I was redirecting to evil.com. I thought it’s a valid issue and reported it. After two days my report was changed from P4 to P5 because it is post based. I was like:

I have to dig further. then I discover this endpoint: https://manage.statuspage.io/logout?redirect=https%3A%2F%2Fevil.com/ and also told them that if user already signed in then he will simply redirect to evil.com. Next day he changed the report from P5 to P4. And It’s a valid bug. I got my first valid bug and bounty. My first bounty $100 and it’s huge for me.

Wait! wait! wait! not finished yet. After one month hey replay me that this issue has been fixed. But I told then that I can still redirect using this url: https://manage.statuspage.io/logout?redirect=https%3A%2F%2Fbugcrowd.com/ . Then replayed me:- “Thank you for your reply. https://manage.statuspage.io/logout would be considered a different endpoint, so I would encourage you to submit that as a separate report so we can track it separately.”. again I submitted a report and this time I got $50. After one month they flag my report as Resolved. But this time also my luck was with me.. The bug was not fixed but they marked this as resolved and gave me 2 weeks if I can still reproduce this bug. I replayed yes! I can. No replay from his side.

I was waiting for the correct time. After 2 weeks again I reported this bug. And this time it was P3, I don’t know why. Whatever ! I got $300. Total bounty earned : $450

Thank you and happy hunting

Sourav Sahana

Bug bounty writeups

Sourav Sahana

Written by

Hey ! My name is Sourav and I’m a security researcher/Hacker from India. Follow me if you are bug hunter to see my findings.

Sourav Sahana

Bug bounty writeups

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade