Open redirection via login

Note: ignore ////

Assuming the target was ////example.com

When visiting the website and navigating to the login page, the website returns GET parameters; one of them was interesting as it seemed good to check for open redirection.

https://example.com/login?url=example.com/welcome

If you try to inject [ @google.com ] and log in, the website will redirect you to ////example.com
If you try to inject [ ////google.com, ////google.com, other common open redirection whitelist bypasses ], it won’t work.

After that I checked and changed the parameter value from

////example.com/login?url=////example.com/welcome

To

////example.com/login?url=////example.org/welcome

After logging in, the website will redirect you to ////example.org/welcome

After checking, example.org was not a paid domain and was available to purchase. That being said, if an attacker buys it from ////namecheap.com or another domain registration service, he can get open redirection on the endpoint and redirect to his website, which is ////example.org

I’m here trying to write bugs and tricks in bug bounty hunting and penetration testing because I like this form + to inspire other researchers in the community to write their findings here.

The reason for having //// before website URLs is that I’m a new user and I can’t post more than 2 links in a post, so I put these chars.
Thanks.

5 Likes

Nice one!
If they only check the first part of the target URL (i.e. until the first dot), maybe then you could also redirect to example.domain.com, if you already have domain.com?

1 Like

Yeah, thanks for your notice, I’ll keep this in mind in future tests too, but in the case of this company I stopped there when I was testing because I know it will be marked as duplicate, and it got marked as duplicate in the end xD.

1 Like
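
Added example, not part of the thread and not the site's own code: the reply's hypothesis of a check that only compares the text before the first dot, next to an exact-host allowlist that sends example.org and example.domain.com to a fixed default. The allowed host set, the default target, the function names and the sample list are assumptions made for illustration.

```python
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"example.com"}          # assumption: only host a login may return to
DEFAULT_TARGET = "https://example.com/"  # assumption: fallback landing page

def weak_is_allowed(url_param: str) -> bool:
    """Hypothetical flawed check: compare only the text before the first dot."""
    return url_param.split(".", 1)[0] == "example"

def safe_redirect_target(url_param: str) -> str:
    """Return an https URL on an allowlisted host, else DEFAULT_TARGET."""
    # Backslashes, spaces and control characters are parsed inconsistently; refuse them.
    if "\\" in url_param or any(ord(c) < 0x21 for c in url_param):
        return DEFAULT_TARGET
    # The page's parameter has no scheme (url=example.com/welcome), so add one.
    if url_param.lower().startswith(("http://", "https://")):
        candidate = url_param
    else:
        candidate = "https://" + url_param.lstrip("/")
    try:
        parts = urlsplit(candidate)
        port = parts.port
    except ValueError:
        return DEFAULT_TARGET
    host = (parts.hostname or "").lower().rstrip(".")
    # Exact host match: no prefix, suffix or first-label comparison, no userinfo.
    if (parts.scheme != "https" or "@" in parts.netloc
            or port not in (None, 443) or host not in ALLOWED_HOSTS):
        return DEFAULT_TARGET
    query = "?" + parts.query if parts.query else ""
    # Rebuild the URL from validated parts instead of echoing the raw input.
    return f"https://{host}{parts.path or '/'}{query}"

# Constructed sample values, modelled on the parameter values discussed in the thread.
SAMPLES = ["example.com/welcome", "example.org/welcome",
           "example.domain.com/welcome", "@google.com", "//google.com"]

def compare(samples=SAMPLES):
    """Map each sample to (weak check result, hardened redirect target)."""
    return {s: (weak_is_allowed(s), safe_redirect_target(s)) for s in samples}

if __name__ == "__main__":
    for value, (weak, target) in compare().items():
        print(f"{value:28} weak_allows={weak!s:5} hardened -> {target}")
```
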