Note: ignore ////
Assuming the target was ////example.com
When visiting the website and navigating to the login page, the website returns GET parameters. One of them was interesting, as it seemed worth checking for open redirection.
https://example.com/login?url=example.com/welcome
If you try to inject [ @google.com ] and log in, the website will redirect you to ////example.com
If you try to inject [ ////google.com , ////google.com , other common open redirection whitelist bypasses ], it won’t work.
After that I checked and changed the parameter value from
////example.com/login?url=////example.com/welcome
To
////example.com/login?url=////example.org/welcome
After logging in, the website will redirect you to ////example.org/welcome
After checking, example.org was not a paid domain and was available to purchase. That being said, if an attacker buys it from ////namecheap.com or another domain registration service, he gets an open redirection on the endpoint and can redirect to his own website, which is ////example.org
I’m here trying to write about bugs and tricks in bug bounty hunting and penetration testing because I like this forum, and to inspire other researchers in the community to write their findings here.
Also, the reason for having //// before website URLs is that I’m a new user and I can’t post more than 2 links in a post, so I put these characters.
Thanks.
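The post does not show how the site validates `url`. As an added example (not from the original post or from the site), the sketch below assumes a check that pins the name `example` but not the TLD, which would accept example.org as described, and sets it beside an exact-host allowlist. The pattern, the host set, the default target and the function names are all assumptions.

```python
import re
from urllib.parse import urlsplit

# Assumed weak check: pins the label "example" but accepts any TLD after it.
WEAK_PATTERN = re.compile(r"^(?:https?://)?example\.[a-z]+(?:/|$)", re.IGNORECASE)

# Exact hosts the application owns (constructed for this example).
ALLOWED_HOSTS = {"example.com", "www.example.com"}
DEFAULT_TARGET = "/welcome"


def weak_is_allowed(target: str) -> bool:
    """Return True when the assumed weak pattern accepts the redirect target."""
    return WEAK_PATTERN.match(target) is not None


def safe_redirect_target(target: str) -> str:
    """Return the target only if it is a local path or an exact allowlisted
    HTTPS host; otherwise fall back to DEFAULT_TARGET."""
    # Backslashes and control characters are parsed differently by browsers.
    if any(ch in target for ch in "\\\r\n\t"):
        return DEFAULT_TARGET
    # Local path: exactly one leading slash ("//host" is scheme-relative).
    if target.startswith("/") and not target.startswith("//"):
        return target
    # The parameter on the page carries no scheme, so normalise to https.
    if target.startswith("//"):
        candidate = "https:" + target
    elif "://" not in target:
        candidate = "https://" + target
    else:
        candidate = target
    try:
        parts = urlsplit(candidate)
    except ValueError:
        return DEFAULT_TARGET
    # Reject other schemes and any userinfo ("example.com@other-host").
    if parts.scheme != "https" or parts.username or parts.password:
        return DEFAULT_TARGET
    # Compare the full parsed hostname, never a prefix, suffix or pattern.
    if parts.hostname in ALLOWED_HOSTS:
        return candidate
    return DEFAULT_TARGET


if __name__ == "__main__":
    for t in ("example.com/welcome", "example.org/welcome", "google.com"):
        print(t, weak_is_allowed(t), safe_redirect_target(t))
```
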