Open Redirect vulnerability found using link parameter

Hi Everyone,

I am Muhammad Aamir, a cybersecurity professional from Pakistan. Here I share a recent and interesting find: an Open Redirect vulnerability in a program at Bugcrowd. I was rewarded $100 under the program’s P4 bug bounty allocation.

Let’s say the target’s website is redact.com and the login page URL is https://redact.com/login?redirect=https://anysubdomain.redact.com. As soon as a user logs in, they are taken to https://anysubdomain.redact.com, where “anysubdomain” is a subdomain of https://redact.com. One can also supply a non-existent subdomain here, such as https://mysite.redact.com.

The application only checks that the redirect URL ends in “redact.com” and then tries to load that website. If it’s a valid, working subdomain, the respective website is loaded. If it’s an invalid subdomain such as https://mysite.redact.com, the application still attempts the redirect and an error message appears.

Redirection to the target’s invalid subdomain

Now, to turn this into an open redirect, I decided to try a workaround :) So I started hunting for different subdomains of https://redact.com.

After some time, I found a link pointing to an address like https://link.redact.com. Fortunately, the link was not a working page within the https://redact.com environment, so I focused on it and did some research. Soon, I found a parameter attached to it, also named “link”, which redirected me to a website of my choice :) Now I had an open redirect to https://mysite.com via https://link.redact.com?link=https://mysite.com.

But wait, https://link.redact.com is out of scope. Hmmm … no problem, we shall use it through an in-scope item, i.e. https://redact.com/login.

So the final URL with payload for open redirect is https://redact.com/login?redirect=https://link.redact.com?link=https://mysite.com

The above URL took an already logged-in user to https://mysite.com. If it is presented to a user who is not yet logged in, the user first sees the application’s login screen and is then taken to https://mysite.com after logging in.
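The root cause is the suffix check on the redirect host: every subdomain passes, including link.redact.com, which carries its own redirector. As an added example (not code from the program or the write-up), the following Python contrasts that check with an exact-host allowlist; the allowlist entries and the fallback page are constructed stand-ins.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed values: stand-ins for the application's real redirect destinations (assumption).
ALLOWED_REDIRECT_HOSTS = {"redact.com", "app.redact.com"}
SAFE_FALLBACK = "https://redact.com/"


def redirect_param(login_url: str) -> str:
    """Extract the 'redirect' query parameter exactly as the login page receives it."""
    query = parse_qs(urlsplit(login_url).query)
    return query.get("redirect", [""])[0]


def weak_check(redirect: str) -> bool:
    """The suffix check the write-up describes: any host ending in 'redact.com' passes,
    so every subdomain is accepted, even one whose behaviour the login page does not control."""
    host = (urlsplit(redirect).hostname or "").lower()
    return host.endswith("redact.com")


def safe_redirect_target(redirect: str) -> str:
    """Allowlist check: return the redirect only if scheme and host match a known destination;
    anything else, including unknown subdomains, falls back to a fixed in-app page."""
    try:
        parts = urlsplit(redirect)
        # Credentials or a port in the authority have no business in a redirect target.
        if parts.username is not None or parts.port is not None:
            return SAFE_FALLBACK
    except ValueError:
        return SAFE_FALLBACK
    if parts.scheme != "https":
        return SAFE_FALLBACK
    host = (parts.hostname or "").lower()
    if host not in ALLOWED_REDIRECT_HOSTS:
        return SAFE_FALLBACK
    return redirect


if __name__ == "__main__":
    chained = "https://redact.com/login?redirect=https://link.redact.com?link=https://mysite.com"
    target = redirect_param(chained)
    print("suffix check accepts:", weak_check(target))              # True
    print("allowlist resolves to:", safe_redirect_target(target))   # https://redact.com/
```

For the chained URL from the write-up, the suffix check lets the redirect through while the allowlist sends the user to the fallback page; the same holds for the non-existent mysite.redact.com.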

The impact is obvious: a logged-in user can be taken to a phishing page built to steal sensitive information, including credentials. The program also liked this find and acknowledged how a vulnerability in an out-of-scope item could be leveraged from the in-scope domain.

Program’s comments on the finding

I hope you’ve enjoyed reading it :) Thank you.

Stay Safe Everyone!

Twitter: @Muhammad__Aamir

LinkedIn: https://www.linkedin.com/in/muhammad-aamir-457932150