Open Redirect vulnerability found using link parameter

Hi Everyone,

I am Muhammad Aamir, a cybersecurity professional from Pakistan. Here I share with you a recent & interesting find of Open Redirect vulnerability on a program at Bugcrowd. I was rewarded with $100 under the program’s P4 allocation of bug bounty.

Let’s say that the target’s website is and the login page contains URL It means that as soon as a user is logged in, he is taken to where “anysubdomain” is a subdomain of One could also mention an invalid subdomain here such as

The application checks that there’s “” in the end of redirect URL and tries to load that particular website. If it’s a valid/working subdomain, the respective website is loaded. On the other hand, if it’s an invalid subdomain such as, the application still tries to load that website and then the error message appears.

Redirection to the target’s invalid subdomain

Now for open redirect, I decided to try some cool workaround :) So, I started hunting for different subdomains of

After some time, I found a link that was pointing to the address like Fortunately, the link was invalid in the environment of so I focused on it and started some research. Soon, I found a parameter attached to it that’s also named as “link”. This parameter was redirecting me to the website of my choice :) Now I had an open redirect to with

But wait, is out-of-scope. Hmmm … no problem, we shall use it on an in-scope item i.e.

So the final URL with payload for open redirect is

The above URL took an already logged in user to If it is presented to a user who is not yet logged in, first the user will see the application’s login screen, then he/she will be taken to if logged in.

The impact is obvious i.e. a logged in user can be taken to phished webpage for stealing sensitive information including credentials. The program also liked this find and acknowledged how I could utilize a vulnerability of out-of-scope item from the in-scope domain.

Program’s comments on the finding

I hope you’ve enjoyed reading it :) Thank you.

Stay Safe Everyone!

Twitter: @Muhammad__Aamir


Cybersecurity Professional / Researcher from Pakistan