Hello everyone!

I hope you are doing well and staying safe. If you are new to bug hunting, you can check my previous blog. Today I am going to share an interesting finding of mine: an open redirect vulnerability.

What is Open Redirect?

Open redirection vulnerabilities arise when an application incorporates user-controllable data into the target of a redirection in an unsafe way. An attacker can construct a URL within the application that causes a redirection to an arbitrary external domain. This behaviour can be leveraged to facilitate phishing attacks against users of the application. The ability to use an authentic application URL, targeting the correct domain and with a valid SSL certificate (if SSL is used), lends credibility to the phishing attack because many users, even if they verify these features, will not notice the subsequent redirection to a different domain.

Let’s start! We will call our target target.com. My first step is always recon, because it plays an important role in finding bugs. Using the waybackurls tool, I collected many endpoints of the target, then used grep to filter for URLs with a “redirect” parameter. The result looked like this:

https://login.target.com/login?redirect=aHR0cHM6Ly9hcHAudGFyZ2V0LmNvbS9kYXNoYm9hcmR8MzJ8YUhSMGNITTZMeTloY0hBdWRHRnlaMlYwTG1OdmJTOWtZWE5vWW05aGNtUT0%3D

First of all, I copied the redirect value and changed “%3D” to “=” (URL-decoded), so it now looks like this:

aHR0cHM6Ly9hcHAudGFyZ2V0LmNvbS9kYXNoYm9hcmR8MzJ8YUhSMGNITTZMeTloY0hBdWRHRnlaMlYwTG1OdmJTOWtZWE5vWW05aGNtUT0=

It looks like a Base64-encoded value, so I decoded it straight away and got this:

https://app.target.com/dashboard|32|aHR0cHM6Ly9hcHAudGFyZ2V0LmNvbS9kYXNoYm9hcmQ=

For a few seconds, I was wondering what the hell came after the URL. Then I realized that “32” is the length of the URL, counted from the first “h” of “https” to the last “d” of “dashboard”, and that the token after it is nothing but the Base64-encoded value of the URL.
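
The decoded layout above is `url|length|token`, and the token carries no secret. As an added example (not from the original post or the target's code), the Python below parses the value shown in the post and contrasts a check that only verifies self-consistency with a hardened one that uses an HMAC and a host allowlist; the validation logic, `ALLOWED_HOSTS`, `SERVER_KEY` and all function names are assumptions.

```python
import base64, hashlib, hmac
from urllib.parse import unquote, urlsplit

# Value of the redirect parameter exactly as shown in the post (URL-encoded).
SAMPLE = "aHR0cHM6Ly9hcHAudGFyZ2V0LmNvbS9kYXNoYm9hcmR8MzJ8YUhSMGNITTZMeTloY0hBdWRHRnlaMlYwTG1OdmJTOWtZWE5vWW05aGNtUT0%3D"
ALLOWED_HOSTS = {"app.target.com"}    # assumption: the only legitimate destination
SERVER_KEY = b"constructed-demo-key"  # assumption: secret known only to the server

def parse(param):
    """Split the parameter into (url, declared_length, token)."""
    raw = base64.b64decode(unquote(param), validate=True).decode()
    url, length, token = raw.rsplit("|", 2)
    return url, int(length), token

def pack(url, token):
    """Serialise url|len|token in the layout the post decoded."""
    return base64.b64encode(f"{url}|{len(url)}|{token}".encode()).decode()

def weak_token(url):
    # What the post observed: the "token" is only Base64 of the URL.
    return base64.b64encode(url.encode()).decode()

def signed_token(url):
    # Hardened form: HMAC-SHA256 keyed with a server-side secret.
    return hmac.new(SERVER_KEY, url.encode(), hashlib.sha256).hexdigest()

def weak_check(param):
    # Assumed server logic: only checks that the three fields agree with each other.
    url, length, token = parse(param)
    return len(url) == length and token == weak_token(url)

def hardened_check(param):
    try:
        url, length, token = parse(param)
        parts = urlsplit(url)
    except ValueError:  # bad Base64, bad UTF-8, missing fields, bad URL
        return False
    good_mac = hmac.compare_digest(token.encode(), signed_token(url).encode())
    return (len(url) == length and good_mac
            and parts.scheme == "https" and parts.hostname in ALLOWED_HOSTS)

if __name__ == "__main__":
    print(parse(SAMPLE))
    outside = "https://example.org/"  # constructed host outside the allowlist
    crafted = pack(outside, weak_token(outside))
    print("weak check accepts:", weak_check(crafted))
    print("hardened check accepts:", hardened_check(crafted))
```

The allowlist matters even with the HMAC in place: a signature only proves the server issued the value, not that the destination is one the application should ever redirect to.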


Weak Cryptography Leads To Open Redirect