Important information
Our challenges do NOT require any bruteforcing/directory fuzzing/massive amounts of traffic. Please practise hacking on our challenges manually.
Failure to abide by the rules will put you at risk of being restricted from using our free challenges.
You may only redirect to *.bugbountyhunter.com
Easy
Open URL Redirect
Developers will often lock down their open redirects to only allow for *.theirdomain.com.
Can you find out how to redirect to any website? Remember, this challenge is designed to only allow for *.bugbountyhunter.com
Solution
You can first discover the vulnerable parameter from the id which is redirectUri.
Since the challenge is locked down to *.bugbountytraining.com you can't add anything after the domain, but you can in the subdomain.
At first you'll notice \ and ? are filtered, but # is allowed. However trying ?redirectUri=https://example.com#.bugbountytraining.com/ doesn't work.
Enter bypass!
The encoding %E3%80%82 also represents . - Visit https://www.bugbountyhunter%E3%80%82com & see for yourself!
Final payload: https://www.bugbountytraining.com/challenges/challenge-7.php?redirectUri=https://evilsite%E3%80%82%23.bugbountyhunter.com/
