FirstBlood-#1406 — Open redirect
This issue was discovered on FirstBlood v3
On 2022-12-09, lumbridge7 Level 4 reported:
Hello firstblood team!
Summary
The endpoints /book-appointment.html and /about.html automatically redirect to a PHP page.
- book-appointment.html -> book-appointment.php
- about.html -> about.php
If we intercept this request to analyse the source code of the HTML file, we can see a script setting top.location
to the parameter redirect_url.
This is the script in the source code:
    var curUrl = window.location.search;
    var params = new URLSearchParams(curUrl);
    var redirect_url = params.get('redirect_url');   // attacker-controlled query parameter
    if (redirect_url == null) {
        top.location.href = 'book-appointment.php';   // default target when the parameter is absent
    } else {
        top.location.href = redirect_url;             // assigned without any validation: the open redirect
    }
Based on that, I tried to see if it would accept any random URL to exploit an open redirect by appending ?redirect_url=http://evil.com
to the URL, and it worked! It redirects to http://evil.com.
Steps to reproduce
- access the url https://e7d63648c859-lumbridge7.a.firstbloodhackers.com/book-appointment.html?redirect_url=http://evil.com
- you'll automatically be redirected to http://evil.com
- the same can be achieved at https://e7d63648c859-lumbridge7.a.firstbloodhackers.com/about.html?redirect_url=http://evil.com
Remediation
To avoid the open redirect vulnerability, parameters of the application script/program must be validated before sending a 302 HTTP code (redirect) to the client browser. Implement safe redirect functionality that only redirects to relative URIs, or to a list of trusted domains.
P5 Informative
Endpoint: /book-appointment.html, /about.html
Parameter: redirect_url
Payload: redirect_url=http://evil.com
Even though this issue has been accepted as valid, no FirstBlood ID has been set for this report.
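The allow-list approach from the Remediation section, written out as an added example that is neither the reporter's nor FirstBlood's code. The application origin and the trusted host list are hypothetical stand-ins; the candidate is parsed with the URL API and accepted only when it is http(s) and its hostname is on the list, which also covers the javascript: URI case the administrator mentions.

```javascript
// Added example: allow-list based redirect validation for the redirect_url
// handler in the report. Not FirstBlood's code.
// Assumption: APP_ORIGIN and TRUSTED_HOSTS are hypothetical deployment values.
const APP_ORIGIN = 'https://app.example';
const TRUSTED_HOSTS = new Set(['app.example', 'help.example']);
const DEFAULT_TARGET = 'book-appointment.php';

// Returns a URL string that is safe to assign to top.location.href,
// or DEFAULT_TARGET when the candidate is missing or not allowed.
function safeRedirectTarget(raw, base = APP_ORIGIN, trusted = TRUSTED_HOSTS) {
  if (raw == null || raw === '') return DEFAULT_TARGET;
  let url;
  try {
    // Resolving against the app origin turns relative paths into same-origin
    // absolute URLs and makes protocol-relative input ("//host") visible.
    url = new URL(raw, base);
  } catch (e) {
    return DEFAULT_TARGET;            // unparseable input
  }
  // Only web schemes: rejects javascript:, data:, vbscript: and similar.
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return DEFAULT_TARGET;
  // Compare the parsed hostname, not the raw string, so prefix look-alikes
  // ("app.example.other") and userinfo tricks ("app.example@other") fail.
  if (!trusted.has(url.hostname)) return DEFAULT_TARGET;
  // Userinfo has no legitimate use in a redirect target; drop it outright.
  if (url.username || url.password) return DEFAULT_TARGET;
  return url.href;
}

// Drop-in replacement for the vulnerable branch shown in the report.
// locationLike is any object with an assignable href (e.g. top.location).
function handleRedirect(search, locationLike) {
  const params = new URLSearchParams(search);
  locationLike.href = safeRedirectTarget(params.get('redirect_url'));
  return locationLike.href;
}
```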
Creator & Administrator
Hi there, more than an open URL redirect was possible on this endpoint (such as XSS via the JavaScript URI), so this report will be accepted as informative.