FirstBlood-#15Open Url redirection



On 2021-05-09, d20s84 reported:

Summary: Open URL Redirection is active on the above submitted endpoint.

Steps:

  1. Login to /login.php using the provided credentials.
  2. Click on securely logout and intercept the request.
  3. Provide the payload /\/\evil.com to the vulnerable parameter ?ref=
  4. Forward the request and Boom the redirection follows to the provided url.

Impact: Attacker can redirect the victim to desired malicious web page .

P4 Low

Endpoint: /drpanel/logout.php?ref=/\/\evil.com

Parameter: ref=

Payload: /\/\evil.com


FirstBlood ID: 1
Vulnerability Type: Open Redirect

There is an open url redirect vulnerability on /logout.php. The code expects it to start with / and does not allow to redirect to external domains but this can be bypassed.

Report Feedback

@zseano

Creator & Administrator


Nice work d20s84 :) Enjoy the bounty!


Respect Earnt: 1000000
RESPECT ($RSP) is an experimental cryptocurrency based on the Ethereum blockchain with the mission to show respect to those who deserve it. We are testing it out on our FirstBlood hackevent.