FirstBlood-#15 — Open Url redirection
This issue was discovered on FirstBlood v1
On 2021-05-09, d20s84 Level 3 reported:
Summary: Open URL Redirection is active on the above submitted endpoint.
- Login to /login.php using the provided credentials.
- Click on securely logout and intercept the request.
- Provide the payload /\/\evil.com to the vulnerable parameter ?ref=
- Forward the request and Boom the redirection follows to the provided url.
Impact: Attacker can redirect the victim to desired malicious web page .
FirstBlood ID: 1
Vulnerability Type: Open Redirect
There is an open url redirect vulnerability on /logout.php. The code expects it to start with / and does not allow to redirect to external domains but this can be bypassed.