FirstBlood-#237 — Open Redirect via logout ref parameter
This issue was discovered on FirstBlood v1
On 2021-05-14, codersanjay Level 3 reported:
Summary regarding the vulnerability
All the doctors who log in are provided with logout option as well.The logout endpoint has a parameter ref which tells the website where to go after the doctor has logged out.
This ref parameter is not handled properly because of which an attacker can redirect users to malicious website using legit firstbloodhackers.com
ref parameter reflects in location header.So,as a attacker , our goal is to somehow fill the location header with absolute url but not child url.
You can read more about location header in the below link.
Step by Step Procedure followed to find this vulnerability
1.After login, you are provided with logout option on top right of the dashboard.
2.Click on logout and intercept the request in the burp.You will see the below endpoint in your burp.
3.I tried a lot of bypass techniques here.Many didn't work but finally one did.
4.Give the value to ref parameter as %2f%2fhttps%3a%2f%2fgoogle%2ecom%2f%2f
5.Forward the request.You can see that it is being redirected to google.com in the response.
6.The same happened when I tested in chrome as well.Go to http://firstbloodhackers.com:49694/drpanel/logout.php?ref=%2f%2fhttps%3a%2f%2fgoogle%2ecom%2f%2f in chrome. It will take you to google.com
Please check the below youtube link for detailed Video POC.
FirstBlood ID: 1
Vulnerability Type: Open Redirect
There is an open url redirect vulnerability on /logout.php. The code expects it to start with / and does not allow to redirect to external domains but this can be bypassed.