FirstBlood-#237Open Redirect via logout ref parameter



On 2021-05-14, codersanjay reported:

Summary regarding the vulnerability

All the doctors who log in are provided with logout option as well.The logout endpoint has a parameter ref which tells the website where to go after the doctor has logged out.

This ref parameter is not handled properly because of which an attacker can redirect users to malicious website using legit firstbloodhackers.com

---Info---

ref parameter reflects in location header.So,as a attacker , our goal is to somehow fill the location header with absolute url but not child url.

You can read more about location header in the below link.

Link:- https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Location


Step by Step Procedure followed to find this vulnerability

1.After login, you are provided with logout option on top right of the dashboard.

2.Click on logout and intercept the request in the burp.You will see the below endpoint in your burp.

3.I tried a lot of bypass techniques here.Many didn't work but finally one did.

4.Give the value to ref parameter as %2f%2fhttps%3a%2f%2fgoogle%2ecom%2f%2f

5.Forward the request.You can see that it is being redirected to google.com in the response.

6.The same happened when I tested in chrome as well.Go to http://firstbloodhackers.com:49694/drpanel/logout.php?ref=%2f%2fhttps%3a%2f%2fgoogle%2ecom%2f%2f in chrome. It will take you to google.com

Note

Please check the below youtube link for detailed Video POC.

https://youtu.be/JviV_CqrsBo

Thank You.

P4 Low

Endpoint: /drpanel/logout.php

Parameter: ref

Payload: %2f%2fhttps%3a%2f%2fgoogle%2ecom%2f%2f


FirstBlood ID: 1
Vulnerability Type: Open Redirect

There is an open url redirect vulnerability on /logout.php. The code expects it to start with / and does not allow to redirect to external domains but this can be bypassed.


Respect Earnt: 1000000
RESPECT ($RSP) is an experimental cryptocurrency based on the Ethereum blockchain with the mission to show respect to those who deserve it. We are testing it out on our FirstBlood hackevent.