FirstBlood-#262 — Open Redirect Vulnerability Observed in the Firstbloodhacker.com
This issue was discovered on FirstBlood v1
On 2021-05-15, netmous3 Level 4 reported:
Getting started
Learn about vulnerability types 
Getting started in bug bounties 
Test your knowledge
Free Web Application Challenges
Guides for your hunts 
ZSeano's Methodology
Effective Note Taking for bug bounties
Useful Resources 
Disclosed HackerOne Reports 
Our community
Endorsed Members
Hackevents 
Member Articles
Description:
Open redirect vulnerability was identified on the logout function of the doctor's login portal in the Firstbloodhacker web application. Logout URL can be crafted to redirect login out doctors to an attacker-controlled website.
Steps To Reproduce:
- Log in to the doctor's portal and log out.
- Intercept the log-out request using a web proxy and update the request with the payload
%5c/{Evil_site_url}.
- Submit the request and observe the redirection to the URL used in #2.
Impact:
Impact for Firstbloodhacker.com is minimal as the no cookie values or any other authentication parameters are leak into the attacker. However, this redirection cause to reveal the doctor's portal internal url to the attacker via the referrer header and could use to access the internal resources if authentication cookies leaked.
P4 Low
Endpoint: /drpanel/logout.php
Parameter: ref
Payload: /%5c/{Evil_site_url}
FirstBlood ID: 1
Vulnerability Type: Open Redirect
There is an open url redirect vulnerability on /logout.php. The code expects it to start with / and does not allow to redirect to external domains but this can be bypassed.