FirstBlood-#354 — Open Redirect on /logout.php
This issue was discovered on FirstBlood v2
On 2021-10-25, 0x1452 Level 3 reported:
Getting started
Learn about vulnerability types 
Getting started in bug bounties 
Test your knowledge
Free Web Application Challenges
Guides for your hunts 
ZSeano's Methodology
Effective Note Taking for bug bounties
Useful Resources 
Disclosed HackerOne Reports 
Our community
Endorsed Members
Hackevents 
Member Articles
Hey!
Summary
The endpoint GET /drpanel/logout.php?ref=... is vulnerable to an Open Redirect, caused by the ref parameter.
In the previous version this was exploitable by setting ref to /\/evil.com. However, this time backslashes get replaced with a period (.). To bypass this fix, an attacker can simply use a tab (%09) instead.
To reproduce this navigate to /drpanel/logout.php?ref=/%09/example.com and notice that it successfully redirects to example.com:
The tab will be ignored by the browser.
Impact
There are multiple ways Open Redirects can be abused by attackers. In the worst case they could be used to steal OAuth tokens or bypass certain whitelist filters (e.g. for SSRF). They could also be used to redirect victims to phishing sites. Using your domain as the first link will make it look more convincing to people who aren't careful.
P4 Low
Endpoint: /drpanel/logout.php
Parameter: ref
Payload: /%09/evil.com
FirstBlood ID: 18
Vulnerability Type: Open Redirect
The open redirect bug on logout.php was fixed but the code still failed to filter out certain characters such as %09 and thus the endpoint is still vulnerable to open redirect. This vulnerability only affects chrome.