FirstBlood-#468[COLLAB with isitbug] Open redirect bypass on logout
This issue was discovered on FirstBlood v2

On 2021-10-25, shreky Level 5 reported:


On the logout function (as a doctor) ,parameter ref has been reinforced with some additional filters compared to the previous version of FirstBlood,however me and isitbug(he got the payload working) found a bypass for it.

Steps to reproduce

  1. Login as a doctor/admin at /login.php
  2. Access /drpanel/logout.php?ref=%2f%2f%2f%09%2fgoogle%2ecom
  3. You'll get redirected to


Open redirect vulnerability affecting doctors and admins.

Request PoC -->

P4 Low

Endpoint: /drpanel/logout.php

Parameter: ref

Payload: %2f%2f%2f%09%2fgoogle%2ecom

FirstBlood ID: 18
Vulnerability Type: Open Redirect

The open redirect bug on logout.php was fixed but the code still failed to filter out certain characters such as %09 and thus the endpoint is still vulnerable to open redirect. This vulnerability only affects chrome.