FirstBlood-#47 — Open redirect on the logout.php endpoint [COLLAB]
This issue was discovered on FirstBlood v1
On 2021-05-09, holybugx Level 5 reported:
Description
Hi Sean,
I just found out that there is an open redirect vulnerability on the /drpanel/logout.php endpoint using the ref parameter.
That enables an attacker to redirect the admin/users to the domain he wants.
Steps To Reproduce
There were some protections and filtering around the ref parameter; it seems like // was filtered out and you would have been redirected to /, however, using /\/ I was able to bypass the filter and redirect the user to another domain.
You can use the following payload to reproduce this redirect to your own domain:
/drpanel/logout.php?ref=/\/attacker.com
Impact
I wasn't able to find any SSO tokens or similar in the URL that could potentially be leaked using this open redirect. For now, the impact is simply redirecting the user to the attacker's domain and doing phishing; however, keeping that in mind, I will try to use it later on to bypass some protections over higher-impact bugs such as SSRF.
Kind Regards,
HolyBugx
P4 Low
Endpoint: /drpanel/logout.php?ref=/
Parameter: ref
Payload: /\/attacker.com
FirstBlood ID: 1
Vulnerability Type: Open Redirect
There is an open URL redirect vulnerability on /logout.php. The code expects the ref value to start with / and does not allow redirecting to external domains, but this check can be bypassed.
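As an added illustration (not FirstBlood's code), the following shows why a filter that only rejects a leading `//` lets the `/\/` form through, and what a stricter same-origin check looks like. `naive_filter` is an assumption modelled on the behaviour the report describes; note that Python's `urlsplit` also leaves the backslash in the path, so the server must reject it explicitly rather than relying on the parser.

```python
"""Validating a ``ref``-style redirect target on the server side.

naive_filter() models the check the report describes (assumption): anything
starting with "//" falls back to "/". safe_redirect_target() is a hardened
version that only accepts a same-origin absolute path. Neither function is
FirstBlood's code; both are constructed here for illustration.
"""
from urllib.parse import urlsplit

FALLBACK = "/"


def naive_filter(ref: str) -> str:
    """Reject network-path references that start with "//" and nothing else."""
    if not ref.startswith("/") or ref.startswith("//"):
        return FALLBACK
    return ref  # "/\\/attacker.com" slips through: browsers read "\\" as "/"


def safe_redirect_target(ref: str) -> str:
    """Return ref only if it is a plain same-origin path, otherwise FALLBACK."""
    # Must be an absolute path on this origin.
    if not ref.startswith("/"):
        return FALLBACK
    # Browsers normalise "\\" to "/" in special-scheme URLs, so "/\\/host"
    # becomes "//host" (a protocol-relative URL). Python's urlsplit does not
    # do this, so the check has to be explicit.
    if "\\" in ref:
        return FALLBACK
    # A second leading separator would make it protocol-relative.
    if len(ref) > 1 and ref[1] == "/":
        return FALLBACK
    # Control characters and whitespace are stripped by browsers before
    # parsing; refuse them rather than guessing how they will be interpreted.
    if any(ord(c) < 0x21 or ord(c) == 0x7F for c in ref):
        return FALLBACK
    # Belt and braces: the parser must agree there is no scheme or host.
    parts = urlsplit(ref)
    if parts.scheme or parts.netloc:
        return FALLBACK
    return ref
```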