The ref parameter is redirectable in the register.php path

FirstBlood-#537 — The ref parameter is redirectable in the register.php path
This issue was discovered on FirstBlood v2

Even though this issue has been accepted as valid, no FirstBlood ID has been set for this bug & therefore it will not count towards unique bugs discovered. This may be because of the bug not working as intended and changes we made, something we do not consider an issue on BARKER, or the correct impact was not shown (For example only Open Redirect demonstrated when XSS was possible)

On 2021-10-26, axe Level 4 reported:


Summary


Through the report disclosed by V1, I found an unpatched redirect vulnerability in v2.


In reading other people's reports, I learned how they think about testing. I will expand on what I have learned!


Testing ideas
Open Redirect


Do a test on the parameter, e.g. xxx.php?xx1="><xss. Do a fuzz on the xx1 parameter and then look at the response in burp. By the response we can see that this ref parameter is working.



Visit /register.php?ref=/\/google.com


Click Return to previous page. successfully redirected to google.
 


After testing you can also redirect via parameter pollution:
`/register.php?ref=google.com&ref=//google.com`
Available payloads
/\/google.com
//google.com
////google.com
//%2F/yoursite.com
\/\/yoururl.com
//[email protected]
...
...
Vulnerability for exploitation
Open Redirect to SSRF(Test Failure)


I'm extending the application based on the redirect vulnerability. Change /\/google.com to n8w5dmbcdeg73bqwioriwy5p7gd61v.burpcollaborator.net


But in the end it was not exploited successfully. It was not possible to get the internal address.
 



I would very much like zseano to give me guidance advice.


Fixes

Whitelisting of domains is the most effective way to deal with redirects in my opinion.

Reference study material.


https://www.bugbountyhunter.com/vulnerability/?type=open_redirect


https://book.hacktricks.xyz/pentesting-web/open-redirect


https://blog.detectify.com/2019/05/16/the-real-impact-of-an-open-redirect/

This report has been publicly disclosed for everyone to view

P5 Informative

Endpoint: /register.php

Parameter: ref

Payload: /\/google.com

Even though this issue has been accepted as valid, no FirstBlood ID has been set for this report.

Report Feedback

@zseano

Creator & Administrator

Hi there, whilst you're correct that this parameter is vulnerable to open redirect, it is possible to redirect the user to javascript: which results in XSS which carries more impact. As such this is the intended solution/bug for this parameter. As open redirect was demonstrated in this report we won't reject but there wont be any ID assigned. With regards to the SSRF, this is just an open redirect which occurs client side, and not server side. For SSRF you need the server to initiate the request and to then follow the redirect :) Redirecting to your burp collaborator just means you are visiting it yourself (hence the request is received)

BugBountyHunter

Summary

Testing ideas

Open Redirect

After testing you can also redirect via parameter pollution:

Available payloads

Vulnerability for exploitation

Open Redirect to SSRF(Test Failure)

Fixes

Reference study material.

Report Feedback

@zseano