FirstBlood-#586 — Open Redirect on logout.php endpoint [Bypass]
This issue was discovered on FirstBlood v2
On 2021-10-26, holybugx reported:
The developer tried to fix the previously reported Open Redirect by converting
. However, this issue has not been properly patched, and an attacker can bypass this.
Steps To Reproduce
- Use the following payload to bypass the checks:
%09 is the URL-encoded value of the tab character.
- This payload only works on Chromium-based browsers.
- Open Redirect leading to various phishing attacks.
- Implement proper URL Validators.
FirstBlood ID: 18
Vulnerability Type: Open Redirect
The open redirect bug on logout.php was fixed, but the code still failed to filter out certain characters such as %09, so the endpoint remained vulnerable to open redirect. This vulnerability only affects Chrome.
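A redirect-target validator that covers the recommendation above and the unfiltered-character problem described in the resolution note, as an added example that is not part of the report or of the FirstBlood code. It assumes a hypothetical helper name and that the value arrives already percent-decoded, as PHP delivers query parameters in $_GET.

```php
<?php
// Added example (not FirstBlood's own code). Hypothetical helper for a
// logout.php-style redirect parameter: accept only same-site paths and
// reject anything a browser could normalise into an absolute URL.
function safeRedirectTarget(string $url, string $fallback = '/'): string
{
    // 1. Refuse ASCII control characters and whitespace outright. $_GET has
    //    already turned %09 into a raw tab byte, and Chromium strips tab, CR
    //    and LF from a URL before parsing it, so a check that only looks for
    //    "http" or "//" in the raw string sees a relative path while the
    //    browser ends up with a scheme or host.
    if (preg_match('/[\x00-\x20\x7f]/', $url)) {
        return $fallback;
    }

    // 2. Refuse backslashes: browsers treat "\" like "/" in URLs, so
    //    "/\evil.example" would be parsed as protocol-relative.
    if (strpos($url, '\\') !== false) {
        return $fallback;
    }

    // 3. Require exactly one leading slash; "//host" is protocol-relative.
    if ($url === '' || $url[0] !== '/' || (isset($url[1]) && $url[1] === '/')) {
        return $fallback;
    }

    // 4. Belt and braces: after parsing, no scheme or host may be present.
    $parts = parse_url($url);
    if ($parts === false || isset($parts['scheme']) || isset($parts['host'])) {
        return $fallback;
    }

    return $url;
}

// Constructed inputs for illustration (not values from the report).
$cases = [
    '/account/settings',          // accepted: same-site path
    "/\thttps://evil.example/",   // rejected: embedded tab (what %09 decodes to)
    '//evil.example/',            // rejected: protocol-relative
    '/\\evil.example/',           // rejected: backslash
    'https://evil.example/',      // rejected: absolute URL
];
foreach ($cases as $c) {
    printf("%-30s => %s\n", json_encode($c), safeRedirectTarget($c));
}
```

Call the helper on the logout redirect value and pass its return value, never the raw parameter, to the Location header.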