FirstBlood-#586Open Redirect on logout.php endpoint [Bypass]
This issue was discovered on FirstBlood v2.0.0 (issues patched)



On 2021-10-26, holybugx Level 5 reported:

Description

Hello Sean,

The developer tried to fix the previously reported Open Redirect by converting \ to . However, this issue has not been properly patched, and an attacker can bypass this.

  • Before:

/drpanel/logout.php?ref=/\/attacker.com —Location—> //attacker.com

  • Now:

/drpanel/logout.php?ref=/\/attacker.com —Location—> /./attacker.com

Steps To Reproduce

  1. Use the following payload to bypass the checks:
/drpanel/logout.php?ref=/%09/attacker.com

Notes

  • The %09 is the URL Encoded value of the tab character
  • This payload only works on Chromium-Based browsers.

Impact

  • Open Redirect leading to various phishing attacks.

Remediation

  • Implement proper URL Validators.

Kind Regards,

HolyBugx

P4 Low

Endpoint: /drpanel/logout.php

Parameter: ref

Payload: /%09/google.com


FirstBlood ID: 18
Vulnerability Type: Open Redirect

The open redirect bug on logout.php was fixed but the code still failed to filter out certain characters such as %09 and thus the endpoint is still vulnerable to open redirect. This vulnerability only affects chrome.