FirstBlood-#586: Open Redirect on logout.php endpoint [Bypass]
This issue was discovered on FirstBlood v2

On 2021-10-26, holybugx Level 5 reported:


Hello Sean,

The developer tried to fix the previously reported Open Redirect by converting "\" to ".". However, this issue has not been properly patched, and an attacker can bypass this.

  • Before:

/drpanel/logout.php?ref=/\/ —Location—> //

  • Now:

/drpanel/logout.php?ref=/\/ —Location—> /./

Steps To Reproduce

  1. Use the following payload to bypass the checks:


  • The %09 is the URL Encoded value of the tab character
  • This payload only works on Chromium-Based browsers.


  • Open Redirect leading to various phishing attacks.


  • Implement proper URL Validators.

Kind Regards,


P4 Low

Endpoint: /drpanel/logout.php

Parameter: ref

Payload: /%09/

FirstBlood ID: 18
Vulnerability Type: Open Redirect

The open redirect bug on logout.php was fixed, but the code still failed to filter out certain characters such as %09, so the endpoint is still vulnerable to open redirect. This vulnerability only affects Chrome.
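
The bypass and a stricter check, as an added example (not FirstBlood's code; the server is PHP, and Node's WHATWG `URL` parser stands in here for how a browser resolves the Location value). The `app.example` and `other.example` hosts and all function names are constructed for illustration.

```javascript
// Added example: BASE, the sample hosts and every function name are constructed.
const BASE = "https://app.example"; // hypothetical origin of the application

// The patched filter as the report describes it: "\" is converted to ".".
function patchedFilter(ref) {
  return ref.replace(/\\/g, ".");
}

// Origin a WHATWG-conformant URL parser resolves a Location value to.
// That parser strips ASCII tab/newline and treats "\" as "/" for http(s) URLs.
function resolvedOrigin(location) {
  return new URL(location, BASE + "/drpanel/logout.php").origin;
}

// Stricter validator: accept only same-origin absolute paths.
function safeRedirect(ref, fallback = "/") {
  // Reject control characters (tab, CR, LF, ...) and backslashes outright.
  if (/[\u0000-\u001f\u007f\\]/.test(ref)) return fallback;
  // Require a single leading slash; "//host" is protocol-relative.
  if (!ref.startsWith("/") || ref.startsWith("//")) return fallback;
  let url;
  try {
    url = new URL(ref, BASE);
  } catch {
    return fallback;
  }
  // Final check with the same parser family the browser uses.
  if (url.origin !== BASE) return fallback;
  return url.pathname + url.search + url.hash;
}

// ref values as the server sees them after URL-decoding (%09 becomes a tab).
function demo() {
  const samples = ["/\\/other.example", "/\t/other.example", "/drpanel/index.php?x=1"];
  return samples.map((ref) => ({
    ref: JSON.stringify(ref),
    afterPatch: resolvedOrigin(patchedFilter(ref)),
    validated: safeRedirect(ref),
  }));
}

console.table(demo());
```

The `afterPatch` column shows the backslash form staying on `app.example` while the tab form still resolves to the other origin; `safeRedirect` falls back to `/` for both.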