FirstBlood-#586 — Open Redirect on logout.php endpoint [Bypass]
This issue was discovered on FirstBlood v2
On 2021-10-26, holybugx Level 5 reported:
Description
Hello Sean,
The developer tried to fix the previously reported Open Redirect by converting "\" to ".".
However, this issue has not been properly patched, and an attacker can bypass this.
- Before:
/drpanel/logout.php?ref=/\/attacker.com
—Location—> //attacker.com
- Now:
/drpanel/logout.php?ref=/\/attacker.com
—Location—> /./attacker.com
Steps To Reproduce
- Use the following payload to bypass the checks:
/drpanel/logout.php?ref=/%09/attacker.com
Notes
- The %09 is the URL-encoded value of the tab character.
- This payload only works on Chromium-Based browsers.
Impact
- Open Redirect leading to various phishing attacks.
Remediation
- Implement proper URL Validators.
Kind Regards,
HolyBugx
P4 Low
Endpoint: /drpanel/logout.php
Parameter: ref
Payload: /%09/google.com
FirstBlood ID: 18
Vulnerability Type: Open Redirect
The open redirect bug on logout.php was fixed, but the code still failed to filter out certain characters such as %09 (a tab), and thus the endpoint is still vulnerable to open redirect. Because the browser's URL parser strips the tab before resolving the Location header, /%09/attacker.com is interpreted as the scheme-relative URL //attacker.com. This vulnerability only affects Chromium-based browsers such as Chrome.
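The following is an added example, not code from the report or from the FirstBlood application, that models the bypass and a safer check. It uses Node's WHATWG URL parser, which, like Chromium, removes ASCII tab and newline characters from a URL before parsing it. The origin `https://firstblood.example`, the `/drpanel/` fallback, and the shape of the patched filter (backslash replaced by a dot, plus a rejection of `//` prefixes) are assumptions made for illustration; the report only states that `\` was converted to `.`.

```javascript
// Added example: models the logout.php "ref" handling described in the report.
// BASE is a hypothetical origin; the real FirstBlood host is not named on the page.
const BASE = 'https://firstblood.example/drpanel/';
const FALLBACK = '/drpanel/';

// The raw payload from the report, decoded the way a web server would decode the query string.
const REPORT_PAYLOAD = decodeURIComponent('/%09/attacker.com'); // "/\t/attacker.com"

// Assumed model of the developer's patch: backslashes become dots so that
// "/\/attacker.com" turns into "/./attacker.com"; scheme-relative "//" is rejected.
// Takes the already-decoded value of the ref parameter.
function patchedRef(ref) {
  const sanitised = ref.replace(/\\/g, '.');
  if (!sanitised.startsWith('/') || sanitised.startsWith('//')) return FALLBACK;
  return sanitised; // "/\t/attacker.com" passes untouched: the tab is not filtered
}

// Where a WHATWG-conformant browser (Chromium, and Node here) lands after
// following a Location header with this value: tabs/newlines are stripped first.
function resolvedLocation(location) {
  return new URL(location, BASE).href;
}

// Hardened validator: refuse control characters outright, then parse the candidate
// exactly as the browser would and keep only same-origin targets, returning a
// path-only value so no authority can sneak through.
function safeRef(ref) {
  if (/[\x00-\x1f\x7f]/.test(ref)) return FALLBACK; // tab, newline, etc.
  let target;
  try {
    target = new URL(ref, BASE);
  } catch {
    return FALLBACK;
  }
  if (target.origin !== new URL(BASE).origin) return FALLBACK;
  return target.pathname + target.search + target.hash;
}

module.exports = { REPORT_PAYLOAD, patchedRef, resolvedLocation, safeRef };
```

Running `resolvedLocation(patchedRef(REPORT_PAYLOAD))` shows the patched filter letting the tab payload through and the browser resolving it to `https://attacker.com/`, while `safeRef` returns the fallback for the tab payload, the original backslash payload, and plain `//attacker.com`, and passes a same-origin path such as `/drpanel/index.php?x=1` unchanged. The origin comparison is the important part: it judges the value after the same normalisation the browser applies, rather than trying to enumerate bad characters one bypass at a time.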