FirstBlood-#63Open redirect on logout
This issue was discovered on FirstBlood v1



On 2021-05-09, 0xSaltyHash Level 3 reported:

Summary:

The ?ref= parameter on /drpanel/logout endpoint is vulnerable to open redirect, normally if you try and go to http://firstbloodhackers.com:<PORT>/drpanel/logout.php?ref=https://google.com/ you get redirected to an invalid page so i tried prepending // to the redirect uri and finally i got a redirect to different origin.

POC:

http://firstbloodhackers.com:<PORT>/drpanel/logout.php?ref=//https://google.com/.

P4 Low

Endpoint: /drpanel/logout.php?ref=

Parameter: ref=

Payload: http://firstbloodhackers.com:<PORT>/drpanel/logout.php?ref=//https://google.com/


FirstBlood ID: 1
Vulnerability Type: Open Redirect

There is an open url redirect vulnerability on /logout.php. The code expects it to start with / and does not allow to redirect to external domains but this can be bypassed.