FirstBlood-#831 Open Redirect at Doctor Panel
This issue was discovered on FirstBlood v2

On 2021-10-29, mrrootsec Level 2 reported:

Hello Zseano, hope you are doing well.


When logging out a doctor, the application does not properly validate the redirection. When the ref parameter value is changed, the application processes it without any restrictions.

Steps to Reproduce the issue:

  1. Navigate to

  2. Login with Valid Credentials as a Doctor

  3. Now choose Securely Signout, capture this request in Burp Suite and add this payload to the ref parameter

  4. The application processes it and the response will look like the one below, Location:

Impact:

  1. As an attacker I can redirect the user to a malicious domain and can do malicious things

Remediation / Fix:

  1. When necessary, avoid using user-controllable data in URLs and carefully sanitise it
  2. Sanitize input by creating a list of trusted URLs (Allow only whitelisted approach)
  3. Force all redirects to go through a page that informs users that they are leaving your site.

References:


Thanks and Regards


P4 Low

Endpoint: /drpanel/logout.php

Parameter: ?ref

Payload: /%09/

FirstBlood ID: 18
Vulnerability Type: Open Redirect

The open redirect on logout.php was fixed, but the code still failed to filter out certain characters such as %09 (a tab), so the endpoint remained vulnerable to open redirect. This vulnerability only affects Chrome.
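The remediation list above and the fix note both come down to one question: what should a logout handler accept in `ref`? The block below is an added example written for this page, not FirstBlood's own code, and the landing page `/drpanel/` is a placeholder since the page does not name it. It shows a naive check of the kind that only blocks `//` and `://` (which still lets `/%09/host` through) next to a hardened check that percent-decodes the value, rejects control and whitespace characters and backslashes, and accepts only a plain absolute path on the same origin. The tab case matters because browsers that follow the WHATWG URL parser strip ASCII tab, LF and CR before parsing, so `/<tab>/host` is fetched as the protocol-relative `//host`.

```python
"""Redirect-target validation for a logout handler (constructed example)."""
from typing import Optional
from urllib.parse import unquote, urlsplit

# Placeholder: the page does not name the post-logout landing page.
DEFAULT_AFTER_LOGOUT = "/drpanel/"


def naive_redirect_target(ref: str) -> str:
    """A typical first 'fix': block only what the obvious probes look like.

    "/%09/evil.example" passes this check, yet Chrome drops the tab and
    follows it as "//evil.example".
    """
    if ref.startswith("//") or "://" in ref:
        return DEFAULT_AFTER_LOGOUT
    return ref


def safe_redirect_target(ref: Optional[str]) -> str:
    """Return a same-origin redirect target, or the default landing page.

    Accept only a plain absolute path: a single leading '/', no scheme,
    no authority, no control or whitespace characters, no backslashes.
    """
    if not ref:
        return DEFAULT_AFTER_LOGOUT

    # Decode repeatedly (bounded) so a double-encoded "%2509" cannot slip
    # past a check that only looks at the raw query-string value.
    decoded = ref
    for _ in range(3):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt

    # Reject ASCII control characters, space and DEL. This is the check the
    # fix note says was missing: tab/newline are silently removed by browsers,
    # turning "/\t/host" into "//host". It must run before urlsplit(), which
    # in current Python versions also strips those characters.
    if any(ord(c) < 0x21 or ord(c) == 0x7F for c in decoded):
        return DEFAULT_AFTER_LOGOUT

    # Browsers treat '\' as '/' for http(s) URLs, so "/\host" is "//host".
    if "\\" in decoded:
        return DEFAULT_AFTER_LOGOUT

    # Exactly one leading slash: "//host" is a protocol-relative URL,
    # and a relative path like "drpanel/" is ambiguous, so both are refused.
    if not decoded.startswith("/") or decoded.startswith("//"):
        return DEFAULT_AFTER_LOGOUT

    # Belt and braces: the parsed form must have neither scheme nor host.
    parts = urlsplit(decoded)
    if parts.scheme or parts.netloc:
        return DEFAULT_AFTER_LOGOUT

    return decoded


if __name__ == "__main__":
    # Constructed sample values a logout handler might receive in ?ref=
    samples = [
        "/drpanel/index.php?x=1",
        "/%09/evil.example",
        "/%2509/evil.example",
        "//evil.example",
        "https://evil.example",
        "/\\evil.example",
        "drpanel/",
        "",
    ]
    for s in samples:
        print(f"{s!r:28} naive -> {naive_redirect_target(s)!r:28} "
              f"safe -> {safe_redirect_target(s)!r}")
```

The hardened function returns the default instead of raising so the logout itself always completes; the handler should then emit `Location: ` with the returned value and nothing else from the request.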