FirstBlood-#833[BYPASS] Open URL Redirect on /drpanel/logout.php
This issue was discovered on FirstBlood v2

On 2021-10-29, buraaq Level 2 reported:

Hello zseano,


I have found a bypass to the Open redirect on /drpanel/logout.php?ref=.

Bypass filter

As we look at last hackevent's payload //https:\/\/ Patrice has tried to filter two consecutive // to avoid OR but it can be bypassed easily by tab char %09, but the browser ignores it and joins them.

Payload "/%09/" ---> / / ---> //

Steps to reproduce
  1. As a logged in Doctor, click on the securely sign out button to logout.
  2. Notice the endpoint has a ref variable.
  3. If you submit the following payload, the application will redirect the user to the url provided by the payload:


A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. This simplifies phishing attacks.

Kind regards,


P4 Low

Endpoint: /drpanel/logout.php

Parameter: ref


FirstBlood ID: 18
Vulnerability Type: Open Redirect

The open redirect bug on logout.php was fixed but the code still failed to filter out certain characters such as %09 and thus the endpoint is still vulnerable to open redirect. This vulnerability only affects chrome.