Find Your First Bug — #2 Open Redirect

SAFARAS K A
3 min read · Sep 16, 2020

Let’s learn to hack with open redirect.

After the first post of the Find Your First Bug series I got such good responses that it made me want to write more. Haha, so let’s get straight into the subject.

According to PortSwigger, open redirect is described as: “Open redirection vulnerabilities arise when an application incorporates user-controllable data into the target of a redirection in an unsafe way. An attacker can construct a URL within the application that causes a redirection to an arbitrary external domain. This behavior can be leveraged to facilitate phishing attacks against users of the application. The ability to use an authentic application URL, targeting the correct domain and with a valid SSL certificate (if SSL is used), lends credibility to the phishing attack because many users, even if they verify these features, will not notice the subsequent redirection to a different domain.”

In simple words, you may have seen websites with links, buttons or other elements that redirect us to another page or website when we click them. If we can change the value of the redirection URL, it is called an open redirect. So it’s simple to exploit and make a POC. Remember to look at the vulnerabilities the program accepts, because some won’t pay you for open redirect. It does not have a big impact. According to the Bugcrowd VRT it is classified as

open redirect severity assessment

P5 bugs are considered very low findings, with only a 5–10% chance of getting paid, but P4 will mostly pay you.

This is what a GET-based open redirect looks like:

http://domain.com/redirect_to:http://another-domain.com

You won’t see the parameter redirect_to on every redirect path. Many parameters are used; the most common ones that take a URL to redirect to are given below.

credits: https://twitter.com/lutfumertceylan

Open redirect works on URL parameters, and on parameters that take a URI too. For example:

http://victim.com/next=http://example.com (there is a chance of open redirect)

http://victim.com/next=index.php (there is also a chance of open redirect; you just change the value of next to http://attacker.com)

So try every parameter and maybe one works. This is always considered a low finding, but I thought this may help noobs like me to test first.
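The defensive counterpart to the two next= cases above, as an added example that is not from the original post: a server-side check that only lets a redirect parameter point to a same-site path or an allowlisted host. The function names, `ALLOWED_HOSTS` and the sample values are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumption: the hosts this application may redirect to (constructed values).
ALLOWED_HOSTS = {"victim.com", "www.victim.com"}


def safe_redirect_target(target, default="/"):
    """Return target if it is a same-site path or an allowlisted host, else default."""
    if not target:
        return default
    # Browsers treat "\" like "/" in http(s) URLs, so normalise before checking.
    cleaned = target.strip().replace("\\", "/")
    # Tabs and newlines are dropped by browsers when parsing URLs;
    # refuse every control character outright.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in cleaned):
        return default
    # "//host" is scheme-relative: it leaves the site even though it has no scheme.
    if cleaned.startswith("//"):
        return default
    try:
        parts = urlsplit(cleaned)
    except ValueError:  # malformed authority, e.g. an unclosed "["
        return default
    if not parts.scheme and not parts.netloc:
        return cleaned  # relative reference such as index.php or /account
    # Compare the parsed hostname, not a substring, so userinfo ("a@b") and
    # look-alike suffixes ("victim.com.example") cannot satisfy the check.
    if parts.scheme in ("http", "https") and parts.hostname in ALLOWED_HOSTS:
        return cleaned
    return default


def check_samples():
    """Run the validator over constructed values of a next= parameter."""
    samples = [
        "index.php",
        "http://victim.com/home",
        "http://attacker.com",
        "//attacker.com",
        "http://victim.com@attacker.com/",
    ]
    return {s: safe_redirect_target(s) for s in samples}
```

Only the first two constructed samples come back unchanged; every other value falls back to the default path.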

There are many ways to make the impact higher, such as turning the open redirect into reflected XSS or stealing OAuth keys with it. Check those out, and try to chain your open redirect with other bugs for a better finding. You will get a lot of results when you just google “Open redirect chain”. Check out the HackerOne reports given below to get an idea:

  1. https://hackerone.com/reports/504751
  2. https://hackerone.com/reports/311330
  3. https://hackerone.com/reports/753399
  4. https://hackerone.com/reports/683298
  5. https://github.com/payloadbox/open-redirect-payload-list

If you like this post, feel free to share it with your friends.

Check out my other posts https://medium.com/@iamj0ker

Ping me on twitter https://twitter.com/iam_j0ker
