FirstBlood-#15 — Open URL redirection
This issue was discovered on FirstBlood v1
On 2021-05-09, d20s84 Level 3 reported:
Summary:
Open URL Redirection is active on the above submitted endpoint.
Steps:
- Log in to /login.php using the provided credentials.
- Click on securely logout and intercept the request.
- Provide the payload /\/\evil.com to the vulnerable parameter ?ref=
- Forward the request and boom, the redirection follows to the provided URL.
Impact:
An attacker can redirect the victim to a desired malicious web page.
P4 Low
Endpoint: /drpanel/logout.php?ref=/\/\evil.com
Parameter: ref=
Payload: /\/\evil.com
FirstBlood ID: 1
Vulnerability Type: Open Redirect
There is an open URL redirect vulnerability on /logout.php. The code expects the value to start with / and does not allow redirects to external domains, but this can be bypassed.
Creator & Administrator
Nice work d20s84 :) Enjoy the bounty!
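The following is an added example, not FirstBlood's code: it shows why a "starts with /" check on `ref` accepts the reported payload while a browser resolves it to another host, next to a stricter validator. `APP_ORIGIN`, the function names, the `/login.php` fallback and the reconstruction of the weak check are assumptions made for illustration.

```javascript
// Added example. APP_ORIGIN is a placeholder origin, not the real target.
const APP_ORIGIN = "https://firstblood.example";

// Assumed shape of the weak check: local if it starts with "/" but not "//".
function naiveIsLocal(ref) {
  return typeof ref === "string" && ref.startsWith("/") && !ref.startsWith("//");
}

// Origin a WHATWG-compliant URL parser (browsers, Node) resolves `ref` to
// when it arrives as a Location header value on a page served from APP_ORIGIN.
function resolvedOrigin(ref) {
  try {
    return new URL(ref, APP_ORIGIN).origin;
  } catch {
    return null;
  }
}

// Hardened check: refuse backslashes and control characters, require a
// single leading slash, then confirm the parsed result stays on our origin.
function safeRedirectTarget(ref, fallback = "/login.php") {
  if (typeof ref !== "string") return fallback;
  if (/[\\\u0000-\u001f\u007f]/.test(ref)) return fallback;
  if (!ref.startsWith("/") || ref.startsWith("//")) return fallback;
  let url;
  try {
    url = new URL(ref, APP_ORIGIN);
  } catch {
    return fallback;
  }
  if (url.origin !== APP_ORIGIN) return fallback;
  // Re-serialise from the parsed URL so only path, query and fragment remain.
  return url.pathname + url.search + url.hash;
}

// Constructed sample inputs; the second is the payload from the report.
const samples = ["/drpanel/index.php", "/\\/\\evil.com", "//evil.com"];
for (const ref of samples) {
  console.log(JSON.stringify(ref), {
    naive: naiveIsLocal(ref),
    resolvesTo: resolvedOrigin(ref),
    safeTarget: safeRedirectTarget(ref),
  });
}
```

The URL parser treats `\` like `/` for http and https URLs, so the payload is read as a scheme-relative URL even though the string never contains `//`.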