FirstBlood-#564 — Open redirect inside drpanel/logout.php endpoint
This issue was discovered on FirstBlood v2
On 2021-10-26, neolex Level 2 reported:
Description
There is an open redirect inside the following URL: https://8745a5db48cf-neolex.a.firstbloodhackers.com/drpanel/logout.php?ref=/%09/evil.com
The value of ref is reflected inside the Location header.
The payload must start with / but // (two slashes) is filtered; you can bypass this filter by adding a tab (%09) between both slashes.
So, using the following payload: /%09/evil.com
the attacker can redirect the user to evil.com
Steps to reproduce
- Open the following URL: https://8745a5db48cf-neolex.a.firstbloodhackers.com/drpanel/logout.php?ref=/%09/evil.com
- You are redirected to evil.com
Impact
The impact of this open redirect is that an attacker can redirect the user to another website.
It can be useful for phishing.
P4 Low
Endpoint: /drpanel/logout.php
Parameter: ref
Payload: /%09/evil.com
FirstBlood ID: 18
Vulnerability Type: Open Redirect
The open redirect bug on logout.php was fixed, but the code still failed to filter out certain characters such as %09, and thus the endpoint is still vulnerable to open redirect. This vulnerability only affects Chrome.