FirstBlood-#134 — Open redirect on /drpanel/logout.php
This issue was discovered on FirstBlood v1
On 2021-05-10, 0xblackbird Level 5 reported:
Getting started
Learn about vulnerability types 
Getting started in bug bounties 
Test your knowledge
Free Web Application Challenges
Guides for your hunts 
ZSeano's Methodology
Effective Note Taking for bug bounties
Useful Resources 
Disclosed HackerOne Reports 
Our community
Endorsed Members
Hackevents 
Member Articles
Hello! I found an open redirect on logout.php. So far, I wasn't unfortunately been able to escalate it unfortunately. But if I do find another way to escalate this issue, I will make sure to update this report.
Proof of concept url
http://firstbloodhackers.com:49422/drpanel/logout.php?ref=/\/example.com
Steps to reproduce
- Visit the proof of concept url,
/drpanel/logout.php?ref=/\/example.com
- You'll see that it will redirect us to https://example.com . This happend because the filter checks for several things but not the host.
Have a nice day!
P4 Low
Endpoint: /drpanel/logout.php
Parameter: ref
Payload: /\/example.com
FirstBlood ID: 1
Vulnerability Type: Open Redirect
There is an open url redirect vulnerability on /logout.php. The code expects it to start with / and does not allow to redirect to external domains but this can be bypassed.