FirstBlood-#718 — Open redirect by logout.php
This issue was discovered on FirstBlood v2
On 2021-10-27, newrouge Level 3 reported:
Hey, I found that the endpoint /drpanel/logout.php?ref= is still vulnerable to open redirect.
The developer seems to have made some fixes to stop the redirect, but it's still vulnerable to open redirect via bypasses.
Payloads like \/\/google.com are filtered, unlike last time, but /%09/google.com bypasses the filter.
Send this URL https://07fd5a4e51cb-newrouge.a.firstbloodhackers.com/drpanel/logout.php?ref=%2f%0d%2fgoogle.com to the victim and they will be redirected to google.com.
PS: This payload works fine on Chrome, Chromium, Brave and IE, but **not on Firefox**.
Thanks
newrouge
P4 Low
Endpoint: /drpanel/logout.php?ref=/%09/example.com
Parameter: ?ref=
Payload: /%09/example.com
FirstBlood ID: 18
Vulnerability Type: Open Redirect
The open redirect bug on logout.php was fixed, but the code still failed to filter out certain characters such as %09, and thus the endpoint is still vulnerable to open redirect. This vulnerability only affects Chrome.
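The reason a "strip `//`" style fix still loses to `/%09/google.com` is the browser side: a WHATWG-conformant URL parser removes ASCII tab, CR and LF from the input before parsing, so a Location header of `/<TAB>/google.com` is read as the scheme-relative `//google.com`. The following is an added example, not FirstBlood's logout.php source; the blocklist `naive_filter` is a hypothetical reconstruction of such a fix, `browser_normalize` is an approximation of the parser's preprocessing (not a full URL parser), `DEFAULT_AFTER_LOGOUT` is an assumed landing page, and the payload list is taken from the report plus one legitimate same-site path. `safe_local_redirect` shows the allowlist check that closes the class of bypass rather than the single character.

```python
"""
Why a blocklist fix to logout.php?ref= is bypassed by /%09/host, and an
allowlist validator that is not. Added example, not the project's own code.
"""
from urllib.parse import unquote, urlsplit

DEFAULT_AFTER_LOGOUT = "/drpanel/"   # assumed landing page, not from the report

# Values of ?ref= quoted in the report, plus one legitimate same-site target.
REPORT_PAYLOADS = [
    "//google.com",          # blocked by the first fix
    "\\/\\/google.com",      # i.e. \/\/google.com, blocked by the second fix
    "/%09/google.com",       # TAB: bypasses the blocklist in Chromium-based browsers
    "/%0d/google.com",       # CR: the variant used in the reporter's PoC URL
    "/drpanel/index.php",    # legitimate same-site target that must keep working
]


def browser_normalize(location: str) -> str:
    """Approximate WHATWG URL preprocessing of a Location value: trim
    leading/trailing C0 controls and spaces, then remove every ASCII tab,
    LF and CR wherever it appears. Enough to show the bypass, not a parser."""
    c0_and_space = "".join(chr(c) for c in range(0x21))
    trimmed = location.strip(c0_and_space)
    return "".join(ch for ch in trimmed if ch not in "\t\n\r")


def redirect_host(location: str) -> str:
    """Host the browser lands on for a Location value ('' means same site)."""
    return urlsplit(browser_normalize(location)).netloc


def naive_filter(ref: str) -> str:
    """Hypothetical blocklist (assumed, not the real logout.php): rejects the
    literal scheme-relative prefixes and absolute URLs, never inspects
    control characters."""
    if ref.startswith("//") or ref.startswith("\\/\\/") or "://" in ref:
        return DEFAULT_AFTER_LOGOUT
    return ref


def naive_redirect_host(raw_ref: str) -> str:
    """End to end: PHP decodes $_GET['ref'] once, the blocklist runs, the
    browser follows the Location header. Returns the host actually reached."""
    return redirect_host(naive_filter(unquote(raw_ref)))


def safe_local_redirect(raw_ref: str, default: str = DEFAULT_AFTER_LOGOUT) -> str:
    """Allowlist: accept ref only if, after full decoding, it is a plain
    absolute path on this site. Anything else falls back to `default`."""
    decoded = unquote(unquote(raw_ref))          # second pass defeats %25xx double encoding
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in decoded):
        return default                           # browser would strip TAB/CR/LF (the %09 bypass)
    if "\\" in decoded:
        return default                           # Chromium treats '\' as '/' in this position
    if not decoded.startswith("/") or decoded.startswith("//"):
        return default                           # must be absolute-path, not scheme-relative
    parts = urlsplit(decoded)
    if parts.scheme or parts.netloc:
        return default                           # belt and braces: no authority component
    return raw_ref                               # validated; echo back the original form


if __name__ == "__main__":
    print(f"{'ref (raw)':22} {'naive -> host':16} safe_local_redirect")
    for payload in REPORT_PAYLOADS:
        host = naive_redirect_host(payload) or "(same site)"
        print(f"{payload:22} {host:16} {safe_local_redirect(payload)}")
```

The contrast is the point: `naive_filter` passes `/<TAB>/google.com` because it does not start with `//` on the server, yet the browser ends up on google.com; the allowlist rejects every control character outright and additionally requires a single leading slash, so the decision no longer depends on which characters each browser happens to strip.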