In one private program on Bugcrowd I came across three different ways to get an open redirect on the same endpoint.
The first was an effortless open redirect, shown below, which I reported to the company.
They marked the bug as "Triaged" and "Unresolved". After a while they marked it "Resolved", rewarded me,
and asked me to check their fix. While checking it I noticed a bypass using the backslash (\) character, as follows.
First I tried adding a subdomain that contains a forward slash (/), like this:
mert.ninja/.companyx.com. That was not successful, because they were checking the characters of the subdomain and blocked the forward slash. They did not block a backslash in the subdomain, though. (Trick: in http and https URLs browsers treat a backslash the same as a forward slash, so the browser reads mert.ninja\.companyx.com as the host mert.ninja followed by the path /.companyx.com, while a server-side check that only looks at the string still sees a "subdomain" of companyx.com.)
I reported it again and they replied as follows.
Hi Mert, I really appreciate you taking a look at this submission to check the fix. You are right that the fix wasn't complete. We'll be pushing a fix.
After a while they marked it "Resolved" again and I started tampering with it again. I spent about 15 minutes and thought it was fixed, but then I came across a bug in this fix and bypassed it again, as follows.
If I added anything in front of the domain, the open redirect worked again, which means the check accepted any host that merely ends with companyx.com. So an attacker can register a domain like
attacker-companyx.com and still use it for a phishing attack. I reported this technique to them again and they replied as follows.
Sure enough. Thanks again. You're definitely gonna get an invite to our always-on program :). Appreciate the retest!
Sounds good, nice community! #bugbounty
(Maybe it's over, maybe it's not yet.)
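The three checks described above, modelled side by side, as an added example that is not code from the original post or from the company's fix. The domain companyx.com, the probe URLs and all function names are assumptions; the point is that the first fix rejects "/" but not "\", the second accepts any host that merely ends in companyx.com, and a check that parses the target with the same WHATWG URL rules the browser uses and compares the hostname with a dot boundary survives all three probes.

```javascript
// Added example (not from the original post): weak redirect-target checks
// beside a hardened one. Domain, URLs and names are hypothetical.

const TRUSTED = "companyx.com";

// Where a browser would actually send the user. Node's URL class follows the
// WHATWG URL standard, so for http(s) a backslash ends the host like "/".
function browserHost(target) {
  try {
    return new URL(target, "https://" + TRUSTED + "/").hostname;
  } catch {
    return null;
  }
}

// Fix 1 (as bypassed with "\"): take the text before ".companyx.com" as the
// subdomain and reject a forward slash in it. A backslash is not rejected.
function acceptIfSubdomainHasNoSlash(target) {
  const afterScheme = target.replace(/^https?:\/\//i, "");
  const end = afterScheme.indexOf("." + TRUSTED);
  if (end < 0) return false;
  const subdomain = afterScheme.slice(0, end);
  return !subdomain.includes("/");
}

// Fix 2 (as bypassed with a prefix): cut the host at the first "/", "\", "?"
// or "#", then require it to end with companyx.com. No dot boundary, so
// "attacker-companyx.com" passes.
function acceptIfHostEndsWithDomain(target) {
  const afterScheme = target.replace(/^https?:\/\//i, "");
  const host = afterScheme.split(/[\/\\?#]/)[0];
  return host.endsWith(TRUSTED);
}

// Hardened check: parse with the browser's rules, resolve relative targets
// against our own origin, require https, and compare the whole hostname
// (exact match or ".companyx.com" suffix). Unparseable input is rejected.
function acceptIfTrustedHost(target) {
  let url;
  try {
    url = new URL(target, "https://" + TRUSTED + "/");
  } catch {
    return false;
  }
  if (url.protocol !== "https:") return false;
  const host = url.hostname;
  return host === TRUSTED || host.endsWith("." + TRUSTED);
}

// Constructed probes: one legitimate target and the bypasses from the post.
const PROBES = [
  "https://www.companyx.com/account",
  "https://mert.ninja/.companyx.com",
  "https://mert.ninja\\.companyx.com",
  "https://attacker-companyx.com/login",
  "https://companyx.com.mert.ninja/",
  "//mert.ninja/",
  "/account",
];

for (const p of PROBES) {
  console.log(
    p.padEnd(40),
    "browser ->", String(browserHost(p)).padEnd(22),
    "fix1:", acceptIfSubdomainHasNoSlash(p),
    "fix2:", acceptIfHostEndsWithDomain(p),
    "hardened:", acceptIfTrustedHost(p)
  );
}
```

The hardened check only works because the server parses the target with the same rules the browser applies; a parser that keeps "\" inside the host (Python's urllib.parse, for instance, leaves mert.ninja\.companyx.com as the netloc) would accept the backslash probe even with a correct hostname comparison. Allow-listing exact paths or redirect IDs instead of free-form URLs avoids the problem entirely.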