in one private program on bugcrowd, i came across three different methods for the same open redirect bug.
the first one is an effortless open redirect vulnerability, as follows, and i reported it to the company.
then they marked the bug as "triaged" and "unresolved". after a while they marked it as "resolved" and rewarded me.
they also asked me to check their fix. while checking it, i noticed a bypass technique using the backslash (\) character, as follows.
first i tried adding a subdomain that includes a forward slash (/) character, like this:
mert.ninja/.companyx.com, but it was not successful, because they were checking the subdomain's characters and blocked me for the forward slash. but they didn't block me when i used a backslash character in the subdomain. (trick: browsers convert a backslash to a forward slash when they see one in a URL.)
then i reported it again and they replied as follows.
Hi Mert, I really appreciate you taking a look at this submission to check the fix. You are right that the fix wasn't complete. We'll be pushing a fix.
after a while they marked it as "resolved" and i started tampering with it again. i spent ~15 minutes and thought it was fixed, but then i came across a flaw in this prevention and bypassed it again successfully, as follows.
if i added anything to the beginning of the domain, the open redirect worked again. so an attacker can register a domain like
attacker-companyx etc. and still use it for a phishing attack. i reported this technique to them again and they replied as follows.
Sure enough. Thanks again. You're definitely gonna get an invite to our always on program:). Appreciate the retest!
it sounds good, nice community! #bugbounty
(maybe it's over, maybe it's not yet.)
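as an added example that is not the program's or the author's code: a substring-style redirect check in the spirit of the fixes described above, next to a check that parses the URL and compares the real host, run over constructed URLs shaped like the three bypasses. `companyx.com` and the sample URLs are assumptions, not values from the report.

```python
from urllib.parse import urlsplit

# "companyx.com" stands in for the target in the post (hypothetical name).
ALLOWED_HOST = "companyx.com"


def naive_is_safe(url: str) -> bool:
    """Substring-style check modelled on the fixes described in the post:
    the allowed domain must appear in the URL and the text before it
    (after the scheme) must not contain a forward slash."""
    idx = url.find(ALLOWED_HOST)
    if idx == -1:
        return False
    prefix = url[:idx].split("://", 1)[-1]   # drop "https://" if present
    return "/" not in prefix


def strict_is_safe(url: str) -> bool:
    """Parse the URL and compare the actual host against the allow-list."""
    # Browsers treat '\' as '/' in http(s) URLs, so never let one through.
    if "\\" in url:
        return False
    parts = urlsplit(url)
    if parts.scheme not in ("", "http", "https"):   # no javascript:, data:, ...
        return False
    host = (parts.hostname or "").rstrip(".").lower()
    if host == "":
        # Relative path on our own origin; "//evil.com" parses with a host,
        # so it does not reach this branch.
        return parts.path.startswith("/") and not parts.path.startswith("//")
    # Exact match or a real subdomain; "attacker-companyx.com" fails both.
    return host == ALLOWED_HOST or host.endswith("." + ALLOWED_HOST)


def compare(urls):
    """Return {url: (naive verdict, strict verdict)} for a list of URLs."""
    return {u: (naive_is_safe(u), strict_is_safe(u)) for u in urls}


if __name__ == "__main__":
    # Constructed sample inputs mirroring the three bypasses in the post.
    SAMPLES = [
        "https://companyx.com/account",
        "https://mert.ninja/.companyx.com",
        "https://mert.ninja\\.companyx.com",
        "https://attacker-companyx.com/login",
        "/settings",
    ]
    for url, verdict in compare(SAMPLES).items():
        print(f"{url:40} naive={verdict[0]!s:5} strict={verdict[1]}")
```

the naive check lets the backslash and prefix-domain URLs through exactly as the post describes, while the host-based check rejects both and still accepts the legitimate subdomain and relative path.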