A little open redirect bypass story


In one private program on Bugcrowd, I came across three different ways to trigger an open redirect on the same endpoint.

First

The first was a trivial open redirect, shown below, which I reported to the company.

https://companyx.com/redirect?url=http://mert.ninja

They marked the bug as "Triaged" and "Unresolved". After a while they marked it as "Resolved" and rewarded me.


Second

They also asked me to check their fix. While testing it I noticed a bypass using the backslash (\) character, as follows.

https://companyx.com/redirect?url=https://mert.ninja\.companyx.com

I first tried adding a subdomain containing a forward slash (/), like mert.ninja/.companyx.com, but that did not work: they were checking the characters in the subdomain and blocked the forward slash. They did not block a backslash in the subdomain, though. (Trick: browsers treat a backslash in the URL as a forward slash, so the browser ends the host at mert.ninja and the rest becomes the path.)

I reported it again and they replied as follows.

Hi Mert, I really appreciate you taking a look at this submission to check the fix. You are right that the fix wasn't complete. We'll be pushing a fix.


Third

After a while they marked it as "Resolved" and I started tampering with it again. After about 15 minutes I thought it was fixed, but then I found a flaw in the new check and bypassed it again, as follows.

https://companyx.com/redirect?url=https://mertcompanyx.com

If I prepended anything to the domain, the open redirect worked again: the check only verified that the host ended with companyx.com, not that it was companyx.com or one of its subdomains. So an attacker could register a domain such as attackercompanyx.com, attacker-companyx.com, etc. and still use it for phishing. I reported this technique to them again and they replied as follows.

Sure enough. Thanks again. You're definitely gonna get an invite to our always-on program :). Appreciate the retest!
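To make the second and third bypasses concrete, here is an added example (my own reconstruction, not the company's actual code) of a string-based redirect check that both tricks defeat, next to a check that normalises the URL the way a browser does and matches the host exactly. Only the hostnames companyx.com and mert.ninja come from the post; the validation logic itself is assumed.

```python
from urllib.parse import urlsplit

# Host the redirect endpoint is meant to stay on (from the post).
ALLOWED_HOST = "companyx.com"


def weak_is_safe(url: str) -> bool:
    """Assumed reconstruction of a string-based check: take everything after
    the scheme, refuse a '/' in it, and require the company domain as suffix."""
    authority = url.split("://", 1)[-1]
    if "/" in authority:                 # blocks mert.ninja/.companyx.com ...
        return False
    # ... but lets mert.ninja\.companyx.com and mertcompanyx.com through
    return authority.endswith(ALLOWED_HOST)


def browser_host(url: str) -> str:
    """Approximate the WHATWG URL parser used by browsers: in http(s) URLs a
    backslash is treated as a forward slash, so the host ends at the first
    '\\' or '/'. Returns the lower-cased host the browser would connect to."""
    parts = urlsplit(url.replace("\\", "/"))
    return (parts.hostname or "").lower()


def strict_is_safe(url: str) -> bool:
    """Hardened check: normalise like the browser, parse properly, then require
    the host to be exactly the allowed domain or a dot-separated subdomain."""
    parts = urlsplit(url.replace("\\", "/"))
    if parts.scheme.lower() not in ("http", "https"):
        return False
    host = (parts.hostname or "").lower()
    return host == ALLOWED_HOST or host.endswith("." + ALLOWED_HOST)


if __name__ == "__main__":
    # The three payloads from the post plus a legitimate target.
    for u in ("http://mert.ninja",
              "https://mert.ninja\\.companyx.com",
              "https://mertcompanyx.com",
              "https://login.companyx.com/account"):
        print(f"{u:40} weak={weak_is_safe(u)!s:5} "
              f"strict={strict_is_safe(u)!s:5} browser->{browser_host(u)}")
```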

Sounds good, nice community! #bugbounty

(Maybe it's over, maybe it isn't yet.)