a little open redirect bypass story


in one private program at bugcrowd, i came across three different ways to trigger the same open redirect bug.

first

this was a trivial open redirect vulnerability, as follows, and i reported it to the company.

https://companyx.com/redirect?url=http://mert.ninja

they marked the bug as "triaged" and "unresolved". after a while they marked it "resolved" and rewarded me.


second

they also asked me to check their fix. while checking it, i noticed a bypass using the backslash (\) char, as follows.

https://companyx.com/redirect?url=https://mert.ninja\.companyx.com

first i tried a subdomain containing a forward slash (/) char, like mert.ninja/.companyx.com, but it didn't work: they were checking the subdomain's chars and blocked the forward slash. they didn't block a backslash in the subdomain, though. (trick: browsers convert a backslash to a forward slash when they see one, so the browser resolves the host as mert.ninja and the ".companyx.com" part becomes the path.)

then i reported it again and they replied as follows.

Hi Mert, I really appreciate you taking a look at this submission to check the fix. You are right that the fix wasn't complete. We'll be pushing a fix.


third

after a while they marked it "resolved" and i started tampering with it again. i spent ~15 minutes and thought it was fixed, but then i found a bug in the new check and bypassed it again, as follows.

https://companyx.com/redirect?url=https://mertcompanyx.com

if i prepended anything to the domain, the open redirect worked again, so the check was evidently only matching the end of the hostname. an attacker could register a domain like attackercompanyx.com, attacker-companyx, etc. and still use it for a phishing attack. i reported this technique to them again and they replied as follows.

Sure enough. Thanks again. You're definitely gonna get an invite to our always on program :). Appreciate the retest!
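as an added example (my own code, not from the original post and not the program's actual fix), here is a python check that reproduces how the second and third fixes behaved, a plain suffix match on the text before the first forward slash, next to a validator that blocks all three payloads above. the allowlist, the sample url= values other than the three from the story, and the function names are assumptions.

```python
from urllib.parse import urlsplit

# constructed allowlist for the hypothetical companyx.com redirect endpoint
ALLOWED_HOSTS = {"companyx.com"}

# the three url= values from the story plus a few constructed controls
SAMPLES = {
    "first": "http://mert.ninja",
    "second": "https://mert.ninja\\.companyx.com",
    "third": "https://mertcompanyx.com",
    "legit": "https://app.companyx.com/dashboard",
    "relative": "/account",
    "lookalike": "https://companyx.com.mert.ninja",
}


def weak_is_allowed(url: str) -> bool:
    """Hypothetical reconstruction of the broken fix: take the text between
    the scheme and the first forward slash and require it to end with the
    company domain. It rejects the first payload but not the other two."""
    after_scheme = url.split("://", 1)[-1]
    host_part = after_scheme.split("/", 1)[0]
    return host_part.endswith("companyx.com")


def browser_host(url: str) -> str:
    """Host a browser actually connects to: for http(s) URLs browsers treat a
    backslash as a forward slash (WHATWG URL parsing), so the authority ends
    at the first backslash as well."""
    return (urlsplit(url.replace("\\", "/")).hostname or "").lower()


def is_safe_redirect(url: str, allowed=frozenset(ALLOWED_HOSTS)) -> bool:
    """Strict validator: same-site relative paths, or absolute http(s) URLs
    whose parsed hostname is an allowlisted domain or a real subdomain of one."""
    # a backslash never belongs in a redirect target; reject instead of guessing
    if "\\" in url:
        return False
    # relative path must start with exactly one slash ("//host" is scheme-relative)
    if url.startswith("/"):
        return not url.startswith("//")
    parts = urlsplit(url)
    if parts.scheme.lower() not in ("http", "https"):
        return False
    host = (parts.hostname or "").lower()
    if not host:
        return False
    # exact match or dot-bounded suffix match; "mertcompanyx.com" fails both
    return any(host == a or host.endswith("." + a) for a in allowed)


def evaluate(samples=SAMPLES):
    """Return {name: (weak_result, strict_result)} for every sample."""
    return {name: (weak_is_allowed(u), is_safe_redirect(u)) for name, u in samples.items()}


if __name__ == "__main__":
    for name, (weak, strict) in evaluate().items():
        print(f"{name:10s} weak={weak!s:5s} strict={strict}")
```

the point of `browser_host` is that the validator and the browser must agree on what the host is: the weak check sees `mert.ninja\.companyx.com` as one hostname, while the browser sees `mert.ninja` with a path of `/.companyx.com`. parsing the target properly and matching the hostname on a dot boundary closes both the backslash and the prefix tricks at once.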

it sounds good, nice community! #bugbounty

(maybe it's over, maybe it's not yet.)