Open redirects can be an easy source of bug bounty findings, provided you manage to find one. How do you find them and demonstrate their impact? Let's have a look:
(Before diving in, I would like to say that the information in this article is not meant to be abused for malicious purposes. I will not be responsible for any risks you take based on what you read in this article.)
What are open redirects?
Open redirects are redirections whose destination is taken from an address supplied in the URL. Having redirects is perfectly normal as long as they are filtered, i.e., the destination is checked so that it can't be tampered with; otherwise there is a possibility of redirecting the user to an undesirable site (which might be a phishing site! 🤯)
For example:
https://agreatandlegitsite.com/index.php?url=https://anotherlegitsite.com/
(sorry for the epically lame names 😆)
So what happens when you use this site is that it redirects you to the site set in the url parameter. In this case, that is https://anotherlegitsite.com/
What happens if we replace it with a malicious site? Let's say it looks just like the site the user expects to be redirected to, except it is not the original one. The user types in all their credentials and boom! That person's account is compromised 😵
For example:
https://agreatandlegitsite.com/index.php?url=https://fakelookalikesite.com/
Here https://fakelookalikesite.com/ is the phishing or fake website.
However, this can be prevented if the sites that may be redirected to are listed in a whitelist (an allow list), and the redirect parameter is checked against that list before the redirect is issued. This way we can prevent misuse of the redirection feature.
Let’s have a look at the following URL:
https://agreatandlegitsite.com/login.php?url=https://anotherlegitsite.com/&client=2EFE24J3J3N3N2M
Hmm.. what does the second parameter, client, mean exactly? In this example, it means that the site in question is using some sort of user auth token to decide whether the redirection will occur or not. If we can't log in or don't have enough privileges, we will not be able to use the redirection anyway.
There can be an array of params strung together with & in the URL. Other than the auth or redirect parameters, the others aren't that relevant to our case.
Now let's have a look at another URL:
https://agreatandlegitsite.com/login.php?url=https%3A%2F%2Fanotherlegitsite.com%2F&client%3D2EFE24J3J3N3N2M
Here everything is URL encoded. In cases like this, if you're putting sites into the redirection param, make sure they are URL encoded, since the server will decode the parameter before using it. You can find URL-encoding sites easily on the web. Burp also has a feature for it in the Decoder tab, and CyberChef can do it as well.
I hope you found the article useful, and that you might find some bugs in online sites and report them to bug bounty programs. Cheers 🍻
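To show what the whitelist check described earlier and the URL-decoding step just mentioned look like on the server side, here is an added example (my own code, not from the article or from any real site): a small Python validator that extracts the redirect parameter from a request URL, decodes it, and only permits absolute https destinations whose hostname is on a fixed allow list. The allowed hostname, the parameter name `url` and the sample request URLs are assumptions constructed from the article's example URLs.

```python
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Allow list of hosts the redirect may send users to.
# Constructed for this example from the article's hostnames.
ALLOWED_HOSTS = frozenset({"anotherlegitsite.com"})


def extract_redirect_target(request_url: str, param: str = "url") -> Optional[str]:
    """Return the decoded value of the redirect parameter in a full request URL.

    parse_qs performs the percent-decoding, so the plain form
    (url=https://anotherlegitsite.com/) and the URL-encoded form
    (url=https%3A%2F%2Fanotherlegitsite.com%2F) yield the same target.
    """
    query = urlsplit(request_url).query
    values = parse_qs(query).get(param)
    return values[0] if values else None


def is_allowed_redirect(target: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Accept the target only if it is an absolute https URL whose host is allow-listed.

    The comparison is done on the parsed scheme and hostname, not on the raw
    string, so a lookalike domain such as fakelookalikesite.com is rejected
    simply because it is not in the set. urlsplit().hostname is already
    lower-cased and has any port stripped.
    """
    try:
        parts = urlsplit(target)
    except ValueError:
        return False
    if parts.scheme != "https":
        return False
    host = parts.hostname
    if not host:
        return False
    return host in allowed_hosts


def resolve_redirect(request_url: str, fallback: str = "/") -> str:
    """Choose the Location value for a request: the validated target, or a safe fallback."""
    target = extract_redirect_target(request_url)
    if target is not None and is_allowed_redirect(target):
        return target
    return fallback


if __name__ == "__main__":
    # Constructed sample requests based on the article's example URLs.
    samples = [
        "https://agreatandlegitsite.com/index.php?url=https://anotherlegitsite.com/",
        "https://agreatandlegitsite.com/index.php?url=https://fakelookalikesite.com/",
        "https://agreatandlegitsite.com/login.php?url=https%3A%2F%2Fanotherlegitsite.com%2F&client%3D2EFE24J3J3N3N2M",
    ]
    for request in samples:
        print(request, "->", resolve_redirect(request))
```

The key design choice is that the allow list is matched against the parsed hostname rather than by searching the raw parameter for an expected string; anything that does not parse as an absolute https URL with a listed host falls back to a local path instead of being passed through.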
Support me at: https://www.buymeacoffee.com/h4kr ✨