This time I am going to write up an open redirect bug I found in a private program. The bug itself was a low-hanging fruit, but the process of reporting it is funny enough.
First, lets’ talk about the bug itself. ?
Let’s call the domain example.com. I got myself started by registering an account and poking around. Then I found an URL :
“Time to test for open redirect.” I told myself.
I didn’t expect anything, instead I just gave it a try and see what would happen. Then my url bar became
and my browser throws error message to me.
That was the moment I knew that I can exploit it. The value of the second next parameter was not filtered as the first one did. %2C is just a comma, so the mechanism of example.com handling this request is basically joining two next with a comma without filtering the second one.
So what if I do it in this way?
Note that there is a “@” in the second parameter now. So ends up example.com will redirect me to https://example.com,@google.com, which is in fact going to google.com. So a successful open redirect for me to report now. (I have tried to dig deeper and leverage it to more severe bug, bug I failed ? )
On the second day, I was told that it was a duplicate and the bug was fixed. ? . But a thought came into my mind: Why don’t you check if they have TOTALLY fixed it ? Maybe they have made some other mistakes during fixing!
So I go for a check. I tried a lots of payloads on the login URL as above, but I could not exploit it anymore. I started to convince myself that they have fixed it well and no more open redirect bugs for me.
Wait, “no more open redirect bugs”? I can check other endpoints for open redirect bugs!
So, instead of the login page (which is fixed), I tried on the signup page like:
and I succeed!
So the conclusion is, their developers forgot the signup page when they were fixing the login page.
Then I got the bounty. Developers are lazy, or maybe just busy.
Bounty rewarded : $150
*Remarks: The bug bounty hunter who found the login page bug before me, he forgot to check for the same bug on the signup page too. LOLLL. Hunters are lazy too!
[Open redirect] Developers are lazy(or maybe busy) was originally published in InfoSec Write-ups on Medium, where people are continuing the conversation by highlighting and responding to this story.[Open redirect] Developers are lazy(or maybe busy)
InfoSec Write-ups – Medium