Open Redirect >> XSS
How I found Open Redirect which could be escalated to XSS and potential Account takeover
I was hunting for IDORs for a really long time on this particular target, but it was quite secure against IDOR. I was trying to perform an unauthenticated action on one account from another account to get horizontal privilege escalation through IDOR, but it redirected me to the login page to confirm authentication.
However, I noticed that the login URL looked something like: https://target.com/login?next=/endpoint
So now I had a new parameter to test. I started the XSS automation in the background on this endpoint, then started testing for Open Redirect.
On logging in through https://target.com/login?next=https://google.com it was not redirecting, but on logging in through https://target.com/login?next=/profile it redirected to the user profile.
This means that whitelisting is being used, i.e. redirection is only allowed to *.target.com. I did some research on how to bypass such restrictions. Then I came to my all-time favorite repository for payloads:
I tried these whitelist-bypass techniques one by one, and after many tries I logged in using: https://target.com/login?next=\/\/google.com/ As soon as I logged in, it redirected me to google.com
The significance of "\/\/" is that the browser's URL parser treats a backslash as a forward slash for http(s) URLs, so "\/\/google.com/" is resolved as "//google.com/", a protocol-relative URL pointing at an external host, while a server-side check that only looks for a leading "//" or "http" sees a harmless-looking value that starts with "\".
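To make the parsing difference concrete, here is an added example (not part of the original writeup, and not the target's code) that models a naive "next" allow-list of the kind described above, shows where a browser actually lands for each value, and contrasts it with a same-origin check that resolves the value exactly as the browser will before trusting it. It runs under Node.js, whose global URL follows the same WHATWG parsing rules as browsers; SITE_ORIGIN and the naive check are assumptions, and the sample inputs are constructed.

```javascript
// Added example, not code from the writeup or from the target. It shows why a
// "\/\/host" value slips past a prefix-based allow-list and how resolving the
// value with the WHATWG URL parser (Node's global URL) closes the gap.
const SITE_ORIGIN = "https://target.example"; // assumed placeholder for the real site

// Assumed reconstruction of the kind of allow-list the writeup describes: it
// rejects absolute URLs and protocol-relative "//host" values by inspecting
// only the leading characters, so a leading backslash is never noticed.
function naiveNextCheck(next) {
  if (/^[a-z][a-z0-9+.-]*:/i.test(next)) return false; // "https://...", "javascript:..."
  if (next.startsWith("//")) return false;              // protocol-relative URL
  return true;                                          // everything else looks "local"
}

// Where the user's browser really ends up: resolve "next" against the login
// page the same way the browser resolves a Location header.
function browserLandsOn(next) {
  return new URL(next, SITE_ORIGIN + "/login").href;
}

// Hardened check: resolve first, then require the result to stay on our origin,
// and re-emit only the path and query rather than echoing the caller's string.
// Returns null when the value must be discarded (fall back to a default page).
function safeNext(next) {
  let resolved;
  try {
    resolved = new URL(next, SITE_ORIGIN + "/login");
  } catch {
    return null; // unparseable input
  }
  if (resolved.origin !== SITE_ORIGIN) return null; // external host or "null" origin
  return resolved.pathname + resolved.search;
}

// Constructed inputs: the cases from the writeup plus two close variants.
const SAMPLES = [
  "/profile",
  "https://google.com",
  "//google.com",
  "\\/\\/google.com/",      // the JS literal for \/\/google.com/
  "javascript:alert(1)",
];

function report() {
  return SAMPLES.map((next) => ({
    next,
    naiveAllows: naiveNextCheck(next),
    browserLandsOn: browserLandsOn(next),
    hardened: safeNext(next),
  }));
}

if (typeof require !== "undefined" && require.main === module) {
  console.table(report());
}
```

The row for "\/\/google.com/" is the one that matters: the naive check allows it, the browser resolves it to https://google.com/, and the hardened check returns null. The fix generalises beyond backslashes: any parser quirk the browser applies is applied by the check too, because both use the same resolution step.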
This can be further escalated to XSS. Host a script on your server that extracts user cookies, and use a payload such as: ?next=\/\/javascript%3A%2F%2F%250Aalert(document.domain);
When a user logs in using this link, you will get their session cookies on your server. To learn more about this, refer: You can then use these cookies to impersonate the user: full account takeover.
Hope you liked it :). Feedback is always welcome.