Bug Bounty: Hunting Open Redirect Vulnerabilities For $$$
This article was originally published at BePractical
INTRODUCTION
Do you know that you can earn up to $1000 by finding open redirect vulnerabilities? Well, it turns out that most people underestimate open redirect vulnerabilities because of its nature. For those who doesn’t know about open redirect vulnerability, It is a web application vulnerability that allows an attacker to redirect users from the original website to the attacker’s controlled domain. The normal impact can be used to perform phishing attacks which to lead to more vulnerability. However, it can lead to complete account takeover if found in sensitive functionalities like OAuth, etc.
For example, A hacker was able to perform account takeover with the help of open redirection vulnerability. You can read more about it here. We can also escalate this vulnerability to perform cross site scripting vulnerability.
In this article, we are going to learn how to find open redirect vulnerabilities on live websites. So, let’s get started
Annonucement: If you want to learn how hackers hack millions of accounts on a website, Then check out this beginner friendly course which will teach you how to perform account takeovers in real world websites that will boost your bug bounty hunting skills from basics to advance level.
WHAT ARE OPEN REDIRECT VULNERABILITIES?
As the name suggest, it gives an attacker the power to redirect users to redirect from legitimate domain to their malicious domain. To be more technical, Open redirection vulnerabilities arise when an application incorporates user-controllable data into the target of a redirection in an unsafe way(Source: PortSwigger). Let’s take an example:
Suppose you are visiting Amazon to buy books. You visited the login page and provided your credentials. Now in normal case, you are supposed be redirected to your dashboard. But here, you get redirected to the attacker’s phishing website without any warning(If amazon was vulnerable). Since you don’t have any clue about this, you provided your credit card details for the purchase. Now the attacker owns your credit card information!
Now you must be thinking that “Well, i am well aware of phishing. I can easily distinguish the phishing page by validating the domain name.”. You are not wrong, but this is just a beginning of a storm. When exploited more maliciously, it could lead to account takeover without you even noticing by stealing your cookies.
There are many ways to find open redirect vulnerabilities. One simple way to identify open redirection vulnerability is:
- Find a parameter that is redirecting users. For example: ?returnURL=domain , ?dest=domain, ?return=domani , ?URL=domain etc.
- Pass any random url in the parameter’s value.(Like bing.com)
- If you get redirected to bing.com , then voila! You found the vulnerability.
- If not, then don’t loose hope. You will find it eventually.
Now using the steps above does not necessarily means that you will find the vulnerability. Sometimes there are various protection that we need to bypass in order to find open redirect vulnerability. Some of them are:
- If bing.com is blocked then try domain.com.bing.com.
- If ?vulnerableParameter=/batman then try to ?vulnerableParameter=.batman
- If attacker.com is blocked then try domain.com@attacker.com.
DEMONSTRATION
CONCLUSION
I hope you all understood about the basics of open redirect vulnerabilities and how we can find them on live websites. In the next article, we will learn some more ways to find open redirection on more secured web applications. If you have any doubts or issues then let me know in the comment section.
Join our telegram channel over here.
Check out our cybersecurity section for more amazing tutorials and articles.
Subscribe to our YouTube channel over here
