Top 25 Open Redirect Bug Bounty Reports

Cristian Cornea
4 min read · Mar 27, 2020


In this article, we will discuss the Open Redirect vulnerability, how to find one, and present 25 disclosed reports based on this issue.

What is Open Redirect?

Open Redirect is a vulnerability in which an attacker manipulates a web page so that it redirects users to a destination they did not intend to visit (in most cases a malicious or phishing site).

A common place where an Open Redirect occurs is in the URL, through a parameter value that can be tampered with and set to the attacker’s website. For example:

https://medium.com/r/?url=https://phising-malicious.com

An Open Redirect can very easily lead to Cross-Site Scripting (XSS) that steals the user’s cookies, by redirecting the user to a JavaScript payload like the one below. Note that this only works when the redirect is performed client-side (for example by assigning the value to location.href); browsers do not execute a javascript: URL returned in an HTTP 302 Location header.

https://medium.com/r/?url=javascript:alert(document.cookie)

Some people consider this security issue to have a low impact, some consider it a medium risk, and many do not consider it an issue at all.

A cyber security expert must be aware of the possible impact such a vulnerability can have when it is exploited. It is primarily used in phishing campaigns to bypass filtering and detection, but it can also serve as a valuable link in complex, multi-stage attacks (kill chains) with a large impact on their targets (example: Account Takeover through an OAuth Open Redirect).

Types of Open Redirect

1. Reflected: the redirection is made based on a parameter value set through the URL. It is the most common form of Open Redirect. Some URL parameters that are commonly used to handle redirections:
url
rurl
u
next
link
lnk
go
target
dest
destination
redir
redirect_uri
redirect_url
redirect
r
view
loginto
image_url
return
returnTo
return_to
continue
return_path
path

2. Stored: the redirection function/script is stored in the web application through the attacker’s input. All users who visit the vulnerable and exploited page are redirected to the attacker’s website.

3. DOM-Based: it occurs when the application takes input and places it in a sink that redirects the user. Those sinks include the following:

location
location.host
location.hostname
location.href
location.pathname
location.search
location.protocol
location.assign()
location.replace()
open()
domElem.srcdoc
jQuery.ajax()
$.ajax()
XMLHttpRequest.open()
XMLHttpRequest.send()
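
Both the reflected and the DOM-based variants above come down to the same question: is the value about to reach the redirect sink still a location on our own site? The following is an added example (not code from the original article) of the allow-list check a defender would put in front of the sink, written against the WHATWG URL API that Node.js and browsers provide. The origin app.example, the function names and the sample inputs are constructed for this example; a naive check is shown next to the hardened one so the difference is visible.

```javascript
// Added example, not code from the original article: an allow-list check that
// sits in front of a redirect sink, whether the sink is a server-side 302
// Location header (reflected case) or a client-side location.assign() /
// location.href (DOM-based case). Only the WHATWG URL API, available in
// Node.js and browsers, is used. The origin and the inputs are constructed.

const TRUSTED_ORIGIN = 'https://app.example'; // assumption: the site's own origin
const FALLBACK_PATH = '/';                     // where users go when the target fails the check

// A check that many applications actually ship: "starts with a slash" or
// "contains our hostname". Kept here as the WEAK version so the inputs it
// wrongly accepts are visible in the demo at the bottom.
function weakIsSafeRedirect(target) {
  return target.startsWith('/') || target.includes('app.example');
}

// Hardened check: resolve the value against the trusted origin exactly the way
// a browser would, then require that the resolved URL is still on that origin.
// The resolved path is returned instead of the raw input, so nothing that
// encodes a different host or scheme can reach the sink.
function safeRedirectTarget(target, trustedOrigin = TRUSTED_ORIGIN) {
  if (typeof target !== 'string' || target.length === 0) return FALLBACK_PATH;
  let parsed;
  try {
    parsed = new URL(target, trustedOrigin + '/');
  } catch {
    return FALLBACK_PATH; // unparsable input never reaches the sink
  }
  // A non-http(s) scheme such as javascript: or data: yields origin "null";
  // a different host, a userinfo trick or a protocol-relative URL yields a
  // different origin. All of them fall through to the fallback.
  if (parsed.origin !== trustedOrigin) return FALLBACK_PATH;
  return parsed.pathname + parsed.search + parsed.hash;
}

// DOM-based use: `loc` is window.location in a browser; it is injected here so
// the function can be exercised with a stub object outside a browser.
function applyRedirect(loc, target) {
  const dest = safeRedirectTarget(target);
  loc.assign(dest);
  return dest;
}

// Constructed inputs, including shapes that commonly slip past naive checks.
const SAMPLE_TARGETS = [
  '/account?tab=1#x',
  'https://app.example/settings',
  '//evil.example/phish',
  '/\\evil.example',
  'javascript:alert(document.cookie)',
  'https://app.example@evil.example/',
  'https://app.example.evil.example/',
];

for (const t of SAMPLE_TARGETS) {
  console.log(`${t.padEnd(36)} weak=${weakIsSafeRedirect(t)}  hardened->${safeRedirectTarget(t)}`);
}
```

The design choice worth noting is that the hardened function never passes the attacker-controlled string through: it re-serialises only the path, query and fragment of a URL that has already been proven same-origin. If an application genuinely needs to redirect to other sites, the same structure applies with a list of permitted origins instead of one.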

How to test for Open Redirects

Use Google dorks to search for URLs that contain common redirection parameters.

Some applications verify the parameter value before redirecting, so you may need to put in some effort to bypass the filters and other mechanisms, using tips from here:

https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Open%20Redirect
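
The same parameter names that a tester searches for are what a defender should be watching in access logs. The following is an added example (not code from the original article) of a small detection pass over web server log lines: it reuses the parameter list from the Reflected section above, extracts the query string of each request, and flags any known redirect parameter whose value would leave the site if followed. The log lines, the origin app.example and the function names are constructed for this example.

```javascript
// Added example, not code from the original article: a defender-side log check
// that flags requests whose redirect parameter points off-origin. The parameter
// names are the ones listed in the article; the log lines are constructed.

const REDIRECT_PARAMS = new Set([
  'url', 'rurl', 'u', 'next', 'link', 'lnk', 'go', 'target', 'dest', 'destination',
  'redir', 'redirect_uri', 'redirect_url', 'redirect', 'r', 'view', 'loginto',
  'image_url', 'return', 'returnTo', 'return_to', 'continue', 'return_path', 'path',
]);

const OWN_ORIGIN = 'https://app.example'; // assumption: the site's own origin

// Minimal combined-log-format parser: client, method, request target and status
// are all this check needs.
const LOG_RE = /^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) /;

// Would following this parameter value take the user off our origin?
// Resolving against OWN_ORIGIN mirrors what a browser does with the value, so
// protocol-relative, userinfo and non-http(s) scheme shapes are all caught.
function leavesOrigin(value) {
  let parsed;
  try {
    parsed = new URL(value, OWN_ORIGIN + '/');
  } catch {
    return true; // unparsable values are surfaced for review rather than ignored
  }
  return parsed.origin !== OWN_ORIGIN;
}

// Returns one finding per (line, parameter) pair whose value is off-origin.
function findSuspiciousRedirects(logText) {
  const findings = [];
  for (const line of logText.split('\n')) {
    const m = LOG_RE.exec(line);
    if (!m) continue;
    const [, client, method, target, status] = m;
    let req;
    try {
      req = new URL(target, OWN_ORIGIN + '/');
    } catch {
      continue;
    }
    for (const [name, value] of req.searchParams) {
      if (REDIRECT_PARAMS.has(name) && leavesOrigin(value)) {
        findings.push({ client, method, path: req.pathname, param: name, value, status: Number(status) });
      }
    }
  }
  return findings;
}

// Constructed sample log: two benign requests and three that deserve a look.
const SAMPLE_LOG = [
  '203.0.113.7 - - [27/Mar/2020:10:00:01 +0000] "GET /login?next=/dashboard HTTP/1.1" 302 0',
  '203.0.113.7 - - [27/Mar/2020:10:00:02 +0000] "GET /login?next=//evil.example/phish HTTP/1.1" 302 0',
  '198.51.100.4 - - [27/Mar/2020:10:00:03 +0000] "GET /r?url=https://app.example.evil.example/ HTTP/1.1" 302 0',
  '198.51.100.4 - - [27/Mar/2020:10:00:04 +0000] "GET /r?url=javascript:alert(document.cookie) HTTP/1.1" 200 512',
  '192.0.2.9 - - [27/Mar/2020:10:00:05 +0000] "GET /search?q=open+redirect HTTP/1.1" 200 2048',
].join('\n');

for (const f of findSuspiciousRedirects(SAMPLE_LOG)) {
  console.log(`${f.client} ${f.method} ${f.path} ${f.param}=${f.value} -> ${f.status}`);
}
```

A 302 response next to an off-origin value is the strongest signal, since it means the application actually honoured the value; a 200 with a javascript: value is still worth reviewing because DOM-based redirects happen after the page is served and never show up as a 302 in server logs.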

Top 25 Open Redirect Bug Bounty Reports

The reports were disclosed through the HackerOne platform and were selected according to their upvotes, bounty, severity level, complexity, and uniqueness.

#1

Title: Open Redirect on central.uber.com allows for account takeover

Company: Uber

Bounty: $8,000

Link: https://hackerone.com/reports/206591

#2

Title: open redirect in rfc6749

Company: The Internet

Bounty: $3,000

Link: https://hackerone.com/reports/26962

#3

Title: Reflected XSS via Unvalidated / Open Redirect in uber.com

Company: Uber

Bounty: $3,000

Link: https://hackerone.com/reports/125791

#4

Title: XSS and Open Redirect on MoPub Login

Company: Twitter

Bounty: $1,540

Link: https://hackerone.com/reports/683298

#5

Title: Open redirect at https://inventory.upserve.com/http://google.com/

Company: Upserve

Bounty: $1,200

Link: https://hackerone.com/reports/469803

#6

Title: [dev.twitter.com] XSS and Open Redirect

Company: Twitter

Bounty: $1,120

Link: https://hackerone.com/reports/260744

#7

Title: Twitter lite(Android): Vulnerable to local file steal, Javascript injection, Open redirect

Company: Twitter

Bounty: $1,120

Link: https://hackerone.com/reports/499348

#8

Title: [dev.twitter.com] XSS and Open Redirect Protection Bypass

Company: Twitter

Bounty: $1,120

Link: https://hackerone.com/reports/330008

#9

Title: (BYPASS) Open redirect and XSS in supporthiring.shopify.com

Company: Shopify

Bounty: $1,000

Link: https://hackerone.com/reports/158434

#10

Title: Open redirect on https://hq-api.upserve.com/

Company: Upserve

Bounty: $1,000

Link: https://hackerone.com/reports/497664

#11

Title: Trick make all fixed open redirect links vulnerable again

Company: Slack

Bounty: $1,000

Link: https://hackerone.com/reports/104087

#12

Title: Open redirect at app.goodhire.com via ReturnUrl parameter

Company: Inflection

Bounty: $750

Link: https://hackerone.com/reports/240091

#13

Title: Open Redirect in secure.showmax.com

Company: Showmax

Bounty: $550

Link: https://hackerone.com/reports/749338

#14

Title: Open redirect

Company: NordVPN

Bounty: $500

Link: https://hackerone.com/reports/753399

#15

Title: [keybase.io] Open Redirect

Company: Keybase

Bounty: $500

Link: https://hackerone.com/reports/87027

#16

Title: Open redirect in bulk edit

Company: Shopify

Bounty: $500

Link: https://hackerone.com/reports/169759

#17

Title: CBC “cut and paste” attack may cause Open Redirect(even XSS)

Company: Uber

Bounty: $500

Link: https://hackerone.com/reports/126203

#18

Title: Open redirect using theme install

Company: Shopify

Bounty: $500

Link: https://hackerone.com/reports/101962

#19

Title: Open redirect allows changing iframe content in *.myshopify.com/admin/themes/<id>/editor

Company: Shopify

Bounty: $500

Link: https://hackerone.com/reports/165046

#20

Title: XSS on www.mapbox.com/authorize/ because of open redirect at /core/oauth/auth

Company: Mapbox

Bounty: $500

Link: https://hackerone.com/reports/143240

#21

Title: Open redirect using checkout_url

Company: Shopify

Bounty: $500

Link: https://hackerone.com/reports/159522

#22

Title: Interstitial redirect bypass / open redirect in https://hackerone.com/zendesk_session

Company: HackerOne

Bounty: $500

Link: https://hackerone.com/reports/111968

#23

Title: Open Redirect on slack.com

Company: Slack

Bounty: $500

Link: https://hackerone.com/reports/140447

#24

Title: Open Redirect in riders.uber.com

Company: Uber

Bounty: $500

Link: https://hackerone.com/reports/125003

#25

Title: Open Redirect (verkkopalvelu.lahitapiola.fi)

Company: LocalTapiola

Bounty: $400

Link: https://hackerone.com/reports/179328

Bonus: 10 Zero Dollars Open Redirect Reports

#1

Title: Open Redirection in Login — Korean Starbucks

Company: Starbucks

Bounty: $0

Link: https://hackerone.com/reports/380939

#2

Title: Open redirect vuln on login

Company: ZEIT

Bounty: $0

Link: https://hackerone.com/reports/608031

#3

Title: (HackerOne SSO-SAML) Login CSRF, Open Redirect, and Self-XSS Possible Exploitation

Company: HackerOne

Bounty: $0

Link: https://hackerone.com/reports/171398

#4

Title: Open redirect vulnerability in index.php

Company: HackerOne

Bounty: $0

Link: https://hackerone.com/reports/439075

#5

Title: Open Redirect on Gitlab Oauth leading to Account Takeover

Company: ZEIT

Bounty: $0

Link: https://hackerone.com/reports/677617

#6

Title: Open Redirection in [https://www.hackerone.com/index.php]

Company: HackerOne

Bounty: $0

Link: https://hackerone.com/reports/562417

#7

Title: [http2.cloudflare.com] Open Redirect

Company: Cloudflare

Bounty: $0

Link: https://hackerone.com/reports/193027

#8

Title: Open redirect bypass & SSRF Security Vulnerability

Company: Smule

Bounty: $0

Link: https://hackerone.com/reports/771465

#9

Title: Open redirect on the https://tt.hboeck.de

Company: Hanno’s project

Bounty: $0

Link: https://hackerone.com/reports/503922

#10

Title: http://www.nextcloud.com/wp-includes/js/swfupload/swfupload.swf allows open redirect / site defacement

Company: Nextcloud

Bounty: $0

Link: https://hackerone.com/reports/209520

I would like to thank you for your attention and I wish everybody good luck in their future findings!

Cristian Cornea

🇷🇴 Founder: Zerotak Security | Cyber Security Training Centre of Excellence (CSTCE) | SectionX.io | BSides Transylvania