Top 25 Open Redirect Bug Bounty Reports
In this article, we will discuss Open Redirect vulnerability, how to find one and present 25 disclosed reports based on this issue.
What is Open Redirect?
Open Redirect is a vulnerability in which the attacker manipulates a web page to redirect the users to unknown destinations (malicious/phishing destinations in most of cases).
A common place where an Open Redirect occurs is in the URL, through a parameter value that can be tampered and set to the attacker’s website. For example:
Some people consider that this security issue has a low impact, some of them consider it a medium risk and there are many that does not even consider this an issue.
A cyber security expert must be aware of the possible impacts that such a vulnerability can have if it is being exploited. It is primary used in phishing campaigns to bypass filtering and detection, but can be used as a valuable node in many complex attacks that rely on cyber kill chains that will have a huge impact against its targets (example: Accounts Takeover through OAuth Open Redirect).
Types of Open Redirect
- Reflected: the redirection is being made based on a parameter value set through the URL. It is the most common form of Open Redirection. Some URL parameters that are used to handle redirections:
2. Stored: the redirection function/script is stored on the web application through the attacker’s input. All the users that visits the vulnerable and exploited page, will be redirected to the attacker’s website.
3. DOM-Based: it occurs when the application takes input and places it in a sink that redirects the user. Those sinks are the following:
How to test for Open Redirects
Use Google dorks and search for URLs that contains common redirection parameters.
Some applications verify the parameter value before redirection, so you should put some effort and bypass the filters and other mechanisms, using some tips from here:
Top 25 Open Redirect Bug Bounty Reports
The reports were disclosed through the HackerOne platform and were selected according to their upvotes, bounty, severity level, complexity, and uniqueness.
Title: Open Redirect on central.uber.com allows for account takeover
Title: open redirect in rfc6749
Company: The Internet
Title: Reflected XSS via Unvalidated / Open Redirect in uber.com
Title: XSS and Open Redirect on MoPub Login
Title: Open redirect at https://inventory.upserve.com/http://google.com/
Title: [dev.twitter.com] XSS and Open Redirect
Title: [dev.twitter.com] XSS and Open Redirect Protection Bypass
Title: (BYPASS) Open redirect and XSS in supporthiring.shopify.com
Title: Open redirect on https://hq-api.upserve.com/
Title: Trick make all fixed open redirect links vulnerable again
Title: Open redirect at app.goodhire.com via ReturnUrl parameter
Title: Open Redirect in secure.showmax.com
Title: Open redirect
Title: [keybase.io] Open Redirect
Title: Open redirect in bulk edit
Title: CBC “cut and paste” attack may cause Open Redirect(even XSS)
Title: Open redirect using theme install
Title: Open redirect allows changing iframe content in *.myshopify.com/admin/themes/<id>/editor
Title: XSS on www.mapbox.com/authorize/ because of open redirect at /core/oauth/auth
Title: Open redirect using checkout_url
Title: Interstitial redirect bypass / open redirect in https://hackerone.com/zendesk_session
Title: Open Redirect on slack.com
Title: Open Redirect in riders.uber.com
Title: Open Redirect (verkkopalvelu.lahitapiola.fi)
Bonus: 10 Zero Dollars Open Redirect Reports
Title: Open Redirection in Login — Korean Starbucks
Title: Open redirect vuln on login
Title: (HackerOne SSO-SAML) Login CSRF, Open Redirect, and Self-XSS Possible Exploitation
Title: Open redirect vulnerability in index.php
Title: Open Redirect on Gitlab Oauth leading to Acount Takeover
Title: Open Redirection in [https://www.hackerone.com/index.php]
Title: [http2.cloudflare.com] Open Redirect
Title: Open redirect bypass & SSRF Security Vulnerability
Title: Open redirect on the https://tt.hboeck.de
Company: Hanno’s project
Title: http://www.nextcloud.com/wp-includes/js/swfupload/swfupload.swf allows open redirect / site defacement
I would like to thank you for your attention and I wish everybody good luck in their future findings!