Open Redirection to Reflected Cross-Site Scripting
Most of the time, if you find an open redirection in login functionality, there is a good chance of escalating it to reflected XSS (RXSS).
Hello folks, in this article I will explain how to escalate an open redirection into RXSS.
What is Open Redirection?
If an application has a redirection parameter that it does not validate, an attacker can supply his or her own untrusted, malicious domain in it; if the application then redirects the user to that untrusted page, we call it an "Open Redirection".
By default the severity is rated low to medium, so it is considered low-hanging fruit 🍎🍎
Let's get Started !!
This time the target has a very small scope, let's call this https://redirect.com
I started with creating the account using their own Sign-up options.
My testing usually starts from the Sign-up page itself; the normal flow is HTML injection, hyperlink injection, weak password functionality, server-side template injection, rate limiting, etc.
After creating an account, I started visiting all the possible pages, and by default all the traffic flows through the HTTP history of my Burp (keeping Intercept off).
After some minutes of surfing the website, I went to my Burp window (the Pro edition has a global search bar by default) and started searching for common open redirection keywords such as redir=, url=, redirect=, next=, and I ended up finding a URL with a redirection parameter named ?redirection_url=. On the target domain it looked like:
https://redirect.com/login/?redirection_url=https%3A%2F%2Fredirect.com%2Fprofile
Immediately I changed it to redirection_url=https%3A%2F%2Fevil.com%2F
Then I logged in to the application, and it redirected me to https://evil.com
Boom !!
Woooow! It worked…
As I mentioned earlier open redirection is a low-hanging fruit 🍎🍎
I didn’t quit here;
I want to increase the impact and I again started testing.
I observed that the application was using URL encoding, so I simply crafted the JavaScript payload:
javascript:alert(1)
I used an online encoder to encode it before injecting it into the URL parameter.
The encoded payload will look like this:
When I hit enter !!
Then I got an XSS pop-up…
That's great…!! Yaayyyyyyyyy…!!
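The reason the redirect turned into XSS is that the application decoded the parameter and handed the result straight to the browser as a navigation target, so a javascript: URL runs as script instead of being treated as a destination. The fix on the defending side is to validate the decoded value before redirecting: accept only a site-relative path or an https URL on your own host, and fall back to a fixed default for everything else. Below is an added example of such a check, written for this write-up and not taken from the target application; it assumes a Python backend and uses the placeholder host redirect.com from the article, with /profile as the constructed default landing page.

```python
from urllib.parse import urlparse, unquote

# Constructed values for the example: the site's own host (the write-up's
# placeholder name) and the page to land on when the parameter is rejected.
ALLOWED_HOST = "redirect.com"
DEFAULT_TARGET = "/profile"


def safe_redirect_target(raw_value: str) -> str:
    """Validate a user-supplied redirect parameter and return a safe target.

    Accepts only site-relative paths or https URLs on ALLOWED_HOST. Foreign
    hosts, javascript:/data: schemes, protocol-relative //host forms and
    encoded variants of these all fall back to DEFAULT_TARGET.
    """
    if not raw_value:
        return DEFAULT_TARGET

    # Decode until the value is stable so a double-encoded parameter is
    # judged by what the browser would finally see, not by its wrapper.
    value = raw_value
    for _ in range(3):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    value = value.strip()

    # Control characters (tab, newline) inside a scheme can slip past naive
    # string checks, so reject them outright.
    if any(ord(ch) < 0x20 for ch in value):
        return DEFAULT_TARGET

    parsed = urlparse(value)

    # No scheme and no host: treat as a site-relative path, but only if it
    # starts with exactly one slash ("//evil.com" and "/\evil.com" are
    # interpreted as external hosts by browsers).
    if parsed.scheme == "" and parsed.netloc == "":
        if value.startswith("/") and not value.startswith(("//", "/\\")):
            return value
        return DEFAULT_TARGET

    # Absolute URL: require https and an exact match on our own hostname.
    # parsed.hostname strips userinfo, so "https://redirect.com@evil.com/"
    # is compared as "evil.com" and rejected.
    if parsed.scheme.lower() == "https" and parsed.hostname == ALLOWED_HOST:
        return value

    return DEFAULT_TARGET


if __name__ == "__main__":
    # Constructed inputs mirroring the write-up: the legitimate value, the
    # external-domain test, and the javascript: payload in plain and encoded form.
    samples = [
        "https%3A%2F%2Fredirect.com%2Fprofile",
        "https%3A%2F%2Fevil.com%2F",
        "javascript:alert(1)",
        "javascript%3Aalert%281%29",
        "//evil.com/",
        "/account/settings",
    ]
    for sample in samples:
        print(f"{sample!r:45} -> {safe_redirect_target(sample)}")
```

The allow-list approach matters more than any particular deny-list: checking that a value "starts with https://redirect.com" would still pass https://redirect.com.evil.com, while comparing the parsed hostname exactly does not. Logging rejected values is also a cheap detection signal, since legitimate users almost never arrive with a foreign host or a javascript: scheme in this parameter.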
Immediately I started making the report and got triaged !!
I found a similar kind of XSS via open redirect; please watch the video POC below 👇
Happy Hacking 🥂🥂
Thanks for reading.
Please follow me for more writeups.