Escalating Open Redirect to XSS

Image Credit — StackHawk
  • Note that the search term ‘hacker’ was being reflected in the page.
  • Tried for XSS here in all possible ways, but couldn’t find one. So I thought of looking for Open Redirects.

Looking for Open Redirects

  1. In all the above mentioned instances, the victim is signed into his account.
  2. The ‘next’ parameter was added manually to the URL. You can also try manually adding others like ‘?continue=’, ‘?redirect_uri=’, ‘?return=’, ‘?go=’, ‘?continue_to=’ etc.
  3. sub.redacted.com in the next parameter can be any whitelisted SLD. Thus adding any subdomain of the target to it does the job.
  4. Using the AND operator forces both conditions to be true. Thus ‘javascript:confirm(document.cookie)’ was also executed by the client side.
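The root cause in both steps above is the same: the server accepted a ‘next’ value as long as it looked like it contained an allowed domain, and never checked the scheme. The following is an added example (not the author’s code or the target’s code) that puts a substring-style allowlist check beside a hardened redirect validator. Host names such as redacted.com, sub.redacted.com and evil.example are constructed placeholders; the validator only accepts same-site relative paths or absolute http(s) URLs whose parsed hostname is the site or one of its subdomains, and everything else (javascript:, data:, scheme-relative tricks, userinfo tricks, look-alike domains) falls back to a safe default.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed for this example: the application's own host and the list of
# hosts (plus their subdomains) a post-login redirect may point to.
BASE_HOST = "redacted.com"
ALLOWED_HOSTS = ("redacted.com",)


def naive_is_allowed(next_value: str) -> bool:
    """Substring allowlist of the kind the write-up bypasses.

    Passes anything that merely *contains* an allowed host, including
    'javascript:confirm(document.cookie)//sub.redacted.com'.
    """
    return any(host in next_value for host in ALLOWED_HOSTS)


def host_is_allowed(host: str) -> bool:
    """Exact match or a real subdomain of an allowed host (not a lookalike)."""
    host = host.lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in ALLOWED_HOSTS)


def safe_redirect_target(next_value: str, fallback: str = "/") -> str:
    """Return a redirect URL that is safe to send in a Location header.

    Anything that cannot be positively validated becomes `fallback`.
    """
    # Browsers strip ASCII tab/newline from URLs before parsing, so
    # 'java\tscript:' is still a javascript: URL to the client. Normalise the
    # same way so the check sees what the browser will see.
    cleaned = "".join(ch for ch in next_value.strip() if ch not in "\t\r\n")
    try:
        parts = urlsplit(cleaned)
    except ValueError:  # e.g. malformed IPv6 literal
        return fallback

    if parts.netloc:
        # Absolute or scheme-relative ('//host/...') URL: only http(s), and the
        # *parsed* hostname must be allowed. hostname ignores userinfo, so
        # 'https://sub.redacted.com@evil.example/' resolves to evil.example.
        if parts.scheme not in ("", "http", "https"):
            return fallback
        host = parts.hostname
        if not host or not host_is_allowed(host):
            return fallback
        # Rebuild from validated pieces: forces https, drops userinfo/port and
        # the fragment rather than echoing the attacker-controlled string.
        return urlunsplit(("https", host, parts.path or "/", parts.query, ""))

    if parts.scheme:
        # netloc empty but a scheme is present: javascript:, data:, mailto:...
        return fallback

    # Relative path. Require a leading '/', and refuse '//' and '/\' which
    # browsers treat as scheme-relative (protocol-relative) URLs.
    path = parts.path
    if not path.startswith("/") or path.startswith(("//", "/\\")):
        return fallback
    return urlunsplit(("https", BASE_HOST, path, parts.query, ""))
```

The naive check is kept only to show the contrast: a detection rule or code review looking for `in`/`contains`/`indexOf` against a redirect parameter is a quick way to spot the weak pattern, while the hardened version is what the handler should actually call before emitting a 302.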

Sagar Sajeev
18 y/o | Security Researcher | Bug Bounty Hunter |