Escalating Open Redirect to XSS

Sagar Sajeev
2 min read · Aug 13, 2022

Hello everyone. I'm Sagar Sajeev.

In this writeup, I’ll discuss how I was able to find an Open Redirect on a target website and escalate it to an XSS, thereby increasing the severity.

Image Credit — StackHawk

Let the target domain be:

https://www.redacted.com/resources?search=hacker

  • Note that the search term ‘hacker’ was being reflected in the page.
  • I tried for XSS here in all possible ways, but couldn’t find one. So I thought of looking for Open Redirects.

Looking for Open Redirects

https://redacted.com/resources?next=sub.redacted.com&next=javascript:confirm(document.cookie)

So when a victim clicks on this link, he will be redirected to sub.redacted.com and, within a second or two, the XSS payload will be triggered.

Note:

  1. In all the above-mentioned instances, the victim is signed into his account.
  2. The ‘next’ parameter was added manually to the URL. You can also try manually adding others like ‘?continue=’, ‘?redirect_uri=’, ‘?return=’, ‘?go=’, ‘?continue_to=’, etc.
  3. sub.redacted.com in the next parameter can be any whitelisted SLD. Thus adding any subdomain of the target to it does the job.
  4. Using the AND operator forces both the conditions to be true. Thus ‘javascript:confirm(document.cookie)’ was also executed by the client side.

Tip: Also try URL-encoding (or even double URL-encoding) operators like &. This may help in bypassing certain front-end restrictions.
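
From the defender's side, the link above works only if the application accepts a repeated next parameter and a non-HTTP scheme in it. The check below is an added example, not code from the target or from the original writeup. It refuses both, assuming the redirect is driven by a next query parameter as in the URL above; ALLOWED_HOSTS, FALLBACK and safeRedirectTarget are hypothetical names and the hosts are placeholders.

```javascript
// Added example: ALLOWED_HOSTS, FALLBACK and safeRedirectTarget are
// hypothetical names; the host values are placeholders.
const ALLOWED_HOSTS = new Set(["redacted.com", "sub.redacted.com"]);
const FALLBACK = "/";

function safeRedirectTarget(requestUrl) {
  const values = new URL(requestUrl).searchParams.getAll("next");

  // A repeated parameter is ambiguous: the code that validates and the code
  // that navigates may each read a different copy. Refuse instead of choosing.
  if (values.length !== 1) return FALLBACK;

  const raw = values[0].trim();
  // Treat a value without a scheme as a bare host and assume https.
  const hasScheme = /^[a-z][a-z0-9+.-]*:/i.test(raw);
  let target;
  try {
    target = new URL(hasScheme ? raw : "https://" + raw);
  } catch {
    return FALLBACK; // unparseable input is never forwarded
  }

  // Only https navigations: this drops javascript:, data: and similar schemes.
  if (target.protocol !== "https:") return FALLBACK;
  // No userinfo, and an exact host match (host includes any non-default port).
  if (target.username || target.password) return FALLBACK;
  if (!ALLOWED_HOSTS.has(target.host)) return FALLBACK;

  // Return the parser's normalized form, never the raw string.
  return target.href;
}

// Constructed sample requests, including the link from this writeup.
const samples = [
  "https://redacted.com/resources?next=sub.redacted.com",
  "https://redacted.com/resources?next=sub.redacted.com&next=javascript:confirm(document.cookie)",
  "https://redacted.com/resources?next=javascript:confirm(document.cookie)",
];
for (const s of samples) console.log(safeRedirectTarget(s), "<-", s);
```

Because the value is parsed once and the same parsed object is both checked and returned, a URL-encoded & ends up inside the single value and fails the host check instead of splitting into a second parameter.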

Timeline

Submitted : 04–08–2022

Accepted : 05–08–2022

I do occasionally share some tips about Bug Bounties and related stuff over at my Twitter and LinkedIn handle. So do follow me there. If you’ve got any queries, feel free to message me. I will be more than happy to help.

LinkedIn : https://www.linkedin.com/in/sagar-sajeev-663491208/

Twitter : https://twitter.com/Sagar__Sajeev

Thanks for going through my writeup and I hope it was useful to you. I’ve made 6 other writeups on my Medium handle. Please do check those out as well.

Happy Hunting!
