search

Writeups

hashtag
Showmax - Unvalidated Redirect and XSS

https://hackerone.com/reports/749338hackerone.comchevron-right

Researcher discovered an unvalidated redirect on a Showmax in a payment method flow. Researcher received an email advertising Showmax 14 day free trial. Clicking the link directed the researcher to a payment page. In on of the HTTP request bodies the following URL was found. The URL parameter redirection_url was found to not only be vulnerable to unvalidated redirects, but also to XSS.

https://secure.showmax.com/v97.3/website/payment/subscriptions/zooz_card/three_d_secure?redirection_url=https://payu.co.za.....

Changing the redirection_url to google will redirect the user to google. Changing the parameter to contain the XSS payload javascript:%250Aalert(1) will trigger reflected XSS.

Reflected XSS

Researcher thankfully provided a detailed blog post here:

LogoBUG BOUNTY: How I earned $550 in less than 5 minutes. “Open Redirect chained with rXSS”Mediumchevron-right

hashtag
Upserve URL Pathway

LogoUpserve disclosed on HackerOne: Open redirect at...HackerOnechevron-right

Researcher discovered unvalidated redirect on URL https://inventory.upserve.com/ in the applications root URL path. Appending any URL to the URL will redirect the user there. Thus the following URL redirects to google:

https://inventory.upserve.com/http://google.com/

hashtag
Hanno

LogoHanno's projects disclosed on HackerOne: Open redirect on...HackerOnechevron-right

Researcher discovered Open Redirect on endpoint https://blog.fuzzing-project.org/exit.php?url= <url>. The HTTP URL parameter url is vulnerable, supplying any attacker controlled site to the parameter will redirect the user there.

Entering the following URL into a web browser would redirect the user to google.com:

hashtag
Others

GitHub Gist - Account takeover via open redirect - $10,000 Bountydevcraft.iochevron-right
http://ngailong.com/uber-login-csrf-open-redirect-account-takeover/ngailong.comchevron-right
https://xpoc.pro/oauth-authentication-bypass-on-airbnb-acquisition-using-weird-1-char-open-redirect/xpoc.prochevron-right
LogoAirbnb - Chaining Third-Party Open Redirect into Server-Side Request Forgery (SSRF) via LivePerson Chatziotchevron-right
Godaddy XSS affects parked domains redirector/processor!Seekuritychevron-right
LogoУкраинские казино онлайн – топовые игры быстрые выплаты и ежедневные бонусыmohamedharon.com - Just another WordPress sitechevron-right

PreviousUnvalidated Redirects and ForwardsNextSource Code Examples

Last updated

Was this helpful?