Writeups

Showmax - Unvalidated Redirect and XSS

Researcher discovered an unvalidated redirect on a Showmax in a payment method flow. Researcher received an email advertising Showmax 14 day free trial. Clicking the link directed the researcher to a payment page. In on of the HTTP request bodies the following URL was found. The URL parameter redirection_url was found to not only be vulnerable to unvalidated redirects, but also to XSS.

https://secure.showmax.com/v97.3/website/payment/subscriptions/zooz_card/three_d_secure?redirection_url=https://payu.co.za.....

Changing the redirection_url to google will redirect the user to google. Changing the parameter to contain the XSS payload javascript:%250Aalert(1) will trigger reflected XSS.

https://secure.showmax.com/v97.3/website/payment/subscriptions/zooz_card/three_d_secure?redirection_url=https://google.com to https://secure.showmax.com/v97.3/website/payment/subscriptions/zooz_card/three_d_secure?redirection_url=javascript:%250Aalert(1)

Researcher thankfully provided a detailed blog post here:

Upserve URL Pathway

Researcher discovered unvalidated redirect on URL https://inventory.upserve.com/ in the applications root URL path. Appending any URL to the URL will redirect the user there. Thus the following URL redirects to google:

https://inventory.upserve.com/http://google.com/

Hanno

Researcher discovered Open Redirect on endpoint https://blog.fuzzing-project.org/exit.php?url= <url>. The HTTP URL parameter url is vulnerable, supplying any attacker controlled site to the parameter will redirect the user there.

Entering the following URL into a web browser would redirect the user to google.com:

https://blog.fuzzing-project.org/exit.php?url=google.com

Others

PreviousUnvalidated Redirects and Forwards NextSource Code Examples

Last updated 3 years ago