# Writeups

## Showmax - Unvalidated Redirect and XSS

{% embed url="<https://hackerone.com/reports/749338>" %}

The researcher found an unvalidated redirect in Showmax's payment flow. An email advertising a Showmax 14-day free trial linked to a payment page, and one of the HTTP requests made from that page used the URL below. Its `redirection_url` parameter turned out to be vulnerable not only to unvalidated redirects but also to XSS.

`https://secure.showmax.com/v97.3/website/payment/subscriptions/zooz_card/three_d_secure?redirection_url=https://payu.co.za.....`

Changing `redirection_url` to `https://google.com` redirects the user to Google. Setting it to the payload `javascript:%250Aalert(1)` instead triggers reflected XSS. Note the double encoding: `%25` is an encoded `%`, so one round of decoding yields `javascript:%0Aalert(1)` and a second yields `javascript:` followed by a line feed and `alert(1)`, which browsers still treat as a `javascript:` URL because the line feed is stripped when the URL is parsed.

```
https://secure.showmax.com/v97.3/website/payment/subscriptions/zooz_card/three_d_secure?redirection_url=https://google.com
https://secure.showmax.com/v97.3/website/payment/subscriptions/zooz_card/three_d_secure?redirection_url=javascript:%250Aalert(1)
```

![Reflected XSS ](/files/-MRSIRZA4N9VPj327EZf)

The researcher also published a detailed blog post:

{% embed url="<https://medium.com/@ahmadbrainworks/bug-bounty-how-i-earned-550-in-less-than-5-minutes-open-redirect-chained-with-rxss-8957979070e5>" %}

## Upserve URL Path

{% embed url="<https://hackerone.com/reports/469803>" %}

The researcher found an unvalidated redirect in the root path of `https://inventory.upserve.com/`: appending a full URL to the path redirects the user to it. The following URL therefore redirects to Google:

`https://inventory.upserve.com/http://google.com/`

## Hanno

{% embed url="<https://hackerone.com/reports/373916>" %}

The researcher found an open redirect at `https://blog.fuzzing-project.org/exit.php?url=<url>`. The `url` parameter is not validated, so supplying any attacker-controlled site sends the user there.

Entering the following URL in a browser redirects the user to google.com:

```
https://blog.fuzzing-project.org/exit.php?url=google.com
```
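All three writeups above are the same mistake: a redirect target taken from the request (a query parameter, or the remainder of the path) is trusted as-is, and in the Showmax case even a non-HTTP scheme gets through. The following is an added example, not code from Showmax, Upserve or the fuzzing-project blog, of a Node.js validator that rejects each of those inputs. The allowlisted hostnames, the `safeRedirectTarget` and `fullyDecode` names, and the sample paths are assumptions made for illustration.

```javascript
// Added example, not code from any of the programs above: validate a
// user-supplied redirect target before issuing a 302 to it.

// Hypothetical allowlist of hosts this service is allowed to redirect to.
const ALLOWED_HOSTS = new Set(['secure.showmax.com', 'payu.co.za']);

// Percent-decode repeatedly (bounded) so that a double-encoded payload such as
// javascript:%250Aalert(1) is judged on what the browser would finally see.
function fullyDecode(value, maxRounds = 3) {
  let current = value;
  for (let i = 0; i < maxRounds; i++) {
    let next;
    try {
      next = decodeURIComponent(current);
    } catch (e) {
      break; // malformed %xx sequence: stop and keep what we have
    }
    if (next === current) break;
    current = next;
  }
  return current;
}

// Returns an absolute URL string the server may redirect to, or null when the
// caller should fall back to a fixed default page instead.
//   raw          the value taken from the query string or path
//   base         the origin the redirect is issued from; relative values such
//                as "/account" resolve against it and stay on our own host
//   allowedHosts exact hostnames a redirect may leave for
function safeRedirectTarget(raw, base, allowedHosts = ALLOWED_HOSTS) {
  if (typeof raw !== 'string' || raw.length === 0 || raw.length > 2048) return null;

  // Check both the value as received and its fully decoded form: whichever
  // the downstream consumer ends up decoding, it must be http(s) to an
  // allowlisted host.
  let resolved = null;
  for (const candidate of [raw, fullyDecode(raw)]) {
    let url;
    try {
      // WHATWG parser: lowercases the scheme, strips tabs/newlines, resolves
      // "//host" as protocol-relative and "google.com" as a path on base.
      url = new URL(candidate, base);
    } catch (e) {
      return null;
    }
    // Only http(s): rejects javascript:, data:, vbscript:, file: and friends.
    if (url.protocol !== 'https:' && url.protocol !== 'http:') return null;
    // Exact hostname match: "https://payu.co.za@evil.example" parses with
    // hostname evil.example, and "payu.co.za.evil.example" is not payu.co.za.
    if (!allowedHosts.has(url.hostname)) return null;
    // Never forward credentials embedded in the URL.
    if (url.username !== '' || url.password !== '') return null;
    if (resolved === null) resolved = url.href;
  }
  return resolved;
}

// The inputs from the three writeups above plus common bypass attempts.
// Base origins and paths here are constructed for this example.
const CASES = [
  ['https://payu.co.za/3ds/return', 'https://secure.showmax.com/', ALLOWED_HOSTS],
  ['https://google.com', 'https://secure.showmax.com/', ALLOWED_HOSTS],
  ['javascript:%250Aalert(1)', 'https://secure.showmax.com/', ALLOWED_HOSTS],
  ['%6Aavascript:alert(1)', 'https://secure.showmax.com/', ALLOWED_HOSTS],
  ['http://google.com/', 'https://inventory.upserve.com/', new Set(['inventory.upserve.com'])],
  ['google.com', 'https://blog.fuzzing-project.org/', new Set(['blog.fuzzing-project.org'])],
  ['//google.com/', 'https://blog.fuzzing-project.org/', new Set(['blog.fuzzing-project.org'])],
];
for (const [raw, base, hosts] of CASES) {
  console.log(JSON.stringify(raw), '->', safeRedirectTarget(raw, base, hosts));
}
```

Two design choices worth noting. A scheme-less value such as `google.com` is resolved as a path on our own origin rather than prefixed with `http://`, which is what turns the fuzzing-project `exit.php` input into an off-site redirect. And the hostname check is an exact match on the parsed `hostname`, never a substring or prefix test on the raw string, since `https://payu.co.za@evil.example/` and `https://payu.co.za.evil.example/` both contain the allowed name. Where the set of legitimate destinations is small, mapping short keys to fixed URLs server-side and not accepting URLs from the client at all is simpler still.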

## Others

{% embed url="<https://devcraft.io/2020/10/19/github-gist-account-takeover.html>" %}

{% embed url="<http://ngailong.com/uber-login-csrf-open-redirect-account-takeover/>" %}

{% embed url="<https://xpoc.pro/oauth-authentication-bypass-on-airbnb-acquisition-using-weird-1-char-open-redirect/>" %}

{% embed url="<https://buer.haus/2017/03/09/airbnb-chaining-third-party-open-redirect-into-server-side-request-forgery-ssrf-via-liveperson-chat/>" %}

{% embed url="<https://www.seekurity.com/blog/write-ups/godaddy-xss-affects-parked-domains-redirector-processor/>" %}

{% embed url="<https://www.mohamedharon.com/2019/02/still-work-redirect-yahoo-subdomain-xss.html>" %}

