Graham Zemel

Summary

This article provides a guide on identifying and exploiting open redirect vulnerabilities on websites, with a focus on a real-world example that earned the author a bounty of over $500 in less than 10 minutes.

Abstract

The post titled "A $500+ Open Redirect Bounty in Under 10 Minutes" serves as a practical guide for cybersecurity enthusiasts, particularly those with limited experience, to detect and exploit open redirect vulnerabilities. The author illustrates the process by demonstrating how they identified such a vulnerability on 'redacted.com' by manipulating a URL redirection parameter after login. The article emphasizes the significance of this security flaw, its potential for abuse, and the importance of addressing it promptly. While open redirect is not classified as a critical P1 (Priority 1) vulnerability, it is still serious enough to be rated on the Vulnerability Rating Taxonomy (VRT) and can yield a substantial financial reward in bug bounty programs. The author also points readers to their GitHub repository, where they have shared scripts that can assist in bug hunting, and encourages further learning through additional resources on finding high-level security bugs.

Opinions

  • Open redirect vulnerabilities, though not the most critical, are valuable and can be lucrative for white-hat hackers.
  • The practice of including URL values in redirection parameters can lead to security vulnerabilities and should be approached with caution.
  • Modifying URL redirection parameters can be a simple yet effective method for exploiting open redirect vulnerabilities.
  • The author emphasizes the importance of acting quickly to fix open redirect issues to prevent potential harm to users.
  • Exploiting open redirect vulnerabilities ethically (white-hat) is encouraged, and the author provides tools and resources to support this practice.
  • The author suggests that by chaining other exploits with an open redirect, one might increase the severity and potential payout of the vulnerability report.
  • The author values community feedback and interest, inviting readers to engage with their content on Medium and visit their personal website for more information.

A $500+ Open Redirect Bounty in Under 10 Minutes

This post is a quick guide on how to utilize the Open Redirect bug on any sites you test, including a real-world step-by-step.

Open redirect isn’t tough to find if you know what you’re looking for. To determine whether you should even try to find bugs on a site as a somewhat inexperienced cybersecurity enthusiast, take a look at my other post →

If you’re on the second step of that article, or in other words you’ve done a few tests and determined you might have an open redirect vulnerability, continue reading for my steps on exploiting it (legally).

I’ll be referring to the site as ‘redacted.com’, in accordance with certain privacy-related requests.

Surfing redacted.com, there was a URL like this:

https://www.redacted.com/en_US/login&redirect=https://redacted.com/en_US/home.html

The URL points to a login page at first glance, but look at the rest and you’ll see a parameter whose value is a URL: the destination the user is redirected to after login. Make note of it, as this practice can sometimes lead to vulnerabilities. In this case it does, and it’s fairly simple to exploit.

To test the vulnerability for white-hat (the good guy) purposes, a test URL one might use could be this:

https://www.redacted.com/en_US/login&redirect=https://evil.com

Going into more detail, we’re now modifying the URL redirect parameter so that the victim is sent somewhere else when they click the link. Instead of forwarding them to the harmless and intended

https://redacted.com/en_US/home.html

it now forwards them to the potentially harmful

https://evil.com

This is a pretty significant issue, and could lead to a lot of malicious and dangerous consequences. It’s best to address and fix it as soon as possible, as the longer it’s exploitable the more potential regular users have to become victims.
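The fix is to never trust the redirect parameter as-is: the server should only follow a target it can prove stays on its own site, and fall back to a default otherwise. The following allow-list check is an added example written for this post, not code from the original article or from redacted.com; the allowed host names and the default landing page are assumptions based on the URLs shown above. Beyond the single `https://evil.com` case in the text, it also rejects the usual ways a bare string-prefix check gets tricked (protocol-relative `//host`, look-alike subdomains, userinfo before an `@`, backslashes, and non-HTTP schemes).

```python
from urllib.parse import urlsplit

# Hosts a post-login redirect may legitimately point at (assumed for this
# example; the article only names redacted.com and www.redacted.com).
ALLOWED_HOSTS = {"redacted.com", "www.redacted.com"}

# Where to send the user when the requested target fails validation
# (taken from the intended redirect shown in the article).
DEFAULT_TARGET = "https://redacted.com/en_US/home.html"


def is_safe_redirect(target: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Return True only if `target` is a same-site absolute URL or a plain
    site-relative path. Anything the parser cannot prove safe is rejected."""
    # Empty or containing control characters (newlines, tabs): reject.
    if not target or not target.isprintable():
        return False
    # Browsers treat "\" like "/", so "/\evil.com" can become the
    # protocol-relative "//evil.com". Reject backslashes outright.
    if "\\" in target:
        return False

    parts = urlsplit(target)

    # No scheme and no authority: this is a path on our own site.
    # Check the raw string, because urlsplit turns "///evil.com" into an
    # empty netloc plus path "/evil.com", which a browser would still
    # resolve as https://evil.com/.
    if parts.scheme == "" and parts.netloc == "":
        return target.startswith("/") and not target.startswith("//")

    # Only http(s) is acceptable for an absolute target; this blocks
    # javascript:, data:, and similar schemes.
    if parts.scheme not in ("", "http", "https"):
        return False

    # .hostname is lower-cased and stripped of userinfo and port, so
    # "https://redacted.com@evil.com" yields "evil.com" and is rejected,
    # while "https://REDACTED.com/x" yields "redacted.com" and passes.
    # A missing authority ("http:/evil.com") gives None, also rejected.
    return parts.hostname in allowed_hosts


def resolve_redirect(target: str, default: str = DEFAULT_TARGET) -> str:
    """Return `target` if it passes validation, otherwise the default."""
    return target if is_safe_redirect(target) else default


if __name__ == "__main__":
    # Constructed sample inputs: the intended target, the article's test
    # payload, and a few variants a prefix check would let through.
    for candidate in (
        "https://redacted.com/en_US/home.html",
        "/en_US/home.html",
        "https://evil.com",
        "//evil.com",
        "https://redacted.com.evil.com/",
        "https://redacted.com@evil.com/",
        "javascript:alert(1)",
    ):
        print(f"{candidate!r:45} -> {resolve_redirect(candidate)}")
```

Note that the check compares the parsed host name exactly against an allow-list rather than asking whether the string starts with `https://redacted.com`; the latter is the common mistake that lets `https://redacted.com.evil.com` and `https://redacted.com@evil.com` through. Relative paths are accepted only when they begin with a single `/`, which keeps the legitimate `/en_US/home.html` style working.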

While it isn’t a critical P1 bug, it’s one that’s definitely on the VRT (Vulnerability Rating Taxonomy) for some $$$. Depending on the severity, you might earn more money if you can chain other exploits, but an open redirect is a great bug by itself. I’ve got a few scripts that can help with bug hunting on my Github, feel free to check them out →

If you’d like to learn about finding even higher level bugs (P1 even), check out these two posts:

If you learned something new or want to see more posts like this, check out The Gray Area. Give a few claps to let me know I should post similar content, and check out grahamzemel.xyz for more information on who I am as a writer and developer. Thanks!

Cybersecurity
Bug Bounty
Hacking
Github
Programming