Ahmad Halabi

Published On: 14 Jul 2020

Open Redirect

Private | Web
---
MEDIUM | VALID

This is a writeup about an easy open redirect vulnerability that I found in a private program.

Description

The target website did not validate the value of the `redirect` parameter, which allowed unvalidated redirects and forwards to other websites.

Impact

An attacker is able to redirect victims from the main website to a malicious website, for example to steal their credentials or make them perform other sensitive actions.
Reproduction Steps

Step 2

Send the vulnerable URL to the victim. Once the victim visits it, they are redirected to the attacker's page.
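For the defender's side of this report, the check that was missing on the target: a server-side validator for the `redirect` parameter that only honours paths on the site's own origin and falls back to a safe default for anything else. This is an added example, not code from the original report or the program; the origin `https://example.com` and the helper names are placeholders I chose.

```python
from urllib.parse import urlsplit, urlunsplit

# Assumed site origin (placeholder) and the fallback used when a redirect is rejected.
SITE_ORIGIN = "https://example.com"
DEFAULT_TARGET = "/"


def safe_redirect_target(value, site_origin=SITE_ORIGIN, default=DEFAULT_TARGET):
    """Return an absolute same-origin URL for `value`, or `default` if it is unsafe.

    Accepts only site-absolute paths such as "/account/settings?tab=1".
    Rejects anything carrying a scheme or host, including the usual bypasses:
    "https://evil.example", "//evil.example", "/\\evil.example", "javascript:...".
    """
    if not value:
        return default
    # Browsers treat a backslash like a forward slash in special-scheme URLs,
    # so normalise first; otherwise "/\\evil.example" would parse as a plain path.
    candidate = value.replace("\\", "/")
    parts = urlsplit(candidate)
    # Any scheme (https:, javascript:, data:) or network location ("//host")
    # means the value is not a relative path on this site.
    if parts.scheme or parts.netloc:
        return default
    # Only site-absolute paths are honoured; bare "account" or "?x=1" is refused.
    if not parts.path.startswith("/"):
        return default
    # Rebuild the target from our own origin, so the Location header is always
    # an absolute URL on this site regardless of how the input was written.
    origin = urlsplit(site_origin)
    return urlunsplit((origin.scheme, origin.netloc, parts.path, parts.query, parts.fragment))


def location_for(query_params):
    """Location header value for a request whose query string is `query_params`."""
    return safe_redirect_target(query_params.get("redirect", ""))


if __name__ == "__main__":
    # Constructed sample inputs: one legitimate path and several hostile values.
    for sample in ("/account/settings?tab=1", "https://evil.example/", "//evil.example",
                   "/\\evil.example", "javascript:alert(1)", "account", ""):
        print(repr(sample), "->", safe_redirect_target(sample))
```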


Timeline
Ahmad, 12 Dec 2019: Initial Report

Private, 12 Dec 2019: Report Triaged

Private, 10 Jul 2020: Report Resolved
