FirstBlood-#126 — Open Redirect /drpanel/logout.php
This issue was discovered on FirstBlood v1
On 2021-05-10, iffu Level 5 reported:
Summary
Hi zseano. I've found an Open Redirect vulnerability on /drpanel/logout.php and the vulnerable parameter is 'ref'.
Steps to Reproduce
- While logging out from your admin account, you will notice the ref parameter in the URL.
- Simply inject the payload /\/www.evil.com into the value of the ref parameter.
- Observe that you will be redirected to www.evil.com.
Impact
Using this vulnerability, an attacker can send a phishing mail to a victim user; the victim user thinks that it is a legitimate URL that can be trusted and enters his details. But actually the application redirects him to an attacker-controlled domain which looks exactly like www.firstblood.com. If the user enters his details, his account may also be taken over.
Thanks zseano for making this application. It teaches me a lot about how real-world bug hunting scenarios work.
P4 Low
Endpoint: /drpanel/logout.php
Parameter: ref
Payload: /\/www.evil.com
FirstBlood ID: 1
Vulnerability Type: Open Redirect
There is an open URL redirect vulnerability on /logout.php. The code expects the ref value to start with / and does not allow redirects to external domains, but this check can be bypassed.
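The check described above only looks at the first character, so a value such as /\/www.evil.com passes it even though browsers normalise the backslash and treat the result as a scheme-relative URL. The following is an added example, not FirstBlood's own logout.php code: the naive prefix check beside a hardened same-origin path check, run over constructed sample ref values (the fallback path /login.php is an assumption).

```php
<?php
// Naive check as described in the triage note: only the first character is inspected.
function naive_is_local(string $ref): bool {
    return $ref !== '' && $ref[0] === '/';
}

// Hardened check: accept only a single-slash, same-origin path.
function is_safe_local_path(string $ref): bool {
    // Must start with exactly one forward slash; "//host" is a scheme-relative URL.
    if ($ref === '' || $ref[0] !== '/' || (isset($ref[1]) && $ref[1] === '/')) {
        return false;
    }
    // Browsers rewrite "\" to "/" in URLs, so "/\/host" becomes "//host": reject backslashes.
    if (strpos($ref, '\\') !== false) {
        return false;
    }
    // Control characters can split the Location header or confuse URL parsing.
    if (preg_match('/[\x00-\x1F\x7F]/', $ref)) {
        return false;
    }
    // Last line of defence: the value must not parse as having a scheme or host.
    $parts = parse_url($ref);
    if ($parts === false || isset($parts['scheme']) || isset($parts['host'])) {
        return false;
    }
    return true;
}

// Choose the redirect target, falling back to a fixed local page when ref is rejected.
// (/login.php is an assumed fallback, not taken from the report.)
function safe_redirect_target(string $ref, string $fallback = '/login.php'): string {
    return is_safe_local_path($ref) ? $ref : $fallback;
}

// Constructed sample inputs, including the payload from the report.
$samples = ['/drpanel/', '/\/www.evil.com', '//www.evil.com', 'https://www.evil.com', "/drpanel/\r\nX: y"];
foreach ($samples as $ref) {
    printf("%-24s naive=%-5s hardened=%-5s -> %s\n", addcslashes($ref, "\r\n"),
        naive_is_local($ref) ? 'allow' : 'block',
        is_safe_local_path($ref) ? 'allow' : 'block',
        safe_redirect_target($ref));
}
```

In the real handler the returned value would be passed to `header('Location: ' . $target)`; the naive check allows the second and fifth samples, the hardened check allows only the first.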