FirstBlood-#1406 Open redirect
This issue was discovered on FirstBlood v3



On 2022-12-09, lumbridge7 Level 4 reported:

Hello firstblood team!

Summary

The endpoints /book-appointment.html and /about.html automatically redirect to a PHP page.

  • book-appointment.html -> book-appointment.php
  • about.html -> about.php

If we intercept this request to analyse the source code of the HTML file, we can see a script setting top.location to the parameter redirect_url.

This is the script in the source code:


    // Read the redirect_url query parameter from the current page URL
    var curUrl = window.location.search;
    var params = new URLSearchParams(curUrl);
    var redirect_url = params.get('redirect_url');

    if (redirect_url == null) {
        top.location.href = 'book-appointment.php';
    } else {
        // The parameter value is assigned to top.location without any validation
        top.location.href = redirect_url;
    }

Based on that, I tried to see if it would accept any random URL to exploit an open redirect by appending ?redirect_url=http://evil.com to the URL, and it worked! It redirects to http://evil.com.

Steps to reproduce

  1. Access the URL https://e7d63648c859-lumbridge7.a.firstbloodhackers.com/book-appointment.html?redirect_url=http://evil.com
  2. You'll automatically be redirected to http://evil.com.

Remediation

To avoid the open redirect vulnerability, parameters of the application script/program must be validated before sending a 302 HTTP code (redirect) to the client browser. Implement safe redirect functionality that only redirects to relative URIs, or to a list of trusted domains.

P5 Informative

Endpoint: /book-appointment.html, /about.html

Parameter: redirect_url

Payload: redirect_url=http://evil.com

Even though this issue has been accepted as valid, no FirstBlood ID has been set for this report.
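The remediation section above describes a safe redirect that only accepts relative URIs or trusted domains. The following is an added example, not the FirstBlood application's code and not the reporter's script: it resolves the redirect_url value against the current origin and only follows it when the result is an http(s) URL whose host is on an allowlist, falling back to the default page otherwise. Resolving through the URL parser first means protocol-relative (//host), backslash and userinfo (https://app@host) forms are all normalized before the host check, and non-web schemes such as javascript: (the XSS vector mentioned in the feedback below) are rejected by the protocol check. The host names app.example and www.app.example, the function name resolveRedirect and the constant names are assumptions made for this example.

```javascript
// Added example, not code from the FirstBlood application or the report.
// Allowlist-based redirect target validation for the redirect_url parameter.

// Constructed allowlist: the application's own host plus any trusted hosts.
const TRUSTED_HOSTS = new Set(['app.example', 'www.app.example']);

// Page to land on when redirect_url is absent or rejected.
const DEFAULT_TARGET = 'book-appointment.php';

/**
 * Return an absolute URL that is safe to assign to top.location.href.
 * rawValue      - the untrusted redirect_url query parameter (may be null)
 * currentOrigin - e.g. window.location.origin ("https://app.example")
 * trustedHosts  - Set of host[:port] values redirects may go to
 * fallback      - relative path used when rawValue is missing or rejected
 */
function resolveRedirect(rawValue, currentOrigin, trustedHosts = TRUSTED_HOSTS, fallback = DEFAULT_TARGET) {
  // The fallback is itself resolved against the origin so callers always get
  // an absolute, same-origin URL back.
  const safeDefault = new URL(fallback, currentOrigin).href;

  if (rawValue == null || rawValue === '') {
    return safeDefault;
  }

  let target;
  try {
    // Resolve relative to the current origin so "/path", "//evil.com",
    // "\\evil.com" and "http://evil.com" are all normalized the same way
    // before any checks run.
    target = new URL(rawValue, currentOrigin);
  } catch (err) {
    // Unparseable input: never pass it through.
    return safeDefault;
  }

  // Reject javascript:, data: and every other non-web scheme outright.
  if (target.protocol !== 'http:' && target.protocol !== 'https:') {
    return safeDefault;
  }

  // Reject any host not on the allowlist. After parsing, userinfo tricks
  // such as https://app.example@evil.com have host === "evil.com".
  if (!trustedHosts.has(target.host)) {
    return safeDefault;
  }

  return target.href;
}

// Browser usage (guarded so the module also loads outside a browser):
if (typeof window !== 'undefined' && typeof top !== 'undefined') {
  const params = new URLSearchParams(window.location.search);
  top.location.href = resolveRedirect(params.get('redirect_url'), window.location.origin);
}
```

Because the check compares the parsed host against an exact set rather than testing whether a string "starts with" or "contains" the site name, look-alike hosts such as app.example.evil.com are rejected as well.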

Report Feedback

@zseano

Creator & Administrator


Hi there, more than an open URL redirect was possible on this endpoint (such as XSS via the JavaScript URI), so this report will be accepted as informative.