FirstBlood-#63 — Open redirect on logout
This issue was discovered on FirstBlood v1
On 2021-05-09, 0xSaltyHash Level 3 reported:
Summary:
The ?ref= parameter on /drpanel/logout endpoint is vulnerable to open redirect. Normally, if you try and go to http://firstbloodhackers.com:<PORT>/drpanel/logout.php?ref=https://google.com/ you get redirected to an invalid page, so I tried prepending // to the redirect URI and finally I got a redirect to a different origin.
POC:
http://firstbloodhackers.com:<PORT>/drpanel/logout.php?ref=//https://google.com/
P4 Low
Endpoint: /drpanel/logout.php?ref=
Parameter: ref=
Payload: http://firstbloodhackers.com:<PORT>/drpanel/logout.php?ref=//https://google.com/
FirstBlood ID: 1
Vulnerability Type: Open Redirect
There is an open URL redirect vulnerability on /logout.php. The code expects the ref value to start with / and does not allow redirects to external domains, but this can be bypassed.
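A leading-slash test alone cannot tell a local path from a scheme-relative reference, because a value beginning with // also starts with /. The sketch below is an added example, not FirstBlood's source: it puts an assumed form of that weak check beside a stricter one. The function names, the /login.php fallback and the sample inputs are all constructed for illustration.

```php
<?php
// Added example, not FirstBlood's source. Function names are hypothetical.

// Assumed shape of the weak check: accepts anything with a leading "/".
function is_local_weak(string $ref): bool
{
    return $ref !== '' && $ref[0] === '/';
}

// Stricter check: exactly one leading "/" followed by a same-site path.
function is_local_strict(string $ref): bool
{
    if ($ref === '' || $ref[0] !== '/') {
        return false;                       // not a rooted path
    }
    if (isset($ref[1]) && ($ref[1] === '/' || $ref[1] === '\\')) {
        return false;                       // "//host" or "/\host": scheme-relative
    }
    // Backslashes and control characters have no place in a local path
    // and are normalised inconsistently by browsers.
    return preg_match('/[\x00-\x1F\x7F\\\\]/', $ref) !== 1;
}

// Resolve the redirect target, falling back to a fixed page (hypothetical path).
function logout_target(string $ref, string $default = '/login.php'): string
{
    return is_local_strict($ref) ? $ref : $default;
}

// Constructed sample inputs; the second has the shape of the reported payload.
$samples = [
    '/drpanel/index.php',
    '//https://google.com/',
    'https://google.com/',
    '/\\example.test',
];
foreach ($samples as $ref) {
    printf("%-24s weak=%-5s strict=%-5s -> %s\n",
        $ref,
        var_export(is_local_weak($ref), true),
        var_export(is_local_strict($ref), true),
        logout_target($ref));
}
```

Where the set of post-logout destinations is small, mapping a short token to a server-side list of paths removes the need to parse a user-supplied URL at all.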