InfoSec Write-ups

A collection of write-ups from the best hackers in the world on topics ranging from bug bounties and CTFs to vulnhub machines, hardware challenges and real life encounters. Subscribe to our weekly newsletter for the coolest infosec updates: https://weekly.infosecwriteups.com/


Complex OPEN REDIRECT Exploitation

Hi readers,

I wrote about my first unique open redirect vulnerability in my previous write-up. You can find it here.

Today I would like to share my recent finding: another unique open redirect vulnerability which is a little bit tricky to exploit.

Let’s get started:

The target is a private program, so let’s call it redacted.com.

BRIEF INTRODUCTION ABOUT THE TARGET:

The target is an e-commerce website builder that offers web design and other business tools. Only two of its subdomains are in scope: admin.redacted.com and api.redacted.com.

After creating a new account, a shop is created based on our username, like https://something.redacted.com

We can change the shop name to another available name if needed. Whatever the name is, our shop URL will be like https://NAME.redacted.com

Exploitation: [there are two stages here]

STAGE 1

After logging into the admin account, under Settings there is an option to change the email address.

If we change the email address, a PUT request is sent to the server with some JSON data in it, something like:

{ "email": "email@mail.com", "shopname": "https://shop.redacted.com", xxxxxxxxx, xxxxxxxxxxx, xxxxxxxxxxxxxx, xxxxxxxxxxx, xxxxxxxx etc. }

Here no proper server-side validation is done, so we can even change the complete shop URL to any other domain, for example from

https://shop.redacted.com -> https://evil.com

The shop name will be updated in the dashboard as https://evil.com

(Before changing the shop name, save the old shop URL for future use.)

POINT TO REMEMBER:

Even if we change the shop name to another name, the old shop URL still works fine.

Let’s get back.

After changing the shop URL to another domain, our first stage of exploitation is complete.

Let’s get into stage 2.

STAGE 2:

As I said earlier, the old shop URL still works fine.

After navigating to the old shop URL, there is an option to create a new customer account.

After creating a new account by giving all the details, like username and email address, the user will get a verification link at that email address.

The link looks something like https://api.redacted.com/emailverify/669321236/3936293/

Once the user clicks on that link, he/she will be redirected to the domain we entered in stage 1, such as evil.com.

Misconfigurations:

  1. No proper server-side validation is done while making changes to the shop name.
  2. After changing the shop name to another name, the old shop URL still works.

By combining both 1 and 2, I have been able to exploit an open redirect vulnerability so far.
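Misconfiguration 1 is the one a fix would target: the "shopname" value in the stage 1 PUT body has to be confined to a shop under the platform's own domain before it is stored and later used as the email-verification redirect target. The check below is an added example, not the target's code; the field names "email" and "shopname" come from the write-up, "redacted.com" stands for the real parent domain, and the handler shape is an assumption.

```python
import json
import re
from urllib.parse import urlsplit

PARENT_DOMAIN = "redacted.com"  # placeholder from the write-up, not the real domain
# One DNS label: 1-63 chars of letters, digits or hyphen, no leading/trailing hyphen.
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def validate_shop_url(url) -> bool:
    """Accept only https://<single-label>.redacted.com (optional trailing slash)."""
    if not isinstance(url, str) or len(url) > 300:
        return False
    try:
        parts = urlsplit(url)
        # Reject userinfo (https://shop.redacted.com@evil.com), explicit ports,
        # and any path/query/fragment that could carry another destination.
        if parts.scheme != "https" or parts.username is not None:
            return False
        if parts.port is not None or parts.path not in ("", "/"):
            return False
        if parts.query or parts.fragment:
            return False
        host = parts.hostname or ""  # lowercased by urlsplit
    except ValueError:  # malformed netloc or non-numeric port
        return False
    suffix = "." + PARENT_DOMAIN
    if not host.endswith(suffix):
        return False  # rejects evil.com and redacted.com.evil.com
    label = host[: -len(suffix)]
    # Exactly one label: "a.b.redacted.com" and ".redacted.com" fail here.
    return LABEL_RE.fullmatch(label) is not None


def handle_settings_put(body: str) -> dict:
    """Assumed shape of the settings endpoint: validate before persisting."""
    data = json.loads(body)
    shop = data.get("shopname")
    if not validate_shop_url(shop):
        return {"status": 400, "error": "shopname must be https://<name>.redacted.com"}
    return {"status": 200, "shopname": shop}
```

With this in place the verification link in stage 2 can only ever redirect to a shop under the parent domain, whatever the dashboard was told.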

I believe it is possible to escalate beyond open redirect.

Thanks for checking out my post, feel free to comment below if you have any ideas on escalating it beyond open redirect :)

Regards,

Akhil


Published in InfoSec Write-ups


Written by Akhil

Student || Security Researcher || Bug Hunter
