How I Bypassed an API Security Check

It began with a visit to the target’s main website, [target.com]. I’m a firm believer that footers often hide gems, so I zeroed in on a “Gift Card” link. Using Burp Suite, I intercepted the request to the gift card page ([target.com]/order/gift-card?...). A few forwards later, I noticed an intriguing JavaScript file loaded from a subdomain: [subdomain.target.com]/tags/JS/v2/[hash]/config?env=0.

Curious, I sent this URL to Burp’s Repeater and hit “Send.” The response was a goldmine—a JSON configuration object for Branch Metrics, a popular deep-linking platform. Nestled in the settings field was an API key: [REDACTED_API_KEY]. Hard-coded, publicly accessible, and begging to be tested.

Branch Metrics keys are used to generate deep links and track user actions, so I wondered: Could this key be abused? To find out, I crafted a simple cURL request to Branch’s API endpoint (https://api2.branch.io/v1/url), aiming to create a deep link:

The response? A shiny new URL: [generated.target.com]/[random_id]. Clicking it redirected me to google.com. The key was live and functional—game on!

Excited, I tried another test, swapping google.com for netflix.com:

This time, I got an error:

Clearly, Branch had some validation in place, restricting which domains the key could link to. My initial excitement faded—was this a dead end?

Not ready to give up, I brainstormed ways to bypass the restriction. Then it hit me: what if I could disguise the destination? I searched “Netflix” on Google, grabbed the shortened link from the results (e.g., https://www.google.com/url?...&url=https://netflix.com/...), and plugged it into the cURL command:

Boom! It worked: [generated.target.com]/[new_id]. Clicking it took me to netflix.com. The API accepted Google’s redirect URL, which then unwrapped to the intended destination. This trick effectively bypassed the security checks, letting me redirect to any site I could wrap in a Google link.