By Yago Martins.
Hello everyone, this is my first bug bounty report, so I apologize if I make any mistakes.
The first step is to explain what an open redirect vuln is.
It’s a web vulnerability that allows an attacker to use an official website to redirect a user to another site, without their consent.
Due to policy, we’re going to call the site https://target.com.
First I started with basic standard reconnaissance and tested some endpoints. During the manual tests I noticed an interesting feature: whenever I tried to buy a product without being logged in, the application took me to the link target.com/Account/Login.aspx?ReturnUrl=/Market/Products.aspx&sw_sc=internet
In other words, the application sends me to the login page, keeping the route I was on previously.
After logging in, as expected, I was redirected to /Market/Products.aspx.
To test that I could redirect to other endpoints, I added the same login endpoint to the ReturnUrl parameter:
target.com/Account/Login.aspx?ReturnUrl=/Account/Login.aspx&sw_sc=internet
And as expected, after logging in, I was redirected again to log in LOL.
After confirming that this parameter could be manipulated, I started doing some tests to see if a 401 code bypass was possible.
If I put anything with a / before it, I was redirected to a non-existent endpoint (404), but if I took the / out, some handling kicked in: the page simply reloaded and nothing happened.
So I started trying some known open redirect bypasses, and when I put target.com/Account/Login.aspx?ReturnUrl=//google.com&sw_sc=internet, the site kept loading for a few seconds until I was redirected back to the main page.
Analyzing the requests, I noticed that whenever I was directed to an endpoint of the site itself that was not expected, the same sw_sc parameter was appended.
So I added this parameter, sw_sc=internet, to my malicious request, but with a question mark (?) before it, so that it would be parsed as a parameter of my payload, and booommmm.
So my final payload was: //google.com?sw_sc=Internet
I was automatically redirected from target.com to google.com.
Remember, I could redirect the user to any site I wanted, using the reputation of the official site to gain credibility.
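As an added defender's example (not code from the original post or the target application), here is a Python ReturnUrl validator that contrasts the naive "starts with /" check suggested by the behaviour above with a stricter check that rejects the protocol-relative //google.com?sw_sc=Internet payload; target.com is the placeholder origin from the write-up.

```python
from urllib.parse import urlsplit, urljoin

# Placeholder origin taken from the write-up; a real app would use its own host.
SITE_ORIGIN = "https://target.com"


def naive_is_local(return_url):
    """The kind of check the observed behaviour suggests: anything that starts
    with '/' is treated as a path on the site. It lets '//google.com' through."""
    return return_url.startswith("/")


def is_safe_return_url(return_url):
    """Accept only a relative path on this site: no scheme, no host,
    no protocol-relative '//' prefix and no backslash tricks."""
    if not return_url:
        return False
    # Browsers and some servers treat '\' like '/', so '/\evil.com' would
    # become '//evil.com'; normalise first so the check below sees it.
    candidate = return_url.replace("\\", "/")
    if candidate.startswith("//"):
        return False  # protocol-relative URL: '//google.com?...' lands here
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:
        return False  # absolute URL ('https://...', 'javascript:...')
    if not candidate.startswith("/"):
        return False  # must be an absolute path on our own site
    # Resolve against our origin and confirm the final origin is still ours.
    resolved = urlsplit(urljoin(SITE_ORIGIN + "/", candidate))
    return (resolved.scheme, resolved.netloc) == ("https", "target.com")


def redirect_target(return_url, default="/"):
    """Where the login page should send the user after a successful login."""
    return return_url if is_safe_return_url(return_url) else default


if __name__ == "__main__":
    for url in ["/Market/Products.aspx", "//google.com?sw_sc=Internet",
                "/\\google.com", "https://google.com", "Market/Products.aspx"]:
        print(f"{url!r:35} naive={naive_is_local(url)!s:5} "
              f"safe={is_safe_return_url(url)!s:5} -> {redirect_target(url)}")
```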
That’s it guys; unfortunately the report was marked as not applicable because it was outside the scope provided, but I’m still on the hunt.
Thanks for reading.