NCIIPC VDP Bug : Open Redirection Vulnerability In Govt. Site !!


Professor0xx01

301 Moved Permanently

Hello Hunters! Hope you are all having a good day and that work is going well too!

Intro: I am p_ra_dee_p, whom you all know as Professor0xx01, a security researcher passionate about making the web safer. Today I am going to walk you through my experience of discovering an open redirect vulnerability on an Indian Government website. So, let's dive into it.

What is Open Redirection?

Open redirection vulnerabilities arise when an application incorporates user-controllable data into the target of a redirection in an unsafe way. An attacker can construct a URL within the application that causes a redirection to an arbitrary external domain. This behavior can be leveraged to facilitate phishing attacks against users of the application.

redirect

In the example shown above, an attacker could modify the redirect URL parameter to point to a malicious website. Unsuspecting users clicking the logout button would then be redirected to a cleverly disguised phishing site, potentially giving up their login credentials or other sensitive information.

Some of the parameters worth checking for this low-hanging vulnerability:

/{payload}
?next=
?url=
?target=
?rurl=
?dest=
?destination=
?redir=
redirect_uri=
?redirect_url=
?redirect=
/redirect/
cgi-bin/redirect.cgi?{}
/out/
/out?
?view=
/login?to=
?image_url=
?go=
?return=
?returnTo=
?return_to=
?checkout_url=
“go”
“return”
“r_url”
“returnUrl”
“returnUri”
“locationUrl”
“goTo”
“return_url”
“return_uri”
“ref=”
“referrer=”
“backUrl”
“returnTo”
“successUrl”
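The same parameter names are useful on the defending side: once you know which query parameters carry redirect targets, you can sweep web server access logs for values that would send a browser off-site. The following is an added example, not code from the write-up or from any government site; the site host and the log lines are constructed placeholders (203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24 are documentation ranges). It only inspects query parameters, not path-style redirectors such as /out/ or /redirect/, and it resolves each value the way a browser would, so that the scheme-relative form //host, the backslash form /\host and the userinfo form https://site@host are all recognised as external.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed placeholder standing in for the redacted host in the write-up.
SITE_HOST = "target.gov.in"

# Query parameter names from the list above, lower-cased for matching.
REDIRECT_PARAMS = {
    "next", "url", "target", "rurl", "dest", "destination", "redir",
    "redirect_uri", "redirect_url", "redirect", "to", "view", "image_url",
    "go", "return", "returnto", "return_to", "checkout_url", "r_url",
    "returnurl", "returnuri", "locationurl", "goto", "return_url",
    "return_uri", "ref", "referrer", "backurl", "successurl",
}

# Common/Combined Log Format prefix: client ident user [time] "METHOD target proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)

# Constructed sample lines (not real traffic). Lines 2 and 3 carry external
# targets; line 4 stays on the site; line 1 is a plain relative path.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /login?next=/dashboard HTTP/1.1" 302 0',
    '203.0.113.9 - - [10/Oct/2023:13:55:40 +0000] "GET /login?next=//evil.example HTTP/1.1" 302 0',
    '198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /out?url=https%3A%2F%2Ftarget.gov.in%40evil.example%2F HTTP/1.1" 302 0',
    '198.51.100.8 - - [10/Oct/2023:13:56:05 +0000] "GET /logout?returnTo=https://target.gov.in/home HTTP/1.1" 302 0',
    '192.0.2.3 - - [10/Oct/2023:13:56:09 +0000] "GET /static/app.js HTTP/1.1" 200 1234',
]


def target_host_of(value: str) -> Optional[str]:
    """Host a browser would be sent to if `value` were used verbatim as a
    redirect target, or None if it is a same-origin relative path.
    Backslashes are normalised because browsers treat '\\' as '/' in
    http(s) URLs; a scheme-only value such as 'javascript:...' is reported
    as the scheme so it is flagged as well."""
    v = unquote(value).strip().replace("\\", "/")
    parts = urlsplit(v)
    if parts.netloc:
        # In 'https://target.gov.in@evil.example' the part before '@' is
        # userinfo; .hostname returns the real host, evil.example.
        return (parts.hostname or "").lower()
    if parts.scheme:
        return parts.scheme + ":"
    return None


def find_suspicious_redirects(lines, site_host: str = SITE_HOST) -> List[Tuple[str, str, str, str]]:
    """Return (client_ip, parameter, raw_value, external_host) for every
    request whose redirect-style parameter points away from site_host."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        query = urlsplit(m["target"]).query
        for name, value in parse_qsl(query, keep_blank_values=True):
            if name.lower() not in REDIRECT_PARAMS:
                continue
            host = target_host_of(value)
            if host is not None and host != site_host:
                hits.append((m["ip"], name, value, host))
    return hits


if __name__ == "__main__":
    for ip, name, value, host in find_suspicious_redirects(SAMPLE_LOG):
        print(f"{ip}: {name}={value!r} -> external host {host}")
```

Hits from this scan are a starting point for review rather than proof of exploitation: a flagged request shows that someone supplied an off-site target, and the accompanying 302 status tells you whether the application honoured it.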

How I detected it

While going through the different government websites I had already collected during the subdomain enumeration phase, I came across a URL (target.gov.in) which instantly redirected me to another URL (target_2.gov.in). I did not expect any vulnerability to exist there (because it was redirecting to a different site every time). But when I reviewed the Burp history, the fun began.

I sent the request to Repeater to see the response. As you can see below, by default it was redirecting me to another URL in the Location header.

Default redirect

Then whenever I added anything, any kind of string (let's say attacker.professor0xx01), it was appended to the redirect URL like the following:

Location: https://target.gov.in.attacker.professor0xx01

Then, after a few minutes of testing, I found this valid payload:

//@evil.com

And, as expected, it was reflected in the HTTP response, appended to the default redirect URL (302 Found):

Location: https://target.gov.in@evil.com
Payload: //@evil.com

And when I clicked the "Follow Redirection" button... B0000MMM!!!

I was redirected to the "Evil.com" domain.

Evil.com (redirected successfully)

So, finally, the affected URL looks like:

https://<target>.com//@evil.com
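Why does this payload work? In https://target.gov.in@evil.com everything between the scheme and the @ is the userinfo part of the URL, so the browser connects to evil.com while the original host merely looks like a username. The server's mistake was to build the Location header by string concatenation instead of parsing the target. The Python below is an added example, not code from the write-up or from the affected site; it reproduces the observed failure mode with a constructed placeholder host (the real host is redacted on the page; stripping the leading slashes of the payload is an assumption chosen so that //@evil.com produces the Location value shown above), then shows a hardened builder that only ever emits a same-site path.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed placeholder standing in for the redacted government host.
SITE_HOST = "target.gov.in"


def vulnerable_location(user_suffix: str) -> str:
    """Reproduces the failure mode described in the write-up: whatever
    followed the host in the request is glued onto the default redirect
    target as a plain string. The real server logic is unknown; stripping
    the leading slashes is an assumption so that '//@evil.com' yields
    'https://target.gov.in@evil.com' as seen in the response."""
    return "https://" + SITE_HOST + user_suffix.lstrip("/")


def effective_host(url: str) -> str:
    """Host a browser will actually connect to for a Location value.
    In 'https://target.gov.in@evil.com' the text before '@' is userinfo,
    so .hostname is evil.com. Backslashes are normalised because browsers
    treat '\\' as '/' in http(s) URLs."""
    return (urlsplit(url.replace("\\", "/")).hostname or "").lower()


def safe_location(user_suffix: str) -> str:
    """Hardened builder: accept only a same-site absolute path. Anything
    that could change the host (scheme-relative '//host', the backslash
    form '/\\host', an absolute URL, or the userinfo trick '//@host') is
    replaced by the site root, and the host is never taken from input."""
    candidate = user_suffix.replace("\\", "/")
    if not candidate.startswith("/") or candidate.startswith("//"):
        return f"https://{SITE_HOST}/"
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:
        return f"https://{SITE_HOST}/"
    # Rebuild from fixed scheme and host; only path and query come from input.
    return urlunsplit(("https", SITE_HOST, parts.path, parts.query, ""))


if __name__ == "__main__":
    vuln = vulnerable_location("//@evil.com")
    print(f"vulnerable: Location: {vuln}  (browser goes to {effective_host(vuln)})")
    for suffix in ("/dashboard?tab=1", "//@evil.com", "/\\evil.com", "https://evil.com/"):
        fixed = safe_location(suffix)
        print(f"hardened:   {suffix!r:20} -> {fixed}  (host {effective_host(fixed)})")
```

The fix pattern generalises beyond this one site: never let user input influence the scheme or authority of a redirect, parse the candidate with a real URL parser, and compare the resulting hostname against an allowlist instead of doing prefix or substring checks on the string.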

Then I wrote a report about this security issue and sent it to the NCIIPC team!

That's it for this article!

Hope you enjoyed it! If you liked it, don't forget to like and follow me for more insightful articles!

THANKS FOR READING !!

Happy Hunting ~~

Keep Learning & keep securing ~~
