Hello guys, what’s up?
At the request of my friend Saigo, I am writing up an Open-Redirect that I reported a long time ago, although it was not considered to have any real-life impact.
If you don’t have an Open-Redirect background and want more educational material, I recommend this one, demonstrated in the OWASP Juice-Shop.
As I explained in my previous article about Open-Redirect, let’s dive straight into the practice. I had a target, which we’ll refer to as redacted.com. I noticed that an absolute URL was being passed to the next parameter in the login URL:
https://redacted.com/login.php?next=https://redacted.com/account.php
Initially, I tried changing the next parameter to http://evil.com, but this didn't work. So, I decided to test for HTTP Parameter Pollution. Since the site was built in PHP, the last occurrence of a parameter usually takes precedence. The final URL I crafted was:
https://redacted.com/login.php?next=https://redacted.com/account.php?next=http://evil.com
After logging in, I was successfully redirected to http://evil.com.
Thanks!
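A server-side check for the next parameter described above, as an added example that is not part of the original write-up or the target's code. The helper name safe_next, the allowed-host argument, the default path and the assumption that account.php also reads its own next parameter are all hypothetical.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (PHP 8+): return $next only if it stays on $allowedHost.
function safe_next(?string $next, string $allowedHost, string $default = '/account.php'): string
{
    // Empty values, control characters and backslashes fall back to the default.
    if ($next === null || $next === '' || preg_match('/[\x00-\x1f\x7f\\\\]/', $next)) {
        return $default;
    }
    $parts = parse_url($next);
    if ($parts === false || isset($parts['user']) || isset($parts['pass'])) {
        return $default;
    }
    if (!isset($parts['scheme']) && !isset($parts['host'])) {
        // Relative target: a single leading "/" only ("//host" is protocol-relative).
        return (str_starts_with($next, '/') && !str_starts_with($next, '//')) ? $next : $default;
    }
    // Absolute target: https and an exact host match, not a prefix or substring test.
    $ok = strtolower($parts['scheme'] ?? '') === 'https'
        && strtolower($parts['host'] ?? '') === strtolower($allowedHost);
    return $ok ? $next : $default;
}

$host = 'redacted.com';

// PHP keeps the last occurrence of a repeated parameter, so the check must run
// on the parsed value the application will actually use (constructed query string).
parse_str('next=/account.php&next=http://evil.com', $dup);
var_dump($dup['next']);
var_dump(safe_next($dup['next'], $host));

// The URL from the write-up: the outer value is same-host, so login.php accepts it.
$outer = 'https://redacted.com/account.php?next=http://evil.com';
var_dump(safe_next($outer, $host) === $outer);

// Assumption: account.php reads its own "next". It has to run the same check,
// otherwise the nested value is followed after the first, legitimate redirect.
parse_str((string) parse_url($outer, PHP_URL_QUERY), $inner);
var_dump(safe_next($inner['next'], $host));
```

Validating only at login.php is not enough when the accepted same-host target carries its own redirect parameter; every endpoint that redirects on next needs the check.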