Open redirect using homographs


This story is about open redirect and homograph attacks.

Bug bounty was hard for me, so I was looking to automate my bug bounty using tools that I create. One way was to take the locations below, add the payload, and check whether the URL was redirected.

/{payload}

?next=

?url=

?target=

?rurl=

?dest=

?destination=

?redir=

redirect_uri=

?redirect_url=

?redirect=

/redirect/

The payload wordlist I used:

WELL!!! VULNERABILITY FOUND!!!

I can't show the real website, so I will call it “website.com”.

Payload:

https://www.website.com///%5cⓁ𝐨𝗰𝐀𝕝ⅆ𝓸ⓜₐℹⓃ。Pⓦ

The website got redirected to “localdomain.pw”.

BUT WHY???

After some fuzzing I could see that the website redirects to anything after the “///”, but when I enter a character such as a dot I get a 403 error back.

Well, it looks like there is just a blacklist of characters, and we bypassed it using homograph characters.

But that doesn't yet explain why it works.

The reason it worked is that in some backends, the backend sees a character such as Å and says, in effect: "I don't know this character, but it looks like A, so I'm going to replace it with A inside." The blacklist checks the text before that replacement happens, so any character can be written as a homograph to bypass the WAF or blacklists.
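The defensive counterpart, as an added example that is not part of the original post: canonicalize the redirect target first, then validate the canonical form against an allowlist instead of blacklisting characters in the raw text. It assumes NFKC is the normalization the backend applies and goes slightly beyond the case above by also folding backslashes and fullwidth slashes; the function names, `ALLOWED_HOSTS` and the `example.test` sample are constructed for illustration.

```python
import unicodedata
from urllib.parse import unquote, urlsplit

ALLOWED_HOSTS = {"www.website.com"}  # assumption: the only host we redirect to
# RFC 3490 label separators that must be treated as "." (NFKC alone leaves U+3002)
IDNA_DOTS = str.maketrans("\u3002\uff0e\uff61", "...")

def naive_blacklist_ok(target: str) -> bool:
    """Weak pattern: inspect the raw text for a forbidden ASCII character."""
    return "." not in target

def canonicalize(target: str) -> str:
    """Reduce the target to the form a normalizing backend or browser acts on."""
    text = unquote(target)                      # %5c -> backslash
    text = unicodedata.normalize("NFKC", text)  # look-alike letters -> ASCII
    text = text.translate(IDNA_DOTS)            # ideographic full stop -> "."
    return text.replace("\\", "/")              # browsers treat "\" like "/"

def safe_redirect_target(target: str) -> bool:
    """Validate the canonical form, never the raw input."""
    canon = canonicalize(target)
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in canon):
        return False                            # control characters
    if canon.startswith("/") and not canon.startswith("//"):
        return True                             # path on the same site
    try:
        parts = urlsplit(canon)
    except ValueError:
        return False
    return parts.scheme in ("http", "https") and parts.hostname in ALLOWED_HOSTS

def circled(word: str) -> str:
    """Build constructed sample input: a-z -> circled letters U+24D0..U+24E9."""
    return "".join(chr(0x24D0 + ord(c) - ord("a")) for c in word)

# Constructed sample shaped like the payload above, pointing at example.test
SAMPLE = "///%5c" + circled("example") + "\u3002" + circled("test")

if __name__ == "__main__":
    print("raw blacklist passes:", naive_blacklist_ok(SAMPLE))
    print("canonical form:      ", canonicalize(SAMPLE))
    print("allowed after fix:   ", safe_redirect_target(SAMPLE))
```
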

But wait! This is not the end. What if the website uses a WAF to protect against other attacks such as XSS or SQLi? We may be able to bypass them too.

OWASP wrote an article about bypassing SQLi using “Unicode Smuggling”:

https://owasp.org/www-pdf-archive/OWASP_IL_2007_SQL_Smuggling.pdf

You may go to page 20 and see how they did SQL injection using homograph translation.
