Second bug on VDP program

6 months ago

devMRT

In the name of God, the Most Gracious, the Most Merciful

Hey there. In this write-up I'll finish talking about the other two bugs I found on a VDP program; both are Open Redirects.
I'll refer to the program as target.com. Let's get started.

After I found the first bug I submitted the report, and then I went over my notes to check whether I had forgotten anything. I found a little note that said "test Open Redirect on mospsaml/actions/sendAuthnRequest?relayState=". I had written this note because at the time I was busy testing XSW (XML Signature Wrapping) on the SAML authentication.
1. So I set up Burp and opened the URL "https://store.target.com/mospsaml/actions/sendAuthnRequest?idp_name=D2C&relayState=https://google.com/",
sent the request to Burp Repeater and followed the redirects, keeping an eye on the Location response header. This did not work, because there was validation in the way.

2. The site only checked whether "store.target.com" appeared somewhere in the URL, so it was simple to bypass by using "relayState=https://googl.com/LoginSeagate.html?store.target.com/customer/account/", and I got the Google 404 page.

3. To escalate the severity of the bug, I hosted a copy of the target's login page, pointed its form submission at my "webhook.site" instance, and added a client-side redirect to "store.target.com".

So any user who opens the link "https://store.target.com/mospsaml/actions/sendAuthnRequest?relayState=https://my.hosted.com/Login.html?store.target.com/account/", even if already logged in, gets redirected by target.com to my hosted login page. Users enter their credentials, which get leaked to my "webhook.site" instance, and then they get redirected to "store.target.com".
Because they trust target.com and its redirection, users will happily submit their credentials :)

On the reset password page you first need to enter your email and then choose reset by mail. By analysing the mail I received, I found that the URL had parameters called "Loginurl", "username" and "confirmation_token".
I tried to find a way to change the "Loginurl" value to my hosted login page that leaks the credentials to "webhook.site".

The first thing that came to my mind was: what if I used an invalid "confirmation_token"? I found that target.com opened a page with a button called "send", which sends the reset password mail. But what about using an invalid token and setting the login URL to my hosted page, "confirmation_token=blabla&Loginurl=https://my.hosted.com/Login.html", then clicking "send"? The mail surprised me, because its URL contained "Loginurl=https://my.hosted.com/Login.html". Clicking that link opened the reset password page, with fields to set the new password and confirm it. After setting the new password and clicking "sign in", my hosted page was opened.

By exploiting that bug, target.com would send its users to authenticate on my hosted page first 🤦‍♂️, leaking their new password, and then I would redirect them to target.com.
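Both bugs come down to the same root cause: the redirect parameter (relayState, and later Loginurl) was accepted as long as the trusted host name appeared somewhere in the string. The following is an added example, not the program's code, showing that weak substring check next to a hardened validator that parses the URL and compares the host exactly; the allowlist and the fallback path are assumptions.

```python
from urllib.parse import urlsplit

# Assumed allowlist and fallback, not taken from the program.
ALLOWED_HOSTS = {"store.target.com"}
SAFE_FALLBACK = "/"


def weak_is_safe(relay_state: str) -> bool:
    """The check the write-up describes: passes if the trusted host name
    appears *anywhere* in the value, so a foreign URL carrying the host
    name in its path or query string slips through."""
    return "store.target.com" in relay_state


def hardened_relay_target(relay_state: str) -> str:
    """Return a redirect target that is safe to use, or SAFE_FALLBACK.

    Accepts a same-origin relative path, or an absolute https URL whose
    parsed host is exactly in ALLOWED_HOSTS. The host comes from urlsplit,
    so text in the path or query cannot satisfy the check."""
    if not relay_state:
        return SAFE_FALLBACK
    # "//host" and backslash variants are scheme- or host-relative in
    # browsers and would defeat a naive "starts with /" path check.
    if relay_state.startswith(("//", "/\\", "\\")):
        return SAFE_FALLBACK
    parts = urlsplit(relay_state)
    if parts.scheme == "" and parts.netloc == "":
        # Relative path on the same origin, e.g. /customer/account/
        return relay_state if relay_state.startswith("/") else SAFE_FALLBACK
    if parts.scheme != "https":
        return SAFE_FALLBACK
    if parts.hostname is None or parts.hostname.lower() not in ALLOWED_HOSTS:
        return SAFE_FALLBACK
    # Reject userinfo ("https://user@host/") so the displayed host matches
    # the real destination.
    if parts.username or parts.password:
        return SAFE_FALLBACK
    return relay_state
```

The same function applies to the reset-mail Loginurl value, which should additionally be ignored whenever the confirmation token fails to validate.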

Thanks for reading, and I hope you all find your first bug too ❤ :)
