Story Behind Open-Redirection worth $$$

11 months ago

Jerry1319

Hi everyone,

I am Mohd Hasan Ansari (Jerry1319) from Nepal, an independent security researcher.

If you find any spelling errors, let them be. Let's start.

After a long break and burnout, I decided to give a private program on bugv a chance, but unfortunately only the main domain is in scope. Let's assume the domain is domain.com/*.

I quickly started with some basic recon on the target via Google dorking and GitHub dorking, but unfortunately I didn't find anything juicy related to the target that could be reported as a security issue.

After all that, when I still hadn't found anything, I ran waybackurls on the main domain to collect its indexed endpoints.

echo "domain.com" | waybackurls | tee -a wayback.txt

After running waybackurls, I opened the domain in the browser to check the technologies it was built with and the functions available on the target to test.

To my surprise, I didn't find anything interesting in the technology stack either, but while playing with the functions I noticed that the domain uses the Shopify SDK. I then quickly went back to the wayback data and started looking for parameters, since I had previously found an SSRF through a third-party SDK.

While going through the wayback data, I came across the endpoint https://domain.com/shop?auth=undefined. I quickly changed undefined to evil.com, and surprisingly the site redirected to evil.com.

I tried to find an SSRF via the /shop?auth= endpoint, but due to some internal protection the site blocked me from doing so. After trying for 2-3 hours I left it as it was and reported it as an open redirection issue.

After a couple of days the program team triaged the report, and after a month they rewarded me with a $$$ bounty.

Since then, whenever I see Shopify or its SDK in use on a domain, I always check the shop?auth= endpoint.
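The root cause above is a redirect handler that trusts whatever lands in the auth parameter. Here is an added example of how such a handler could validate its target before redirecting; this is my own illustration, not the program's or Shopify's code. domain.com is the write-up's placeholder, and ALLOWED_HOSTS plus the sample inputs are assumptions I constructed.

```python
from urllib.parse import urlsplit, urlunsplit

# Hosts a redirect may land on. "domain.com" is the placeholder the
# write-up uses for the in-scope target (assumed allowlist).
ALLOWED_HOSTS = {"domain.com", "www.domain.com"}
ALLOWED_SCHEMES = {"http", "https"}


def safe_redirect_target(value, allowed_hosts=ALLOWED_HOSTS):
    """Return a same-origin relative path to redirect to, or None.

    Rejects anything that would send the browser off-site: an absolute
    URL to a foreign host, a scheme-relative //host, a backslash variant,
    a userinfo trick (host@evil), or a non-http scheme such as javascript:.
    """
    if not value or value == "undefined":
        return None
    # Browsers treat backslashes like slashes in the authority, so
    # normalise first; "/\evil.com" must not be parsed as a harmless path.
    candidate = value.replace("\\", "/")
    parts = urlsplit(candidate)
    if parts.scheme and parts.scheme.lower() not in ALLOWED_SCHEMES:
        return None
    if parts.netloc:
        # parts.hostname strips userinfo and port, so "domain.com@evil.com"
        # yields "evil.com" and is rejected by the allowlist check.
        if (parts.hostname or "").lower() not in allowed_hosts:
            return None
        path = parts.path or "/"
    else:
        # No authority: must be a plain relative path. A bare "evil.com"
        # is not a path on our site, so require exactly one leading slash.
        if not candidate.startswith("/") or candidate.startswith("//"):
            return None
        path = parts.path
    # A path beginning with "//" would be emitted as scheme-relative and
    # reopen the redirect, so refuse it even on an allowed host.
    if path.startswith("//"):
        return None
    # Re-emit without scheme or host so the destination cannot drift.
    return urlunsplit(("", "", path, parts.query, parts.fragment))


if __name__ == "__main__":
    # Constructed sample values, including the one from the write-up.
    for v in ["undefined", "evil.com", "https://evil.com", "//evil.com",
              "/\\evil.com", "https://domain.com@evil.com/",
              "https://domain.com//evil.com", "/shop", "https://domain.com"]:
        print(f"{v!r:36} -> {safe_redirect_target(v)!r}")
```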

That's all for today's write-up.

Thanks for Reading

Signing Out Jerry1319
