Open-redirect [in email]

Hi everyone, this is my first write-up, about my unique finding: an open redirect in an acknowledgement email. Let's go.


An Open Redirection is when a web application or server uses an unvalidated user-submitted link to redirect the user to a given website or page. Even though it seems harmless to let a user decide which page they want to be redirected to, such a technique, if exploited, can have a serious impact on the application's security, especially when combined with other vulnerabilities and tricks.

About my finding:

Recently, I got a private invite on Bugcrowd with a limited scope. Let's consider the target as … It has an in-scope subdomain … which I thought I'd check out.

The subdomain hosts several forms, such as a feedback form and a send-CV/resume form. I chose the feedback form.

After navigating to the form, it asks for details like our email address, query, etc. After filling in all the details, I thought I'd look at the request in Burp Suite, so I captured the POST request, which has the data shown below:


[Screenshot: the captured POST request]

Did you find anything suspicious in the above request?

Yes, the submissionUrl parameter.

What do we basically do after seeing an HTTP URL in the request body?

We try to check whether it is vulnerable to SSRF.

Here, I replaced the submissionUrl parameter with my Burp Collaborator link, but I didn't get any DNS or HTTP interaction. However, I did get an acknowledgement email at the email address I had given.

I opened the email; it showed all the details I had given while filling in the form.

One thing in that email looked suspicious: there is a hyperlink on the heading "Feedback on Home", as shown in the screenshot below:

[Screenshot: the acknowledgement email with the hyperlinked "Feedback on Home" heading]

I clicked on it and was redirected to my Burp Collaborator link. Then I went back to the form and filled in all the details again. This time, in the submissionUrl parameter, instead of the Burp Collaborator link I gave … and sent the request.

This time I got a similar email at my email address. But now, if I click on the heading, it redirects to …

The link looks as shown below:


So whatever we enter in the submissionUrl parameter is reflected, without validation, as the redirect URL in the acknowledgement email.
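As an added example (not code from this write-up or from the affected application), here is the pattern the post describes, an email link built directly from the user-supplied submissionUrl, next to a fail-closed validator that only lets the link point back at an allow-listed host. This also illustrates the general open-redirect definition given at the start of the post. The host forms.example.com, the constant and function names, and the sample inputs are assumptions I constructed; none of them is the target from the write-up.

```python
import html
from urllib.parse import urlsplit, urlunsplit

# Assumed deployment values (constructed placeholders, not the write-up's target):
# the form application lives on forms.example.com and every link in the
# acknowledgement email must stay on that host.
OWN_HOST = "forms.example.com"
ALLOWED_HOSTS = {OWN_HOST}
DEFAULT_URL = f"https://{OWN_HOST}/"


def safe_submission_url(value) -> str:
    """Validate a user-supplied submissionUrl before it is embedded in an email.

    Returns the URL normalised to https on an allow-listed host when it stays
    on that host; anything else (third-party host, protocol-relative URL,
    userinfo trick, non-https scheme, odd port, control characters) falls back
    to DEFAULT_URL, so the email can no longer act as an open redirect.
    """
    if not isinstance(value, str):
        return DEFAULT_URL
    value = value.strip()
    if not value or any(ord(c) < 0x20 or c == " " for c in value):
        return DEFAULT_URL  # empty, or contains control characters / spaces
    try:
        parts = urlsplit(value)
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return DEFAULT_URL

    # Site-relative path such as "/feedback/home": no scheme, no authority,
    # and not a protocol-relative "//host" form.
    if parts.scheme == "" and parts.netloc == "":
        if value.startswith("/") and not value.startswith("//"):
            return urlunsplit(("https", OWN_HOST, parts.path, parts.query, ""))
        return DEFAULT_URL

    # Absolute URL: https only, exact host match, no userinfo, no unusual port.
    host = (parts.hostname or "").lower()
    if (
        parts.scheme.lower() != "https"
        or host not in ALLOWED_HOSTS
        or parts.username is not None
        or parts.password is not None
        or port not in (None, 443)
    ):
        return DEFAULT_URL
    return urlunsplit(("https", host, parts.path or "/", parts.query, ""))


def render_ack_email_vulnerable(form: dict) -> str:
    """The pattern described in the write-up: submissionUrl copied straight into the link."""
    return f'<h2><a href="{form["submissionUrl"]}">Feedback on {form["page"]}</a></h2>'


def render_ack_email_fixed(form: dict) -> str:
    """Same email, but the link target is validated and the page name is HTML-escaped."""
    link = safe_submission_url(form.get("submissionUrl"))
    page = html.escape(str(form.get("page", "")))
    return f'<h2><a href="{link}">Feedback on {page}</a></h2>'


if __name__ == "__main__":
    # Constructed sample values for the submissionUrl parameter
    samples = [
        "https://forms.example.com/feedback/home",          # legitimate, kept
        "/feedback/home?ref=ack",                           # site-relative, kept
        "https://attacker.example/",                        # third-party host
        "//attacker.example/",                              # protocol-relative
        "https://forms.example.com@attacker.example/",      # userinfo trick
        "javascript:alert(1)",                              # non-https scheme
        "https://forms.example.com:8443/",                  # unexpected port
        "",                                                 # empty
    ]
    for s in samples:
        print(f"{s!r:50} -> {safe_submission_url(s)}")
    print(render_ack_email_fixed({"submissionUrl": samples[2], "page": "Home"}))
```

The validator is deliberately fail-closed: if the application only ever needs to link back to the page the feedback was left on, a site-relative path is enough and absolute URLs can be rejected outright, which removes the host-matching logic and its edge cases entirely.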

Thanks a lot for reading.
