Open-redirect in Acknowledgement email

Hi Everyone

This is my first writeup about my unique finding open redirect vulnerability in acknowledgement email.

Open-redirect Vulnerability:

An Open Redirection is when a web application or server uses an unvalidated user-submitted link to redirect the user to a given website or page. Even though it seems like a harmless action to let a user decide to which page he wants to be redirected, such technique if exploited can have a serious impact on the application security, especially when combined with other vulnerabilities and tricks.

About my finding :

I got a private invite in bugcrowd which has limited scope. let’s consider the target as private.com. It has in-scope subdomain form.private.com I thought to check it out.

The subdomain https://form.private.com has different forms like feedback form, send CV/Resume etc., So, I have chosen a feedback form.

After navigating to the form it asks for different details like our email address, query, etc., after filling all the details I thought to look at the request in burpsuite. So I captured that POST request which has the following data shown below

{“submissionUrl”:”https://form.private.com/?k=jsdkjsdkhskdgjgs&d=228735228",”fieldValues”:{“1861396”:”test”:”email@gmail.com”}}

Did you find anything suspicious in the above request ??

Yes, the submissionUrl parameter .

What will we do basically after seeing a http request in the body ?

we will try to check whether it is vulnerable to SSRF.

Here, I replaced the submissionUrl parameter with my burp collaborator link but I didn’t get any DNS or HTTP interaction. But, I got acknowledgement email to the email address I’ve given.

I opened the email, It shows all the details I’ve given while filling the form.

One thing in that email looks suspicious is, there is a hyperlink in the heading Feedback on Home as shown in the below screenshot:

I clicked on that and it got redirected to my burp collaborator link. Now I went back to the form , filled all the details. This time in submissionUrl parameter instead of burp collab link I’ve given https://google.com and passed the request.

This time I got similar email to my email address. But, this time if I click on the heading it is being redirected to google.com

Link looks as shown below

https://app.private.com/app/xxx/-/log?se=xxxxx&dest=https://google.com&hash=xxxxxxxxxxxxxxxxx

Misconfiguration:

Here what we enter in the submissionUrl parameter is being reflected as a redirect URL in the acknowledgement email.

Thanks a lot for reading.

Bounty 200$

Regards,

Akhil

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store