This is my first writeup, about an open redirect vulnerability I found in an acknowledgement email.
An open redirect occurs when a web application or server uses an unvalidated, user-supplied URL to send the user to another site or page. Letting the user decide which page they are redirected to looks harmless, but the behaviour can have a serious impact on application security when exploited, especially when combined with other vulnerabilities and tricks.
About my finding :
I got a private invite on Bugcrowd with a limited scope. Let's call the target private.com. It has an in-scope subdomain, form.private.com, which I decided to check out.
The subdomain https://form.private.com hosts several forms, such as a feedback form and a CV/resume submission form. I chose the feedback form.
The form asks for details such as an email address and the query. After filling everything in, I looked at the request in Burp Suite and captured the POST request, whose body is shown below:
Did you notice anything suspicious in the request above?
Yes, the submissionUrl parameter.
What do we usually do when we see a URL in a request body?
We check whether it is vulnerable to SSRF.
So I replaced the submissionUrl value with my Burp Collaborator link, but I got no DNS or HTTP interaction. I did, however, receive an acknowledgement email at the address I had given.
I opened the email; it showed all the details I had entered in the form.
One thing looked suspicious: the heading Feedback on Home was a hyperlink, as shown in the screenshot below:
I clicked it and was redirected to my Burp Collaborator link. I went back to the form, filled in all the details again, and this time set submissionUrl to https://google.com instead of the Collaborator link before sending the request.
I received a similar email, and this time clicking the heading redirected me to google.com.
The link looks as shown below:
Whatever is entered in the submissionUrl parameter is reflected, unvalidated, as the redirect URL in the acknowledgement email. Because that email is sent by the target's own mail infrastructure, a link in it that leads to an attacker-chosen site is a credible phishing lure, which is what makes this open redirect more than a harmless nuisance.
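To show what this bug looks like in code and how it should be fixed, here is an added example that is not the target's code and not part of the original writeup. It models a mail template that builds the "Feedback on Home" heading link from the submitted submissionUrl, first verbatim (the vulnerable behaviour observed above) and then through a validator that only lets the link point at an allowlisted host. The handler shape, the ALLOWED_HOSTS set, DEFAULT_LINK and the attacker URLs are assumptions for illustration.

```python
from html import escape
from urllib.parse import urlsplit, urlunsplit, urljoin

# Assumed allowlist: hosts an acknowledgement email may link back to.
# The real application would own this list; private.com is the writeup's placeholder.
ALLOWED_HOSTS = {"form.private.com", "www.private.com"}
DEFAULT_LINK = "https://form.private.com/"


def render_heading(href: str) -> str:
    """Build the heading link as it appears in the acknowledgement email."""
    return f'<h2><a href="{escape(href, quote=True)}">Feedback on Home</a></h2>'


def vulnerable_email_heading(submission_url: str) -> str:
    """Vulnerable: the user-controlled submissionUrl becomes the href verbatim.
    HTML-escaping stops injection into the markup but does nothing about
    the destination, so https://google.com (or an attacker site) is linked as-is."""
    return render_heading(submission_url)


def safe_ack_href(submission_url: str) -> str:
    """Return an href that always lands on an allowlisted host over https.

    Accepts a site-relative path ("/feedback/home?id=1") or an absolute https
    URL whose hostname is in ALLOWED_HOSTS. Everything else, including
    protocol-relative ("//evil"), backslash and userinfo tricks, falls back to
    DEFAULT_LINK instead of being reflected.
    """
    candidate = submission_url.strip()
    # Browsers treat "\" like "/", and "user@host" hides the real host; refuse both.
    if "\\" in candidate or "@" in candidate or candidate.startswith("//"):
        return DEFAULT_LINK
    parts = urlsplit(candidate)
    if parts.scheme == "" and parts.netloc == "":
        # Relative target: only accept an absolute path on our own origin.
        if not candidate.startswith("/"):
            return DEFAULT_LINK
        return urljoin(DEFAULT_LINK, candidate)
    if parts.scheme != "https":          # rejects http:, javascript:, data:, ...
        return DEFAULT_LINK
    host = (parts.hostname or "").lower()
    if host not in ALLOWED_HOSTS or (parts.port not in (None, 443)):
        return DEFAULT_LINK
    # Rebuild from validated components; drop fragment and any stray netloc text.
    return urlunsplit(("https", host, parts.path or "/", parts.query, ""))


def hardened_email_heading(submission_url: str) -> str:
    """Fixed: the link is validated before it is placed in the email."""
    return render_heading(safe_ack_href(submission_url))


if __name__ == "__main__":
    # Constructed sample inputs: what a tester might submit as submissionUrl.
    samples = [
        "https://google.com",
        "https://attacker.example/phish",     # stand-in for a Collaborator host
        "//google.com",
        "https://form.private.com@google.com/",
        "javascript:alert(1)",
        "/feedback/home?ref=1",
        "https://form.private.com/feedback/home",
    ]
    for s in samples:
        print(f"{s!r:45} -> {safe_ack_href(s)}")
```

The hardened version deliberately rebuilds the URL from parsed components rather than echoing the input once it passes checks; that way a value the parser and the browser disagree about (backslashes, embedded credentials, odd ports) cannot slip through as text that was "validated" but still lands somewhere else. If the form only ever needs to point back at the page the feedback was left on, restricting submissionUrl to a site-relative path is the simplest and strictest fix.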
Thanks a lot for reading.