Open-redirect in Acknowledgement email
Hi Everyone
This is my first writeup about my unique finding open redirect vulnerability in acknowledgement email.
Open-redirect Vulnerability:
An Open Redirection is when a web application or server uses an unvalidated user-submitted link to redirect the user to a given website or page. Even though it seems like a harmless action to let a user decide to which page he wants to be redirected, such technique if exploited can have a serious impact on the application security, especially when combined with other vulnerabilities and tricks.
About my finding :
I got a private invite in bugcrowd which has limited scope. let’s consider the target as private.com. It has in-scope subdomain form.private.com I thought to check it out.
The subdomain https://form.private.com has different forms like feedback form, send CV/Resume etc., So, I have chosen a feedback form.
After navigating to the form it asks for different details like our email address, query, etc., after filling all the details I thought to look at the request in burpsuite. So I captured that POST request which has the following data shown below
{“submissionUrl”:”https://form.private.com/?k=jsdkjsdkhskdgjgs&d=228735228",”fieldValues”:{“1861396”:”test”:”email@gmail.com”}}
Did you find anything suspicious in the above request ??
Yes, the submissionUrl parameter .
What will we do basically after seeing a http request in the body ?
we will try to check whether it is vulnerable to SSRF.
Here, I replaced the submissionUrl parameter with my burp collaborator link but I didn’t get any DNS or HTTP interaction. But, I got acknowledgement email to the email address I’ve given.
I opened the email, It shows all the details I’ve given while filling the form.
One thing in that email looks suspicious is, there is a hyperlink in the heading Feedback on Home as shown in the below screenshot:
I clicked on that and it got redirected to my burp collaborator link. Now I went back to the form , filled all the details. This time in submissionUrl parameter instead of burp collab link I’ve given https://google.com and passed the request.
This time I got similar email to my email address. But, this time if I click on the heading it is being redirected to google.com
Link looks as shown below
https://app.private.com/app/xxx/-/log?se=xxxxx&dest=https://google.com&hash=xxxxxxxxxxxxxxxxx
Misconfiguration:
Here what we enter in the submissionUrl parameter is being reflected as a redirect URL in the acknowledgement email.
Thanks a lot for reading.
Bounty 200$
Regards,
Akhil
