Open Redirect vulnerabilities have been around for a long time. Finding one can be extremely easy, or it can be extremely difficult. Read on to find out how I found an Open Redirect vulnerability in a popular automation application.
Report: Open Redirect Vulnerability
Program: Zapier Bug Bounty Program
About The Vulnerability
Applications redirect a user from one part of a website to another using query parameters such as ?next=url or ?to=url. Say a website xyz wants to send the user to their cart after logging in: the URL would look something like www.xyz.com/login?next=%2Fcart. Now, what if I change the value /cart to a website that is not part of xyz? If the application does not validate the destination, xyz will happily redirect to whatever site is named, and that is an Open Redirect. It gets worse if xyz appends the user's authentication token to the redirect (for example in ?token=): the attacker's site then receives the token and gains full access to the account. The "You are leaving our site" confirmation pages you have probably seen on popular websites exist to guard against exactly this.
Finding The Vulnerability
Zapier integrates with a ton of websites. One day, while working on my project, I was taken to Zapier to retrieve one of their templates. As I was logging in through my Google account, I noticed that the URL had a parameter ?next=template-id, which would take me to the desired template after logging in.
I changed the template ID to https://google.co.in, but that did not bypass Zapier's open redirect protection, so I percent-encoded the URL as https%3A%2F%2Fgoogle.co.in. As soon as I logged in, I was redirected to the Google homepage. I immediately reported the flaw; the Zapier team replied quickly, confirmed that the vulnerability was fixed, and awarded me a bounty of $100!
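To make the ?next= pattern and the encoding bypass concrete, here is an added Python example. It is not Zapier's code: vulnerable_redirect_target is a hypothetical reconstruction of the bug class (the allow-check runs on the raw, still percent-encoded query value and the value is decoded only afterwards), and safe_redirect_target shows the fix a practitioner would want: decode once, parse, and accept only same-origin absolute paths. The /dashboard default and every input string are constructed for the example.

```python
"""Open redirect: a naive ?next= filter beside a hardened one.

Added example, not Zapier's code. The vulnerable function models the
class of bug described in the write-up: the allow-check inspects the
raw, still percent-encoded query value, while the redirect uses the
decoded value. All inputs and the default target are constructed.
"""
from urllib.parse import unquote, urlsplit

DEFAULT_NEXT = "/dashboard"  # constructed default landing page


def vulnerable_redirect_target(raw_next: str) -> str:
    """Hypothetical naive filter: block values that look like absolute
    URLs, then decode.

    'https://evil.example' is caught, but 'https%3A%2F%2Fevil.example'
    passes the prefix check and decodes to the URL the check was meant
    to block, which is exactly the bypass from the write-up.
    """
    if raw_next.startswith(("http://", "https://", "//")):
        return DEFAULT_NEXT
    return unquote(raw_next)  # decoded too late: the check saw the encoded form


def safe_redirect_target(raw_next: str, default: str = DEFAULT_NEXT) -> str:
    """Allow only same-origin, absolute-path targets.

    Decode exactly once, then parse. Anything carrying a scheme or host,
    anything not starting with exactly one '/', and anything containing
    control characters or backslashes (which browsers treat like '/')
    is replaced by the default.
    """
    if not raw_next:
        return default
    decoded = unquote(raw_next)
    if any(ord(c) < 0x20 or c == "\\" for c in decoded):
        return default
    parts = urlsplit(decoded)
    if parts.scheme or parts.netloc:
        return default
    if not decoded.startswith("/") or decoded.startswith("//"):
        return default
    return decoded


if __name__ == "__main__":
    # Constructed attacker and benign inputs, run through both filters.
    for raw in ("https://evil.example", "https%3A%2F%2Fevil.example",
                "//evil.example", "/%5Cevil.example", "%2Fcart", "/cart?item=3"):
        print(f"{raw!r:32} naive -> {vulnerable_redirect_target(raw)!r:24} "
              f"safe -> {safe_redirect_target(raw)!r}")
```

The naive filter fails because it validates one representation of the value and redirects with another; the safe version canonicalises first and then applies an allow-list (same-origin absolute paths only) rather than trying to deny-list every way of spelling an external URL.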
More about Open Redirects: https://portswigger.net/kb/issues/00500100_open-redirection-reflected
Zapier’s Bug Bounty Hall Of Fame: https://zapier.com/engineering/bug-bounty-hall-of-fame/
Until next time!