Assalam O Alaikum
السَّلَامُ عَلَيْكُمْ
This is the story of finding the same open redirect vulnerability in several subdomains of an organization (sorry for not disclosing their name).
I made multiple attempts to redirect the website to a malicious website, i.e. evil.com, using:
- Host Header Injection
- Parameter tampering
But I failed. So I thought of tampering with the URL path. After some tries I found that if I add /.evil.com after the URL path, I get a 301 (Moved Permanently).
This gave me hope. Then I just opened my terminal and pasted a curl request like this:
curl https://subdomain.vuln.com/.evil.com -IL
Let me explain this for you.
- curl ----> for sending an HTTP request (in general, it sends a GET request. That's why there is no need to mention the request method).
- https://subdomain.vuln.com/.evil.com ----> this is my vulnerable subdomain with the payload ( /.evil.com ).
- -IL ----> these two options ( -I and -L ) are for showing the headers only and following redirections.
So, that gave me an SSL error 🤦, because evil.com has no SSL certificate. But that's not a big problem at all, because I got the Location header in my 1st HTTP response, which is:
Location: https://subdomain.vuln.com.evil.com
This is a subdomain of evil.com, so it's an open redirect vulnerability. And that's how I found it in 6 subdomains of that organization. 😃
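A check for this from the defending side, as an added example that is not part of the original post: it classifies a redirect's Location header relative to the requested host and flags the case above, where the requested host is only a prefix of the target hostname. The function names and all sample records except the post's own URL pair are constructed for illustration.

```python
from urllib.parse import urljoin, urlsplit


def _host(url):
    # .hostname drops userinfo and port and lowercases; strip a trailing root dot
    return (urlsplit(url).hostname or "").rstrip(".")


def classify_redirect(request_url, location):
    """Classify a Location header relative to the URL that was requested."""
    # Browsers treat "\" like "/" in http(s) URLs, so normalise before parsing.
    loc = location.strip().replace("\\", "/")
    target = urljoin(request_url, loc)  # resolves relative and //host forms
    src, dst = _host(request_url), _host(target)
    if urlsplit(target).scheme not in ("http", "https") or not dst:
        return "external"
    if dst == src:
        return "same-host"
    if dst.startswith(src + "."):
        # Requested host is only the leading labels of the target: the post's case.
        return "host-prefix-confusion"
    return "external"


def flag_redirects(records):
    """Return (request_url, location, verdict) for redirects that leave the host."""
    findings = []
    for request_url, location in records:
        verdict = classify_redirect(request_url, location)
        if verdict != "same-host":
            findings.append((request_url, location, verdict))
    return findings


# First pair is the one from the post; the rest are constructed test data.
SAMPLE = [
    ("https://subdomain.vuln.com/.evil.com", "https://subdomain.vuln.com.evil.com"),
    ("https://subdomain.vuln.com/docs", "/docs/"),
    ("https://subdomain.vuln.com/a", "https://SUBDOMAIN.vuln.com./b"),
    ("https://subdomain.vuln.com/a", "//evil.com/x"),
    ("https://subdomain.vuln.com/a", "https://subdomain.vuln.com@evil.com/"),
]

if __name__ == "__main__":
    for finding in flag_redirects(SAMPLE):
        print(finding)
```

Sibling hosts such as www.vuln.com are reported as external here, because deciding the registrable domain needs a public-suffix list or an explicit allow-list.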
./keep_hacking_the_world 🥳🎊🎉🐞