A quick PoC/tutorial on bypassing open redirect filters in Infosec Institutes Level 13 CTF challenge. Full details on the challenge can be found here: http://ctf.infosecinstitute.com/ctf2/. All credits go to 1N3 @CrowdShield and full disclosure details can be found here: https://xerosecurity.com/dashboard.php?bug_id=691
The request below indicates that the affected page is redirecting all requests sent to the redirect= parameter which may be vulnerable to open redirect attacks.
The addition of the Location: header indicates that the value specified in the redirect= GET parameter is being injected into the Location: header field.
Using Burpsuite Intruder or any other web proxy, we can use the following list to check for open redirect vulnerabilities and possible bypasses. This can be downloaded using Gist here: https://gist.github.com/1N3/de48ab54edd831cb12fb
Replace the existing input field to increase the maxsize field and remove the characters allowed property as follows:
<input type="text" placeholder="Name of site" maxsize="100" class="form-control" required="" name="name">
var siteName = $(".ex1 input[type='text']").val().trim().replace(/</g, "<").replace(/>/g, ">"); var siteURL = $(".ex1 input[type='url']").val().trim().replace(/</g, "<").replace(/>/g, ">");
After the client side validation and sanitizing is removed, enter the following payload into the “Site Name” field and click “Submit”.