Bypass Open Redirection Protection Via Google Sites [BugBounty writeup]

Hi Everyone!

Peace be upon you, and the mercy and blessings of God.

I'm Ahmed Salah Abdalhfaz (Elsfa7–110).

Today I will talk about a vulnerability that I discovered on January 6th, 2021.

Let us refer to the site as target.com.
Let's dive in!

What is an Open-redirection Vulnerability?

Unvalidated redirects and forwards occur when a web application accepts untrusted input and uses it as the target of a redirect without checking it. By changing that input to point at a malicious site, an attacker can launch a convincing phishing campaign, because the link the victim clicks starts with the legitimate domain, and steal user credentials. A vulnerable link could look something like this: http://target.com/login.html?url=https://sefo.com

An attacker could manipulate the url= parameter to send a victim to a fake page of their own: http://target.com/login.html?url=https://evil.com

Let's go to the bug.

For this vulnerability I used a simple bypass and a logic solution.

The vulnerable URL was:

https://www.target.com/taxi/?tt=878_12_224173_&r=https://google.com

After several attempts with an open redirect payload list, no payload could bypass the protection.

After some examination, it became clear that the site accepts redirection to some sites only, including google.com, which means it uses a whitelist to protect against open redirect attacks.

Good

Now we need to hack google.com so we can exploit it.
Oh, there is an easier and simpler solution.
After a while of thinking:
Google provides a Google Sites service,

through which we can redirect the victim to any other site or embed pages and carry out some attacks.

Let's try:
1- Create a simple website on sites.google.com.
2- Add an iframe pointing at any harmful site (I used evil.com). The attack thus succeeded in sending the visitor to a dangerous site. Alternatively, the attacker can build a fake sign-in form or anything else harmful: Google Sites allows embedding pages from external links, so an attacker can host any site on Google Sites.

In this way, we can use a Google subdomain (sites.google.com).

For example, simply change the "r" value to sites.google.com/view/testoepn:

https://www.target.com/taxi/?tt=878_12_224173_&r=https://sites.google.com/view/testoepn

Successful bypass of the open redirect protection.
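The whitelist behaviour described above, and the basic unvalidated redirect from the introduction, as an added example that is not the target's code (which is unknown): the hypothetical checkers below model three ways the r parameter could be validated. A suffix match on google.com is consistent with what the writeup observed: it rejects the usual payload-list tricks yet accepts sites.google.com, where anyone can publish content. An exact-host allowlist refuses the subdomain, and a keyed redirect removes the attacker-controlled URL entirely. The probe URLs other than the Google Sites one, and the keyed target table, are constructed for this example.

```python
from typing import Optional
from urllib.parse import urlsplit

# Constructed probes: values an attacker might put in the "r" parameter.
# Only the "google_sites" entry comes from the writeup.
PROBES = {
    "legit":        "https://google.com",
    "evil":         "https://evil.com",
    "userinfo":     "https://google.com@evil.com",             # payload-list trick
    "lookalike":    "https://google.com.evil.com",             # payload-list trick
    "google_sites": "https://sites.google.com/view/testoepn",  # the bypass
}


def unvalidated_redirect(r: str) -> Optional[str]:
    """The naive handler from the introduction: redirect wherever r says."""
    return r


def suffix_allowlist_redirect(r: str, trusted=("google.com",)) -> Optional[str]:
    """A whitelist that accepts a trusted domain and every subdomain of it.

    This defeats the payload list (urlsplit strips user:pass@ and does not
    match google.com.evil.com) but still lets attacker-controlled content on
    sites.google.com through, which is the bypass shown in the writeup.
    """
    parts = urlsplit(r)
    host = parts.hostname  # lowercased, userinfo and port removed
    if parts.scheme not in ("http", "https") or host is None:
        return None
    if any(host == d or host.endswith("." + d) for d in trusted):
        return r
    return None


def exact_host_allowlist_redirect(
    r: str, trusted=("google.com", "www.google.com")
) -> Optional[str]:
    """Exact-host match: no subdomain wildcard, so sites.google.com is refused.

    Still only as safe as the hosts on the list; none of them may serve
    content that third parties can publish.
    """
    parts = urlsplit(r)
    if parts.scheme not in ("http", "https") or parts.hostname not in trusted:
        return None
    return r


# Hypothetical server-side table: the client sends a key, never a URL.
KEYED_TARGETS = {
    "maps": "https://google.com/maps",
    "home": "https://www.target.com/",
}


def keyed_redirect(key: str) -> Optional[str]:
    """Safest option: there is no URL in the request to tamper with."""
    return KEYED_TARGETS.get(key)


def evaluate(checker) -> dict:
    """Map each probe name to whether the given checker would redirect to it."""
    return {name: checker(url) is not None for name, url in PROBES.items()}


if __name__ == "__main__":
    for fn in (unvalidated_redirect, suffix_allowlist_redirect,
               exact_host_allowlist_redirect):
        print(fn.__name__, evaluate(fn))
```

The check worth running against any redirect allowlist is simple: for every host on it, ask whether someone outside the organisation can publish content under that host (site builders, user subdomains, object storage, pastebins). If they can, that entry is an open redirect with extra steps, no matter how carefully the URL is parsed.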

Thanks for reading!

https://zero-eg.com

Happy Hacking ;)

Please don't forget to follow me on Twitter to see my new blog posts at https://twitter.com/Elsfa7110, and if you have any comments, send them to me. Thanks. Feel free to connect with me if you have anything.
