| Field | Value |
|---|---|
| Platform | PortSwigger Web Security Academy |
| Type | DOM-Based Open Redirect |
| Difficulty | Practitioner |
| Objective | Exploit the open redirect to send the victim to the exploit server |
# DOM-Based Open Redirection — Writeup

## Reconnaissance

### Initial Observation
Nothing interesting on the main page. Entering a blog post and inspecting the source reveals this in the "Back to Blog" link:
```html
<div class="is-linkback">
<a href='#' onclick='returnUrl = /url=(https?:\/\/.+)/.exec(location); location.href = returnUrl ? returnUrl[1] : "/"'>Back to Blog</a>
</div>
```
The onclick handler runs a regex against `location` (coerced to a string, so the full page URL including the fragment), looking for a `url=` parameter followed by an http or https URL. If it matches, the first capture group is assigned to `location.href` with no check on the target's origin, so any absolute URL is accepted; if it doesn't match, it just goes to `/`.
### Web — Testing the Redirect
Testing in the console with no url= parameter in the URL:
```javascript
/url=(https?:\/\/.+)/.exec(location)
// null
```
Nothing. Adding url=https://teto.com# to the URL:
```javascript
/url=(https?:\/\/.+)/.exec(location)
// Array [ "url=https://teto.com#", "https://teto.com#" ]
```
The regex matches and returns the URL as the capture group. Hovering over "Back to Blog" shows the full crafted URL, and clicking it redirects to teto.com. The `#` at the end means anything that follows it (such as further query parameters) becomes part of the redirect target's fragment rather than its host or path, so the greedy `.+` can't pull extra characters into the destination.
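To make the sink concrete from the defender's side, here is the lab's regex reimplemented next to a hardened version of the same "return URL" logic. This is an added example, not code from the lab or from PortSwigger; the hosts `shop.example` and `attacker.example` and the sample URLs are constructed for illustration.

```javascript
// Added example (not the lab's code): the vulnerable extraction from the
// "Back to Blog" handler beside a same-origin-only replacement.
const RETURN_URL_RE = /url=(https?:\/\/.+)/;

// Mirrors the lab's handler: `location` is stringified and the first
// http(s) URL after "url=" is used verbatim, so any origin is accepted.
function vulnerableReturnUrl(currentHref) {
  const m = RETURN_URL_RE.exec(String(currentHref));
  return m ? m[1] : "/";
}

// Hardened version: read the parameter with URLSearchParams, resolve it
// against the page's own origin, and only honour same-origin targets.
// Other hosts, protocol-relative URLs ("//attacker.example"), and
// non-http schemes all fall back to "/".
function safeReturnUrl(currentHref) {
  const page = new URL(currentHref);
  const raw = page.searchParams.get("url");
  if (raw === null) return "/";
  let target;
  try {
    target = new URL(raw, page.origin);
  } catch (e) {
    return "/"; // unparseable value: never redirect on it
  }
  if (target.origin !== page.origin) return "/";
  // Hand back a relative path so the browser cannot leave this origin.
  return target.pathname + target.search + target.hash;
}

// Constructed sample page URLs (hypothetical hosts, not the lab instance).
const SITE = "https://shop.example";
const SAMPLES = [
  `${SITE}/post?postId=1`,
  `${SITE}/post?postId=1&url=https://attacker.example/#`,
  `${SITE}/post?postId=1&url=https://attacker.example/&next=2`,
  `${SITE}/post?postId=1&url=https://shop.example/post?postId=2`,
  `${SITE}/post?postId=1&url=//attacker.example/`,
];

// Runs both extractors over one page URL so the difference is visible.
function compare(href) {
  return {
    href,
    vulnerable: vulnerableReturnUrl(href),
    safe: safeReturnUrl(href),
  };
}

if (typeof module !== "undefined" && require.main === module) {
  for (const s of SAMPLES) console.log(compare(s));
}
```

Running the file prints one row per sample: the vulnerable extractor follows every absolute URL it is given (including the `#`-terminated one from the lab), while the hardened one only ever returns a path on the page's own origin. The key design point is resolving the parameter with `new URL(raw, page.origin)` and comparing `origin`, rather than pattern-matching the string; the regex approach also matches a `url=` that appears in the fragment, which `URLSearchParams` ignores.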
## Attack Path

### Exploit — Injecting the Exploit Server URL
Swapping teto.com for the exploit server:
```text
https://0af600a304f5164f80de0d840094002a.web-security-academy.net/post?postId=1&url=https://exploit-0a7d00d70402164680d60c6101f300d0.exploit-server.net/#
```
Sending this URL to the victim: when they click "Back to Blog", they are redirected to the exploit server, and the lab is solved.