About  Project Blog Resources

Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

XSS via Arbitrary URL Redirection- 262

quentin - gremwellPosted 5 Years Ago
  • Arbitrary URL redirections are a common vulnerability where the impact is often disputed. Some bug bounty reports do not consider this a vulnerability at all.
  • So, with the arbitrary URL redirection, what else can be done? In order to increase the impact, the author of this article asked that question!
  • On the 302 redirect, all URL encoded data was decoded and put into the body. In fact, this even includes newlines! Because of this, it was possible to alter the body of the 302 redirect. This is called a CRLF (carriage return, line feed) injection.
  • From this, the author pulls up articles that found ways to get XSS via a 302 redirect. However, most modern browsers will not execute JavaScript in this context.
  • After brute forcing several URIs, it was discovered that (on Firefox) using the websocket URIs (ws or wss) for the redirect link allowed for the JavaScript to be executed!
  • To make matters even better, another user posted that a similar bypass exists (on Chrome) by not having a redirect link (just adding the newlines and the XSS payload) all together.
  • So, have an arbitrary redirect? Try to make the impact even better by turning it into an XSS!

Maxwell DulinEmail me!TwitterGithubAdminBlog RSS FeedResources RSS Feed