Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Account takeover via open redirect - Github Gist

William Bowling, posted 5 years ago
  • Arbitrary (open) redirects are an interesting vulnerability class: on their own the impact is usually minimal, to the point that some bug bounty programs do not accept the bug class at all, but chained with the right feature they can be immensely impactful.
  • In this case, url_for in Ruby on Rails was being called with attacker-controlled parameters, so the options of the URL-building function were no longer under the application's control. That does not sound like a big deal, but controlling the options of such a function can cause many issues.
  • To start with, a low-severity reflected XSS was found by setting the script_name option of url_for. It required two clicks and was blocked by the CSP, so the author kept looking.
  • Setting script_name to just a domain instead produced an arbitrary redirect. Nice, but what can actually be done with it?
  • When is an arbitrary redirect really bad? OAuth. This exact vulnerability affected the GitHub Gist OAuth implementation: if a victim clicked a malicious link, they would log in and then be redirected to the attacker's site, with the authorization code sitting in the URL on the attacker's server, waiting to be exchanged.
  • Overall, this was a super interesting bug that was ONLY found because of source code review. I love the finding and would like to see more application bugs like this in the future.
  • Vakzz has MANY great writeups on his site; I highly recommend visiting this site for high quality writeups.
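The chain the bullets above describe, as an added example written for this page (it is not code from vakzz's writeup, from Gist, or from Rails): a toy url_for-style builder that prepends script_name to the path, the vulnerable pattern of forwarding every request parameter into it, the hardened version (allow-list the options, then verify the result is a path-only reference), and a small model of the victim's browser resolving the post-login redirect so you can see which host ends up holding the authorization code. The app origin, the parameter names, the attacker host and the way the code is appended to the redirect are all assumptions of this model.

```ruby
require "uri"

# Origin of the app in this model (assumed; stands in for the Gist host).
APP_ORIGIN = URI("https://gist.github.com/")

# Simplified stand-in for a url_for-style helper: the script_name option is
# prepended to the path verbatim and any other options become the query string.
# This is a model written for this page, not Rails' url_for.
def build_url(path:, script_name: "", **query)
  url = "#{script_name}#{path}"
  url += "?#{URI.encode_www_form(query)}" unless query.empty?
  url
end

# Vulnerable pattern from the writeup's bug class: every request parameter is
# forwarded to the URL builder, so a request can supply script_name itself.
# (:path is dropped only to avoid a duplicate keyword in this toy builder.)
def vulnerable_after_login_url(request_params)
  opts = request_params.transform_keys(&:to_sym).reject { |k, _| k == :path }
  build_url(path: "/oauth/callback", **opts)
end

# Fix 1: only forward the parameters the endpoint actually needs.
ALLOWED_PARAMS = %i[state].freeze

# Fix 2: refuse anything that is not a path-only reference. This rejects
# absolute URLs, other schemes ("javascript:"), network-path references
# ("//host/...", which is what a domain-only script_name produces) and
# strings the URI parser will not accept at all, such as "\\evil".
def local_path?(url)
  uri = URI.parse(url)
  uri.scheme.nil? && uri.host.nil? && uri.userinfo.nil? &&
    uri.path.start_with?("/") && !uri.path.start_with?("//")
rescue URI::InvalidURIError
  false
end

def safe_after_login_url(request_params)
  opts = request_params.transform_keys(&:to_sym).slice(*ALLOWED_PARAMS)
  url = build_url(path: "/oauth/callback", **opts)
  raise ArgumentError, "non-local redirect target: #{url}" unless local_path?(url)
  url
end

# Models the victim's browser after login: the server appends the freshly
# issued authorization code and the browser resolves the target against the
# app origin. A protocol-relative target replaces the host, so the code lands
# on whatever host script_name named.
def code_destination(redirect_target, code:)
  sep = redirect_target.include?("?") ? "&" : "?"
  APP_ORIGIN.merge("#{redirect_target}#{sep}code=#{code}")
end

if __FILE__ == $PROGRAM_NAME
  # Constructed request: the parameters an attacker's link makes the victim send.
  attacker_params = { "state" => "abc", "script_name" => "//attacker.example" }

  leaked = code_destination(vulnerable_after_login_url(attacker_params), code: "c0de")
  puts "vulnerable: code sent to #{leaked.host}  (#{leaked})"

  kept = code_destination(safe_after_login_url(attacker_params), code: "c0de")
  puts "hardened:   code sent to #{kept.host}  (#{kept})"
end
```

Both fixes matter. Allow-listing the forwarded options removes this particular script_name path, while the local_path? check catches any other way an attacker-influenced value reaches the redirect: URI#merge treats "//host/..." as a network-path reference and swaps the host, which is exactly why a script_name consisting of just a domain is enough to walk the authorization code off the site.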