Unvalidated Redirects/ Open Redirect Vulnerability on Hackster Registrat… – SQLi Basic

Hi Hackster,

This is Shaifullah Shaon (Black_EyE), an ethical hacker and
white-hat cyber security researcher from Bangladesh, reporting a serious
[3rd ranking in OWASP] security vulnerability on your system.

I found a technical security bug called “Unvalidated Redirects / Open Redirect Vulnerability on the Hackster Registration URL and Login URL”.

Description of Vuln:
Unvalidated redirects and forwards are possible when a web application accepts untrusted input that could cause the web application to redirect the request to a URL contained within untrusted input. By modifying untrusted URL input to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials. Because the server name in the modified link is identical to the original site, phishing attempts may have a more trustworthy appearance. Unvalidated redirect and forward attacks can also be used to maliciously craft a URL that would pass the application’s access control check and then forward the attacker to privileged functions that they would normally not be able to access.


Unvalidated Redirects / Open Redirect Vulnerability:

Vuln Link:  https://www.hackster.io/users/sign_in?redirect_to=/feed&source=welcome-home

POC url:  https://www.hackster.io/users/sign_in?redirect_to=hTTpS:///google.com

Follow along with me:
1. Open the Vuln Link in a browser.
2. Change redirect_to= to any site. Now I try hTTps:///google.com
3. Just press the Go button or hit ENTER.
4. As you can see, I can redirect to any site.

Let’s check again with facebook.com.
As you see, it redirects to any site using this method, and it is also a permanent redirect.
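The mixed-case scheme and triple slash in the PoC (hTTpS:///google.com) are exactly the kind of input that slips past a case-sensitive prefix check and is then normalised by the browser into an absolute URL. The following is an added example, not Hackster's code and not part of the original report: a naive check of the kind the PoC defeats, next to an allow-list validator for a redirect_to parameter that only accepts a rooted path on the current origin. DEFAULT_TARGET and the function names are assumptions made for the example.

```python
from urllib.parse import urlsplit, urlunsplit

# Assumption for this example: where to send the user when redirect_to is rejected.
DEFAULT_TARGET = "/"


def naive_is_local(target: str) -> bool:
    """The kind of check an open redirect like this one bypasses.

    A case-sensitive prefix test lets "hTTpS:///google.com" through, and the
    browser then normalises it to https://google.com/.
    """
    return not (target.startswith("http://") or target.startswith("https://"))


def is_safe_local_redirect(target: str) -> bool:
    """Accept only a path on the current origin: no scheme, no host."""
    if not target:
        return False
    # Control characters (tab, newline, ...) are stripped or reinterpreted by
    # browsers and URL parsers; never let them into a Location header.
    if any(ord(c) < 0x20 or c == "\x7f" for c in target):
        return False
    # Browsers treat "\" like "/", so "/\evil.com" becomes "//evil.com".
    if "\\" in target:
        return False
    parts = urlsplit(target)  # urlsplit lower-cases the scheme: "hTTpS" -> "https"
    # Any scheme at all ("https:", "javascript:", "hTTpS:") or any authority
    # part means the target leaves the site.
    if parts.scheme or parts.netloc:
        return False
    # "//host" is a protocol-relative URL; a path that is not rooted at "/"
    # is ambiguous, so require exactly one leading slash.
    if not parts.path.startswith("/") or parts.path.startswith("//"):
        return False
    return True


def safe_redirect_target(target: str) -> str:
    """Return a redirect target the server may safely put in a 3xx Location."""
    if not is_safe_local_redirect(target):
        return DEFAULT_TARGET
    parts = urlsplit(target)
    # Rebuild from the validated path and query only (drops any fragment).
    return urlunsplit(("", "", parts.path, parts.query, ""))


if __name__ == "__main__":
    # Constructed sample inputs: the report's PoC value plus common variants.
    for value in ["/feed", "/feed?source=welcome-home", "hTTpS:///google.com",
                  "//google.com", "/\\google.com", "javascript:alert(1)"]:
        print(f"{value!r:32} naive={naive_is_local(value)!s:5} "
              f"safe -> {safe_redirect_target(value)}")
```

The validator is deliberately an allow-list: rather than trying to enumerate ways of writing an external URL, it parses the value and rejects anything with a scheme or authority, then rebuilds the target from the parsed path and query. A server that issues a permanent (301/308) redirect, as the report notes this one does, should be especially strict, since browsers cache that answer for the login URL.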

Please see my video PoC to understand clearly. Hopefully these are very critical issues.
Resolve these issues as soon as possible. Please watch the video carefully for understanding.

Here is the proof-of-concept video (unlisted): https://youtu.be/z8R4HDHvkoI

Thank you
Shaifullah Shaon (Black_EyE)

It’s an Online It Section
Please Subscribe us.
