Unvalidated Redirects/ Open Redirect Vulnerability on Hackster Registrat… – SQLi Basic

Hi Hackster,

Here is Shaifullah Shaon (Black_EyE), An Ethical Hacker.
a white hat cyber security researcher from Bangladesh reporting a serious
[3’rd ranking in OWASP] security vulnerability on your system.

I faced a technical security bug called “Unvalidated_Redirects/ Open Redirect Vulnerability on Hackster Registration Url and Login Url”.

Description of Vuln:
Unvalidated redirects and forwards are possible when a web application accepts untrusted input that could cause the
web application to redirect the request to a URL contained within untrusted input. By modifying untrusted URL input
to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials. Because the server
name in the modified link is identical to the original site, phishing attempts may have a more trustworthy appearance.
Unvalidated redirect and forward attacks can also be used to maliciously craft a URL that would pass the application’s
access control check and then forward the attacker to privileged functions that they would normally not be able to access.

Reference:

Unvalidated_Redirects/ Open Redirect Vulnerability:
https://www.owasp.org/index.php/Unvalidated_Redirects_and_Forwards_Cheat_Sheet
http://www-01.ibm.com/support/docview.wss?uid=swg21986393

Vuln Link:  https://www.hackster.io/users/sign_in?redirect_to=/feed&source=welcome-home
   https://www.hackster.io/users/sign_up?redirect_to=/feed&source=welcome-home

POC url:  https://www.hackster.io/users/sign_in?redirect_to=hTTpS:///google.com
   https://www.hackster.io/users/sign_up?redirect_to=hTTpS:///google.com

Let’s follow me,
1. Open Vuln Link in browser.
2. Change redirect_to= to any site. Now I try to hTTps:///google.com
3. Just press go button or hit into ENTER
4. And as you see I can redirect to any site.

Let’s Check again with facebook.com
As you see, here redirect to anysite using this method. and it’s also goes to parmanently redriact.

Please See my Video Poc for understand clearly. Hopefully Those are Very critical issue.
Resolve those issue as soon as possible. Please see this video carefully for understanding.

Here is proof as video concept (unlisted): https://youtu.be/z8R4HDHvkoI

Thank you
Shaifullah Shaon (Black_EyE)
shaon.durjoy@gmail.com

It’s an Online It Section
Please Subscribe us.




Leave a Reply

Your email address will not be published. Required fields are marked *

Name *
Email *
Website