Open Redirect via login page
Overview of the Vulnerability:
Open redirects occur when an application fails to validate user input in the target of a redirection, allowing attackers to redirect users to malicious sites. This vulnerability undermines users’ trust in legitimate web pages. Attackers can exploit it by sending phishing emails with URLs containing a legitimate business name, which then redirect to external domains. Users are less likely to detect the redirection if the URL appears authentic and uses a valid SSL certificate.
Open redirects can lead to more severe vulnerabilities, such as Cross-Site Scripting (XSS), Server-Side Request Forgery (SSRF), Cross-Site Request Forgery (CSRF), and successful phishing attempts. Attackers can harvest credentials or gain OAuth access by relaying users through an open redirection to a server they control.
For several weeks I studied the whole application and the functions it offers, including logging in, creating an account, and others.
Steps:
1. Using a browser, navigate to: https://app.[Redacted].com/login
2. Click Connect with Google, then view the HTTP history in Burp Suite or ZAP proxy.
3. After reviewing all the requests, I came across this interesting one:
GET /api/auth/google/redirect?registrationOrigin=app&failureUrl=[https://[*].[Redacted].com/*]&successUrl=https://[*].[Redacted].com/*] HTTP/2
Host: app.[Redacted].com
Upgrade-Insecure-Requests: 1
User-Agent: [Redacted]
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Sec-Ch-Ua: [Redacted]
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: [Redacted]
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Priority: u=0, i
These two parameters caught my attention: failureUrl and successUrl.
4. I changed the value of each of them to "https://www.attacker.com", so the link becomes:
https://app.[Redacted].com/api/auth/google/redirect?registrationOrigin=app&failureUrl=https://www.attacker.com/login&successUrl=https://www.attacker.com/
5. I opened the link and was redirected to the target domain.
6. The same payload can be URL-encoded so that the external domain is not visible in the link shown to users:
https://app.[Redacted].com/api/auth/google/redirect?registrationOrigin=app&failureUrl=%68%74%74%70%73%3a%2f%2f%77%77%77%2e%61%74%74%61%63%6b%65%72%2e%63%6f%6d%2f%6c%6f%67%69%6e%26%73%75%63%63%65%73%73%55%72%6c%3d%68%74%74%70%73%3a%2f%2f%77%77%77%2e%61%74%74%61%63%6b%65%72%2e%63%6f%6d%2f
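The root cause described in the overview is that the server uses failureUrl and successUrl as redirect targets without validating them. The following is an added example, not code from the original report or from the affected application, of the server-side check that would have stopped steps 4 to 6: each redirect parameter is parsed and accepted only if it is a same-origin path or an https URL whose host is on an allowlist, and anything else falls back to a safe default. The host app.example.com is a placeholder for the redacted domain, and the three query strings are reconstructed from the requests in the report.

```python
from urllib.parse import parse_qs, urlsplit

# Placeholder for the redacted application host; a real deployment lists its own origins here.
ALLOWED_HOSTS = frozenset({"app.example.com"})
# Where to send the user when a supplied target is rejected.
FALLBACK = "/"


def validate_redirect(value, allowed_hosts=ALLOWED_HOSTS, fallback=FALLBACK):
    """Return value if it is a safe redirect target, otherwise the fallback.

    Accepts: a same-origin path such as "/account", or an https URL whose
    hostname is in allowed_hosts. Rejects scheme-relative URLs ("//host"),
    non-https schemes, userinfo tricks ("https://good@evil"), suffix/prefix
    look-alike hosts, and control characters or backslashes that browsers
    may normalise into path separators.
    """
    if not value:
        return fallback
    if any(ch in "\\\r\n\t" or ord(ch) < 0x20 for ch in value):
        return fallback
    parts = urlsplit(value)
    if not parts.scheme and not parts.netloc:
        # Relative target: allow "/x", reject "//x" (scheme-relative) and bare "x".
        if value.startswith("/") and not value.startswith("//"):
            return value
        return fallback
    if parts.scheme.lower() != "https":
        return fallback
    if "@" in parts.netloc:
        # Userinfo is never legitimate in a redirect target; drop it outright.
        return fallback
    # .hostname is lowercased and has the port stripped, so compare it directly.
    if parts.hostname not in allowed_hosts:
        return fallback
    return value


def safe_oauth_targets(query_string):
    """Parse the OAuth callback query string and return (successUrl, failureUrl),
    each replaced by FALLBACK when it fails validation. parse_qs percent-decodes
    each value exactly once, as a web framework would."""
    params = parse_qs(query_string, keep_blank_values=True)
    success = validate_redirect(params.get("successUrl", [""])[0])
    failure = validate_redirect(params.get("failureUrl", [""])[0])
    return success, failure


# Constructed query strings mirroring the report, with the redacted host replaced.
LEGIT_QUERY = (
    "registrationOrigin=app"
    "&failureUrl=https://app.example.com/login"
    "&successUrl=https://app.example.com/dashboard"
)
TAMPERED_QUERY = (
    "registrationOrigin=app"
    "&failureUrl=https://www.attacker.com/login"
    "&successUrl=https://www.attacker.com/"
)
# Step 6 payload: the whole attacker URL, including "&successUrl=", is percent-encoded.
ENCODED_QUERY = (
    "registrationOrigin=app&failureUrl="
    "%68%74%74%70%73%3a%2f%2f%77%77%77%2e%61%74%74%61%63%6b%65%72%2e%63%6f%6d"
    "%2f%6c%6f%67%69%6e%26%73%75%63%63%65%73%73%55%72%6c%3d%68%74%74%70%73%3a"
    "%2f%2f%77%77%77%2e%61%74%74%61%63%6b%65%72%2e%63%6f%6d%2f"
)

if __name__ == "__main__":
    for name, q in (("legit", LEGIT_QUERY), ("tampered", TAMPERED_QUERY), ("encoded", ENCODED_QUERY)):
        print(name, safe_oauth_targets(q))
```

Because parse_qs decodes the query only once, the step 6 payload arrives at validate_redirect as the plain string "https://www.attacker.com/login&successUrl=https://www.attacker.com/" and is rejected on its hostname like the unencoded version; validating after decoding, rather than by string-matching the raw query, is what makes the check encoding-independent.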
Impact:
- The attacker can lure the user into installing Trojans, malware, etc. on their system.
- Users can be redirected to malicious sites (phishing attacks).
- Sensitive information can be stolen.