DOM based open redirection

Description

This lab contains a DOM-based open-redirection vulnerability. To solve this lab, exploit this vulnerability and redirect the victim to the exploit server.

Approach

After visiting the lab and browsing through it with the FoxyProxy extension enabled so that all requests are proxied through Burp Suite, I noticed an interesting link in the response to the blog post request:

<div class="is-linkback">
	<a href='#' onclick='returnUrl = /url=(https?:\/\/.+)/.exec(location); location.href = returnUrl ? returnUrl[1] : "/"'>Back to Blog</a>
</div>

The main issue is that the inline onclick handler extracts whatever http(s) URL follows "url=" in location with the regex and assigns it straight to location.href, without checking the origin of that URL. This means I can craft a link whose url parameter points to a site I control.
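As an added illustration (this is not the lab's own code), the extraction from the handler above is reproduced as a function next to a hardened version that only follows same-origin destinations; the lab and exploit-server host names are the ones from the request in this write-up, used here as plain strings in place of location.

```javascript
// Constructed sample of the page URL a victim would arrive at (hosts taken
// from the request shown in the write-up).
const LAB_HREF =
  "https://0af000d2047939b88129fcd6007d00fd.web-security-academy.net" +
  "/post?postId=1&url=https://exploit-0a1c002e044239fd81e3fbe80199000e.exploit-server.net/exploit";

// Vulnerable: mirrors the inline handler. Any http(s) URL after "url=" is
// accepted regardless of origin, and the greedy ".+" captures everything up to
// the end of the href, so trailing parameters travel along with it.
function vulnerableReturnUrl(currentHref) {
  const returnUrl = /url=(https?:\/\/.+)/.exec(currentHref);
  return returnUrl ? returnUrl[1] : "/";
}

// Hardened: parse the query string properly, resolve the candidate against the
// page's own origin and only accept a destination on that origin. Other hosts,
// protocol-relative "//host" values, and javascript:/data: schemes all fall
// back to the blog index.
function safeReturnUrl(currentHref) {
  const page = new URL(currentHref);
  const candidate = page.searchParams.get("url");
  if (!candidate) return "/";
  let target;
  try {
    target = new URL(candidate, page.origin);
  } catch (e) {
    return "/"; // unparseable value
  }
  if (target.origin !== page.origin) return "/"; // cross-origin: blocked
  // Return only path + query so the result can never name another host.
  return target.pathname + target.search;
}

console.log("vulnerable ->", vulnerableReturnUrl(LAB_HREF));
console.log("hardened   ->", safeReturnUrl(LAB_HREF));
```

Running it shows the vulnerable version handing back the exploit-server URL while the hardened version falls back to "/".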

To exploit this vulnerability, I will craft a URL whose url parameter points to my exploit server. When the user clicks the "Back to Blog" link, they will be redirected to my malicious site. Here is the request I will send:

GET /post?postId=1&url=https://exploit-0a1c002e044239fd81e3fbe80199000e.exploit-server.net/exploit HTTP/2
Host: 0af000d2047939b88129fcd6007d00fd.web-security-academy.net
Cookie: session=HYxcrtHjbPzOrqAhXltIlPfhwOAP95cG
...

After sending that request, I can see that the lab is solved.