
I found a possible vulnerability vector in a website with a bug bounty program, and I don't want to pass it up, but I can't figure out a way to exploit it.

The possible vector is that, when you go to an unused subdomain (owned by them but now inactive), it redirects to another one of their websites, but after running the unused subdomain in a GET request, I noticed it uses javascript to grab part of the url in the unused domain, and attaches it to the end of the newer domain that it redirects to.

Essentially, it echoes part of the original URL into a new URL using the following JS:

<script language="javascript">
    var pathname = window.location.pathname;
    if (pathname.charAt(0) == "/") pathname = pathname.substr(1);
    window.location.href = "http://example.com/example" + pathname;
</script>

(I changed the website to example.com for security's sake)

Anyway, does anybody have any ideas for exploiting this? It seems like there must be a way, considering it doesn't filter pathname.

Jack
    anything js can do should be harmless anyway. isn't it easier to craft a direct link than rely on a redirect? i don't see how a link to bad.example.com is any different than one to example.com/bad... – dandavis Feb 05 '17 at 02:27
  • @dandavis true, I was just thinking if there was some set of characters, etc. that could be encoded in the outdated subdomain and when redirected, it would be invalid in whatever browser you were in, and cause it to not redirect, or something of that sort. – Jack Feb 05 '17 at 02:30
    i hear you, but because the code _appends_ to the url, the left-side is locked-in and the normal back-end stuff should be taking care of anything that comes at it. in short, should 404 anything bad... – dandavis Feb 05 '17 at 02:45
  • It doesn't look like an issue on its own. It might be useful for CSRF or downgrading HTTPS, but that's unlikely. – grc Feb 05 '17 at 03:06
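A defender's check on the point the comments make, added here as an example and not part of the original question or its comments: model the posted redirect script as a function, add a hardened variant that only accepts a conservative path character set and verifies with the URL API that the result still lands on the intended origin, and parse the outputs the way a browser would. The base URL is the asker's own "http://example.com/example" placeholder; the allowed character set is an assumption about what paths the real site needs.

```javascript
// Added example (not from the original post): a faithful model of the
// redirect script the asker quoted, beside a hardened version of it.
// BASE is the asker's placeholder; the real site's URL is not known here.
const BASE = "http://example.com/example";

// Faithful model of the posted script: strip one leading "/" and append.
// Note the original concatenates with no separator after "example".
function buildRedirect(pathname) {
  if (pathname.charAt(0) === "/") pathname = pathname.substr(1);
  return BASE + pathname;
}

// Hardened variant. Assumption: the site only needs simple paths, so
// anything outside unreserved path characters and "/" is refused
// rather than forwarded. The origin comparison is defence in depth:
// it would also catch a future change that moved BASE into a template
// or stopped anchoring it with a fixed scheme and host.
const SAFE_PATH = /^[A-Za-z0-9._~\/-]*$/;
function buildRedirectSafe(pathname) {
  if (pathname.charAt(0) === "/") pathname = pathname.substr(1);
  if (!SAFE_PATH.test(pathname)) return null; // refuse, do not redirect
  const target = new URL(BASE + pathname);
  const intended = new URL(BASE);
  if (target.origin !== intended.origin) return null;
  return target.href;
}

// Where does the browser actually end up? Parse with the same URL API
// browsers use and report the origin.
function resolvedOrigin(url) {
  return new URL(url).origin;
}

// Constructed sample paths, as a caller might use them.
const samples = ["/reports/2017", "/docs/index.html", "/a b", "/<script>"];
for (const p of samples) {
  console.log(p, "->", buildRedirect(p), "| safe:", buildRedirectSafe(p));
}
```

Because the scheme and host are fixed string literals and the path is only ever appended after them, every input parses back to the origin "http://example.com"; the hardened version simply refuses to forward paths it did not expect instead of relying on the destination server to 404 them.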

0 Answers