-1

So I have been studying a lot of bug reports regarding redirecting URLs to a malicious website. Most are understandable, like when you log in or log out, or you are just being redirected to another domain of the same website; you change a parameter in the URL and you are redirected to some other domain. However, I can't seem to understand a PoC video in which the hacker uses "../.." to redirect, which I don't understand. Here is the link:

https://www.youtube.com/watch?v=ibtWniVydLY&t=66s

This one is also pretty confusing: https://www.youtube.com/watch?v=T-x0OGS223M. How did he know to add the ?next parameter? And why next, why not next_url?

Can someone please explain, or at least guide me to a document where it is explained? Thanks.

shujaat
  • 27
  • 3
  • The syntax of a URI is `scheme:[//[user[:password]@]host[:port]][/path][?query][#fragment]`. I'm not sure, but it might be possible that with the URL `https://hackerone.com../..@google.com`, you actually request `google.com` as the user `hackerone.com../..`. – SaAtomic Sep 14 '17 at 09:10

1 Answer

0

I wasn't able to reproduce the redirect to Google.com using the suggested URL:

https://hackerone.com../..@google.com

It's not clear to me whether you have been able to reproduce this redirect to Google.com yourself. That video was from 2 years ago and the issue may have been patched.

In the second example, the next vs next_url is simply related to the framework/code used to develop the website. That parameter name is entirely dependent on the implementation.

When implemented securely, the redirect parameter is handled to only allow redirects to paths that exist on the current domain.

For example, the redirect URL is typically a relative path address with respect to the domain:

?next=/user/home

as opposed to something like

?next=https://evilsite1234917641231.com/pwned

SecretSasquatch
  • 619
  • 3
  • 9
  • Yup, the first one is pretty old, so it is probably fixed. I wanted to know the logic behind using "../.." or "@". Also, these "next" and "next_url" are parameters, right? Let's assume we have the website www.good.com. How can I magically append a parameter to the URL? If the URL is something like www.good.com/q?=something then I can try to insert "next" or "next_url", but appending like www.good.com/next=something: isn't www.good.com a static page? Nothing is being input in the page. – shujaat Jul 03 '17 at 03:41