Can you find the open redirect?

Intigriti community challenge

We are given a vulnerable piece of code. The script validates the window location hash and redirects to it if valid.

var url = window.location.hash.substr(1);
if (isValid(url)) {
window.location = url;

To get a valid result the location hash needs to pass though a regular expression.


By breaking down the expression we see the following rules

  • It should start with http:// or https://

  • The protocol should be followed by a subdomain name containing lowercase letters, numbers, periods and hyphens.

  • It should end with

At first glance it seems secure. However, tiny details could lead to a potential vulnerability. Lets revise the last part again.


The first period seems to be properly escaped with a backslash, but the second one isn't. In regular expressions, a period character that is not escaped means that it could be any character. That would mean that we could put a forward slash and turn the TLD into an URL path.


Moreover, the .security is also a valid TLD, which means that anyone could purchase such a domain name.

Knowing this, let's imagine the following scenario. An attacker that owns tries to exploit this vulnerable script by forwarding the user to his malicious environment. The only thing he needs to do is to put his address into the vulnerable website's location hash.


There we have it. An open redirect bug which could lead to a bad scenario.

Thanks a lot for the read!