Can you find the open redirect?

Intigriti community challenge

We are given a vulnerable piece of code. The script validates the window location hash and redirects to it if valid.

var url = window.location.hash.substr(1);
‚Äč
if (isValid(url)) {
window.location = url;
}

To get a valid result the location hash needs to pass though a regular expression.

/^http(s)?:\/\/[0-9a-z.-]+\.security.com$/

By breaking down the expression we see the following rules

  • It should start with http:// or https://

  • The protocol should be followed by a subdomain name containing lowercase letters, numbers, periods and hyphens.

  • It should end with .security.com

At first glance it seems secure. However, tiny details could lead to a potential vulnerability. Lets revise the last part again.

\.security.com$/

The first period seems to be properly escaped with a backslash, but the second one isn't. In regular expressions, a period character that is not escaped means that it could be any character. That would mean that we could put a forward slash and turn the TLD into an URL path.

.security/com

Moreover, the .security is also a valid TLD, which means that anyone could purchase such a domain name.

example.security
domain.security
test.security

Knowing this, let's imagine the following scenario. An attacker that owns evil.security tries to exploit this vulnerable script by forwarding the user to his malicious environment. The only thing he needs to do is to put his address into the vulnerable website's location hash.

#https://www.evil.security/com

There we have it. An open redirect bug which could lead to a bad scenario.

Thanks a lot for the read!