Hello, fellow hackers!
Today, I am bringing you something new and interesting. This is not an ordinary bug bounty article. Instead, I am going to share some security findings from my day job.
Let’s suppose the target is ABC.com.
I started enumerating their subdomains to find potential attack surface. I tried searching for CVEs (Common Vulnerabilities and Exposures) in their assets, but most of their subdomains looked very secure. They were using the latest technologies and their security posture was strong, making it difficult to find any significant issue.
After spending a lot of time testing attack vectors without any success, I happened to browse one of their domains manually. While scrolling the page, I noticed an Instagram logo embedded in its footer. Out of curiosity, I clicked on the logo, and to my surprise, it showed a broken link like this:
I was already aware of the concept of broken link hijacking (BLH) and social media account takeover, but I had never encountered it on my previous targets. This time, however, things were about to get interesting.
When inspecting the Instagram link embedded on the target subdomain, I found a URL structure like this:
https://www.google.com/url? com % 2fabc.com % 2fabc.com % 2fabc.sa = d & sntzntzstz = 1sg = aovawawawawawawawawawawawawawawawdXPAuhkotxq
It was clear that the link was pointing to an Instagram profile affiliated with the target company, specifically Instagram/ABC.com. However, since the link was broken (probably because the Instagram account had been deleted, renamed, or never created), I realized that this was a possible opportunity for an account takeover.
Without wasting any time, I quickly created a new Instagram account with the same username, ABC.com, and then revisited the target subdomain. I clicked on the Instagram logo once again, and boom 💥 I was immediately sent to the Instagram account I had just created.
As I continued to explore the target infrastructure, I decided to dig deeper into their hidden subdomains to see if I could find something interesting. After some extensive enumeration and testing, I stumbled upon two open redirects on two different subdomains.
The first open redirect was on their login page.
The second open redirect was on their sign-up page.
1. URL format for the open redirect on the login page:
https://xyz.abc.com/login?return_to=
I appended https://evil.com, and the new URL looked like this:
https://xyz.abc.com/login?return_to= https % 3a % 2f % 2fevil.com
Nothing happened when I added evil.com and refreshed the page. Then I created an account and logged in with the credentials, and boom! 🤯 I was redirected to evil.com.
2. URL format for the open redirect on the registration page:
I appended https://evil.com again, and the tampered URL looked like this:
https://xyz.abc.com/register?next=https://evil.com
As before, after creating an account I was redirected to evil.com.
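As an added example that is not part of the original write-up, here is a Python check showing the vulnerable pattern behind both the return_to and next parameters above, and a hardened version that only ever redirects to a same-origin path; the host xyz.abc.com and the function names are assumptions.

```python
from urllib.parse import urlparse, unquote

# Hypothetical first-party host, taken from the URLs in the write-up.
ALLOWED_HOST = "xyz.abc.com"


def vulnerable_redirect_target(return_to: str) -> str:
    """'Before' pattern: whatever arrives in return_to / next is used verbatim."""
    return return_to or "/"


def safe_redirect_target(return_to: str, allowed_host: str = ALLOWED_HOST) -> str:
    """Return a same-origin path to redirect to, or '/' if the value is not one."""
    if not return_to:
        return "/"
    # Defensive decode (the framework already decoded once; a second pass
    # catches double-encoded values such as https%253A%252F%252Fevil.com),
    # then normalise backslashes, which browsers treat as '/', and drop
    # control characters that some parsers ignore.
    value = unquote(return_to).replace("\\", "/")
    value = "".join(ch for ch in value if ch.isprintable()).strip()
    if value.startswith("//"):
        # Protocol-relative ('//evil.com', '///evil.com'): resolves to another host.
        return "/"
    parsed = urlparse(value)
    if parsed.scheme or parsed.netloc:
        # Absolute URL, including 'https:evil.com' and 'https://xyz.abc.com@evil.com'.
        # .hostname strips userinfo and port, so only the real host is compared.
        if parsed.scheme != "https" or (parsed.hostname or "") != allowed_host.lower():
            return "/"
        path = parsed.path or "/"
    else:
        path = parsed.path
    if not path.startswith("/"):
        # A bare relative path resolves against the current directory; reject it.
        return "/"
    # Rebuild as a relative path so the Location header can never name a host.
    return path + ("?" + parsed.query if parsed.query else "")
```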
I hope someone has learned something from this article!