Open Redirect on "returnUrl=" parameter in btcpayserver/btcpayserver
Jan 30th 2023
Hello Team, while testing the "returnUrl=" parameter on the login page, it was not vulnerable, but I found another way to get an open redirect with that parameter.
Proof of Concept
Here is the video PoC of this vulnerability: https://drive.google.com/file/d/1UNnRv-E0bwcWWSFSOSDLoTGEdkH4cIKd/view?usp=sharing
Steps to Reproduce:
1. Log in to your account on https://mainnet.demo.btcpayserver.org/login
2. Click the link below
3. Check the "I have written down my recovery phrase and stored it in a secure location"
4. Then click Done
5. You will be redirected to evil.com
An open redirect vulnerability exists in the affected products. An attacker could trick a validly authenticated user on the device into clicking a malicious link on the device, resulting in phishing attacks.
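A defensive check for this class of bug, as an added example that is not part of the original report or of the BTCPay Server code base: every handler that redirects to a "returnUrl" value, not only the login page, validates it as a same-site path first. `ReturnUrlGuard`, `IsLocalReturnUrl` and `SafeRedirectTarget` are hypothetical names, and the sample inputs are constructed; ASP.NET Core's built-in `Url.IsLocalUrl` applies a similar rule.

```csharp
using System;

// Added example: hypothetical helper, not BTCPay Server code.
public static class ReturnUrlGuard
{
    // Accept only rooted, same-site paths such as "/stores/abc"; reject
    // anything a browser could resolve to a different origin.
    public static bool IsLocalReturnUrl(string url)
    {
        if (string.IsNullOrEmpty(url)) return false;

        // Browsers normalise backslashes to slashes and may strip control
        // characters, so "/\evil.com" and "/\t/evil.com" can leave the site.
        foreach (char c in url)
            if (char.IsControl(c) || c == '\\') return false;

        // Must be rooted at "/" but must not start with "//", which is a
        // protocol-relative URL pointing at another host.
        if (url[0] != '/') return false;
        return url.Length == 1 || url[1] != '/';
    }

    // Use the supplied value only when it is local; otherwise fall back
    // to a fixed in-app page.
    public static string SafeRedirectTarget(string returnUrl, string fallback)
        => IsLocalReturnUrl(returnUrl) ? returnUrl : fallback;

    public static void Main()
    {
        // Constructed sample inputs.
        string[] samples =
        {
            "/stores/abc/wallets", "/", "https://evil.com",
            "//evil.com", "/\\evil.com", "evil.com", ""
        };
        foreach (var s in samples)
            Console.WriteLine($"{s,-22} -> {SafeRedirectTarget(s, "/")}");
    }
}
```

Only the first two samples are passed through unchanged; every other value is replaced by the fallback "/".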