Vulnerability Summary
A base64-encoded query parameter on a login/terms acceptance page was decoded and used directly in window.location.href with only protocol validation — no domain check. The writeup covers tracing the vulnerable code in the Angular bundle, crafting the payload, and why the legitimate branding makes this particularly effective for phishing.
I found a DOM-based open redirect on an identity/SSO provider's terms acceptance page. The application uses a param query parameter containing a base64-encoded URL that gets decoded and assigned to window.location.href after the user accepts terms and clicks "Log In."
The only client-side validation checks the URL protocol (http:// or https://) but not the domain, allowing an attacker to redirect users to any external URL through a legitimate, branded login page.
An open redirect vulnerability was identified within an OAuth authorization flow endpoint. The vulnerability occurs because the callback_url (or equivalent redirect parameter) is validated using an insecure string prefix match instead of exact parsing.
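The two weak checks described above (protocol only, and string prefix match) next to a check that parses the decoded URL and compares its origin exactly. This is an added example, not code from the affected application or the report; the function names, the allowlisted origin, the fallback path and the sample values are all assumptions.

```javascript
// Added example: every name, origin and sample value here is hypothetical.
const ALLOWED_ORIGINS = new Set(["https://app.example.com"]); // assumed allowlist
const FALLBACK = "/"; // assumed safe landing path

// Weak: only the protocol is checked, so any domain is accepted.
function protocolOnlyCheck(decoded) {
  return decoded.startsWith("http://") || decoded.startsWith("https://");
}

// Weak: prefix match on the raw string instead of parsing the URL.
function prefixCheck(decoded) {
  return decoded.startsWith("https://app.example.com");
}

// Hardened: decode, parse, then compare the parsed origin exactly.
function safeRedirectTarget(b64Param) {
  let url;
  try {
    url = new URL(atob(b64Param)); // throws on bad base64 or a non-absolute URL
  } catch {
    return FALLBACK;
  }
  if (url.protocol !== "https:") return FALLBACK;
  if (url.username || url.password) return FALLBACK; // reject userinfo tricks
  if (!ALLOWED_ORIGINS.has(url.origin)) return FALLBACK;
  return url.href;
}

// Constructed sample parameters (reserved example domains only).
const SAMPLES = {
  ok: btoa("https://app.example.com/dashboard"),
  otherDomain: btoa("https://other.example.net/login"),
  lookalike: btoa("https://app.example.com.other.example.net/"),
  userinfo: btoa("https://app.example.com@other.example.net/"),
  plainHttp: btoa("http://app.example.com/"),
};

// Compare what each check decides for every sample.
function compareChecks() {
  return Object.entries(SAMPLES).map(([name, p]) => ({
    name,
    protocolOnly: protocolOnlyCheck(atob(p)),
    prefix: prefixCheck(atob(p)),
    hardened: safeRedirectTarget(p),
  }));
}
```

In the browser, the value returned by safeRedirectTarget is what would be assigned to window.location.href in place of the raw decoded parameter.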
HackerOne disclosed report: https://hackerone.com/reports/3599248 by marioniangi