Hello world. Today I share how I detected a $$$$ Open Redirect bug from a simple WhatsApp message. The same trick works on other platforms like Twitter, Facebook etc.: you can test any URL / website through any client that renders link previews with the Open Graph Protocol (don’t freak out yet, it is something you are used to).
Anyone from a web development background is aware of the Open Graph protocol, which enables any web page to become a rich object in a social graph.
What do I mean in simple terms? Ever pasted a URL into a chat box and watched the link load a thumbnail with a title and a description? That is simply what the Open Graph Protocol does!!
Have a look at Open Graph Protocol: https://ogp.me/ , https://developers.facebook.com/docs/sharing/opengraph
(I have replaced the vulnerable URLs with redacted.com)
Basically, when you paste a URL for, let’s say, twitter.com, the client loads Twitter’s Open Graph tags (the “og” attributes) from its primary HTML page.
Now if anything other than Twitter’s description, page title, thumbnail and URL loads up, it means the real destination of the pasted URL is the site whose title loads up!!
Practical Perspective of that:
Now I paste the link https://twitter.com into a WhatsApp text box and, before I press send, it preloads to:
That is because of the Open Graph Protocol. (Read details of the “og” attributes from the links in the introduction of this write-up)
Now I have another link:
https://redacted.com/?redirectUrl=astralecorp.com/xss.html
That preloads to:
This tells you that the general destination of the URL is Google: google.com, which means they have open redirect protection in place.
And indeed it redirects to: google.com
Open redirect could simply be protected by Content Security Policies, so you can try to bypass that (this write-up is not about the bypass).
Now I have yet another URL, on an ASP.NET web framework:
(sm in the URL replaces something that can be dorked to reveal the original target, so I replaced it)
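For the defensive side of the redirect parameter, here is an added example (my own code, not the redacted site’s or any framework’s) of how a server can validate a `redirectUrl`-style value before issuing the redirect. The host names (`redacted.example`, `astralecorp.example`) and the allowlist are constructed for the example. It only ever returns a same-origin path or an allowlisted https host; scheme-less values like `astralecorp.example/xss.html`, protocol-relative `//host`, backslash variants and non-https schemes all fall back to the home page.

```python
"""Server-side validation of a redirect parameter (the defensive counterpart
of the open redirect in the write-up). Added example, not the vulnerable
site's own code. Only two outcomes are allowed: a path on this origin, or an
absolute https URL whose host is in an explicit allowlist. Anything else
falls back to a fixed safe location."""
from urllib.parse import urlparse, urlunparse

# Constructed allowlist for the example; a real deployment lists its own hosts.
ALLOWED_HOSTS = {"redacted.example", "www.redacted.example"}
FALLBACK = "/"


def safe_redirect_target(value, allowed_hosts=ALLOWED_HOSTS, fallback=FALLBACK):
    """Return a redirect target that is safe to put in a Location header."""
    if not value:
        return fallback
    value = value.strip()
    # Browsers treat "/\evil.example" like "//evil.example"; normalise first
    # so the netloc check below sees what the browser would see.
    value = value.replace("\\", "/")
    parts = urlparse(value)

    if parts.scheme or parts.netloc:
        # Absolute-looking target: only https to an allowlisted host is accepted.
        if parts.scheme not in ("", "https"):
            return fallback           # http:, javascript:, data:, ...
        host = (parts.hostname or "").lower()
        if host not in allowed_hosts:
            return fallback           # "https:evil.example" has no hostname -> rejected too
        # Rebuild explicitly so the scheme is https and the fragment is dropped.
        return urlunparse(("https", parts.netloc.lower(), parts.path or "/",
                           parts.params, parts.query, ""))

    # No scheme and no netloc: must be a path on this origin. A bare
    # "astralecorp.example/xss.html" (scheme-less, as in the write-up) does not
    # start with "/" and is rejected; "//host" is protocol-relative and rejected.
    if not value.startswith("/") or value.startswith("//"):
        return fallback
    return value
```

The check is deliberately an allowlist rather than a blocklist of known-bad prefixes: every value that does not match one of the two accepted shapes is replaced, so a new encoding trick has to defeat the parser, not a list of patterns.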
https://www.redacted.com/www/sm/sm/test.astralecorp.com/xss.html
The URL preloads to:
This tells you that the final destination of the URL is https://test.astralecorp.com/xss.html
That is when I knew I had an Open Redirect. And indeed, loading the URL redirects to test.astralecorp.com/xss.html and I get the XSS PoC.
See: it is that simple to detect Open Redirect.
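What the chat client is doing for you in the steps above can be reproduced offline. The following is an added example (my own code, not WhatsApp’s or any client’s real preview logic) that follows a redirect chain the way a link-preview bot does, scrapes the `og:` meta tags from the page it ends on, and flags when that page lives on a different host than the pasted link. The web it walks is a constructed in-memory table (`FAKE_WEB`, hosts on the `.example` TLD) standing in for HTTP, and the hop limit is an assumption: real preview bots also stop following redirects after a few hops, so a chain longer than that shows no preview even though the redirect is there.

```python
"""Simulated link preview: follow redirects like an Open Graph preview bot,
collect the og: tags of the final page, and report whether the chain ended on
a different host than the one pasted. Constructed example; FAKE_WEB stands in
for real HTTP and uses .example host names."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

MAX_HOPS = 5  # assumed limit; preview bots give up after a few redirects


class OGParser(HTMLParser):
    """Collect <meta property="og:..." content="..."> tags from an HTML page."""

    def __init__(self):
        super().__init__()
        self.og = {}

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        a = dict(attrs)
        prop = a.get("property") or ""
        if prop.startswith("og:") and a.get("content") is not None:
            self.og[prop] = a["content"]


def parse_og(html):
    p = OGParser()
    p.feed(html)
    return p.og


# Constructed fake web: url -> (status, Location header or HTML body).
FAKE_WEB = {
    "https://redacted.example/www/sm/sm/test.astralecorp.example/xss.html":
        (302, "https://test.astralecorp.example/xss.html"),
    "https://test.astralecorp.example/xss.html":
        (200, '<html><head><meta property="og:title" content="XSS POC">'
              '<meta property="og:url" content="https://test.astralecorp.example/xss.html">'
              '</head></html>'),
    "https://redacted.example/?redirectUrl=astralecorp.example/xss.html":
        (302, "https://www.google.com/"),
    "https://www.google.com/":
        (200, '<html><head><meta property="og:title" content="Google"></head></html>'),
    "https://loop.example/a": (302, "/b"),
    "https://loop.example/b": (302, "/a"),
}


def fake_fetch(url):
    """Return (status, payload); 404 for anything not in FAKE_WEB."""
    return FAKE_WEB.get(url, (404, ""))


def preview(url, fetch=fake_fetch, max_hops=MAX_HOPS):
    """Walk the redirect chain and return what a preview bot would show."""
    chain = [url]
    current = url
    for _ in range(max_hops):
        status, payload = fetch(current)
        if status in (301, 302, 303, 307, 308):
            current = urljoin(current, payload)  # Location may be relative
            chain.append(current)
            continue
        return {
            "chain": chain,
            "final_url": current,
            "og": parse_og(payload) if status == 200 else {},
            # The write-up's signal: the preview belongs to a different site.
            "cross_host": urlparse(url).hostname != urlparse(current).hostname,
            "truncated": False,
        }
    # Hop limit hit: no page was reached, so no tags and no preview.
    return {"chain": chain, "final_url": current, "og": {},
            "cross_host": urlparse(url).hostname != urlparse(current).hostname,
            "truncated": True}
```

Run against the first constructed URL, `preview()` reports a two-entry chain ending on `test.astralecorp.example` with `og:title` “XSS POC” and `cross_host` set, which is exactly the mismatch the write-up spots by eye; the `redirectUrl` variant ends on Google, and the loop shows the hop-limit caveat.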
WHAT IF I HAD NOT USED WHATSAPP PRELOAD TO DETECT IT?
Well, I first noticed the bug within a few minutes of being invited to the program, during recon, when I noticed the use of: utm_source=&utm_medium=redirect&utm_campaign=
The utm_source parameter is a great hunting ground for SSRF, XSS and Open Redirect.
You can see reports of such on Hackerone: https://hackerone.com/hacktivity?querystring=utm&filter=type:public&order_direction=DESC&order_field=latest_disclosable_activity_at&followed_only=false&collaboration_only=false
How did I notice it so fast??
I used the Wayback Machine: https://web.archive.org/
That was after Alien OTX (https://otx.alienvault.com/) failed to give me URLs.
Analysing the URLs one by one I noticed the endpoint, and when saving the finding to my personal WhatsApp chat for later reference I noticed the preload and knew I had it!!!
The “og” attributes in HTML helped me notice the bug quickly.
The write-up may not feel extensive, but if you have any questions contact me on Twitter.
Thank you