An unreproducable bug due to the load balancer, an unusual Open Redirect bug

Note that some of you may have read it since this is a bug bounty writeup from my old blog (I deleted them last year while I took a long break from bug bounty hunting).

This writeup is posted for educational purpose and no real program name and / or endpoints are being disclosed. I will use example.com doman in the reproduce steps.

I found an Open Redirection bug accidentially while testing a private program man web application. This website was supposed to redirects any endpoint from www-prefix to non-www version. For example, visiting:

www.example.com/page1.php

Will redirect user to:

example.com/page1.php

But for some reason (honesty I am not from software development field) I believed that the developer extracted the URL path:

www.example.com/page1.php

Into an array:

[www.]
[example.com]
[page1.php]

And then connect each of them (except [www.]) before the redirection. They forgot to add '/' between the original path and the server redirected the user to:

example.compage1.php

As I don't have any web development skill I was not sure why they did this. It should not be that hard to just redirect user to non-www version of a URL (I guess they used this data for an analytic work). So I filed a report with a quick PoC:

Steps to reproduce:

- Visit www.example.com/evil.com
- You will be redirected to example.comevil.com

On next day the program team member could not reproduce the bug. I tried to go to the PoC again and now it correctly redirected me to example.com/evil.com

Now you may think that someone has fixed this but after several atempts on this same URL (I sent the link to the Burp Repeater and keep pressing the Enter key) I noticed that sometimes my PoC worked (and most of the time it didn't).

I gave this information to the team and we had a conclusion that I just (luckily) hit one of the loadbalancer servers which incorrectly implemented non-www redirection. The bug was fixed (and bounty rewarded) within a week.

Comments