Instagram - Open Redirect Vulnerability

2019.09.09
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

-----------------[ Gotleeeeeeek ]----------------- [.] Instagram - Open Redirect Vulnerability [.] Date: 08/09/2019 [.] Remote: Yes [.] Risk: Med [.] Author: Gurzil [.] Contact: gurzil@t-online.de [.] Tested on: Mozilla/5.0 (Windows NT 10.0; Win64; x64) [.] Exploit : https://l.instagram.com/?u=[Open Redirect Vul]&e=ATNmQ90zIVHH2bhyiNN57ecxj5wspbOi6DVKRjfEm1XhaOcCEvrWZZBkAhFSO-dZFytOBNKI6muCFN-NYA -----------------[ Gotleeeeeeek ]----------------- | Description | #What is Open Redirect Vulnerability? Open redirect is a security flaw in an app or a web page that causes it to fail to properly authenticate URLs. When apps and web pages have requests for URLs, they are supposed to verify that those URLs are part of the intended page’s domain. Open redirect is a failure in that process that makes it possible for attackers to steer users to malicious third-party websites. Sites or apps that fail to authenticate URLs can become a vector for malicious redirects to convincing fake sites for identity theft or sites that install malware. Normally, redirection is a technique for shifting users to a different web page than the URL they requested. Webmasters use redirection for valid reasons, such as dealing with resources that are no longer available or have been moved to a different location. Web users often encounter redirection when they visit the Web site of a company whose name has been changed or which has been acquired by another company. -----------------[ Gotleeeeeeek ]----------------- | Proof Of Concept | when you put the website address in instagram account and save it , you can visit profile and use inspect element to see the link of redirection. this link have 2 parameters : &e=[Its Unknown String but it must exist to redirect ! ] ?u=[your website address]) done ! you can change parameter "u=[your website address]" -----------------[ Gotleeeeeeek ]-----------------


Vote for this issue:
100%
0%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019, cxsecurity.com

 

Back to Top