Posts

Showing posts from August, 2022

open redirect bypass

Image
                Simple Open Redirect Bypass. Was checking the login page for XSS and other stuff. noticed that the login page had one hidden parameter. " returnToUrl " Here, Application had some server-side protection which was checking user input URL's.  Payload : https://google.com : forbidden Payload : //google.com : forbidden Payload: https://142.250.188.4  :  forbidden   Bypass Payload: https: /// google.com https://example.com/something/do/login?returnToUrl=https: /// google.com 💜