Open Redirect 02

This exercise is one of our challenges on Open Redirect.

PRO Tier, Medium, < 1 Hr.
In this challenge, the redirect URL must start with a "/". The developer assumed that only a path/URI can start with "/". However, this check can be bypassed with "//": a URL that starts with "//" is scheme-relative, so the browser treats what follows as a hostname and reuses the scheme of the current page. For this challenge, you may want to use a site other than webhook.site, as it does not automatically redirect "http://" to "https://". Otherwise, you can use the "https://" URL for this exercise.

In the provided PHP code, a variable $site is set and header.php is required. redirect.php checks that the parameter $_GET["uri"] is set and that it starts with a single slash (the slash is escaped with a backslash inside the regular expression). If the condition is met, it returns a Location header set to $_GET["uri"]. Otherwise, it defaults to the root ("/"). The issue lies in the regular expression: it accepts any value that begins with "/", including a URI starting with "//" followed by a hostname, which leads to an open redirect vulnerability.
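The check described above next to a stricter one, as an added example (this is not the exercise's PHP source, which is not reproduced on this page). JavaScript is used so that the browser's URL resolution can be shown directly; `BASE`, `weakCheck`, `strictCheck`, `locationFor`, `resolvedHost` and the `.example` hostnames are assumptions made up for illustration.

```javascript
// Constructed address of the site hosting redirect.php (assumption).
const BASE = "https://app.example/redirect.php";

// The check as the page describes it: accept anything that starts with "/".
function weakCheck(uri) {
  return typeof uri === "string" && /^\//.test(uri);
}

// Stricter check: exactly one leading "/", no control characters, and the
// value must still resolve to our own origin when parsed like a browser does.
function strictCheck(uri) {
  if (typeof uri !== "string") return false;
  // Second character must not be "/" or "\" (browsers treat "\" as "/"
  // in http(s) URLs, so both forms start an authority component).
  if (!/^\/(?![\/\\])/.test(uri)) return false;
  // Tabs and newlines are stripped by URL parsers before resolution.
  if (/[\x00-\x1f\x7f]/.test(uri)) return false;
  let target;
  try {
    target = new URL(uri, BASE);
  } catch {
    return false;
  }
  return target.origin === new URL(BASE).origin;
}

// Value the server would place in the Location header; "/" is the fallback,
// matching the behaviour described for redirect.php.
function locationFor(uri, check) {
  return check(uri) ? uri : "/";
}

// Host the browser ends up on after following the Location value.
function resolvedHost(uri) {
  return new URL(uri, BASE).host;
}

// Constructed sample inputs.
for (const uri of ["/account/settings", "//other.example/landing"]) {
  console.log(
    uri,
    "| weak ->", resolvedHost(locationFor(uri, weakCheck)),
    "| strict ->", resolvedHost(locationFor(uri, strictCheck))
  );
}
```

With the weak check, the second sample resolves to `other.example`; with the strict check, both samples stay on `app.example`.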
