Good day, everyone!
Atharv here from India. I discovered a security flaw in hive.io and decided to write a blog post about it.
The vulnerability I'll discuss isn't new; it's a well-known pattern among web developers. However, not many people have considered it from a security standpoint, and I had never seen it discussed in any security paper, so I decided to bring it up.
What is an Open Redirect?
Most of us should already be familiar with the term "open redirect." If you aren't, it's when an unauthorized person can set any value as a redirect destination. Consider the following "legitimate" redirect chain:
https://example.com/login?redirectUrl=https://app.example.com
Which leads to app.example.com in the end. But what if someone changes this URL to the following:
https://example.com/login?redirectUrl=https://evil.com
You'll notice that the end destination has changed from app.example.com to evil.com. If the web app accepts that URL change and we are eventually redirected to https://evil.com, it's an open redirect vulnerability. This behaviour could be chained with other vulnerabilities like SSRF, used for phishing attacks, or used to steal access tokens from authentication flows. There are numerous things that can be done
Vulnerable URL: https://developers.hive.io//evil.com/..;/css
I reported this bug immediately to Hive security. After a few days, the Hive security team was able to resolve the issue.
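To make the failure concrete, here is an added example in Python (not code from the original post and not Hive's own code): a naive "relative paths only" check that a protocol-relative value such as the reported `//evil.com/..;/css` slips past, beside an allow-list validator that parses the target and rebuilds it on a known host. The host names, the default landing page and the `redirectUrl` handling are assumptions made for illustration.

```python
from urllib.parse import urlsplit, urlunsplit

# Hosts a redirect is allowed to land on (constructed example values).
ALLOWED_HOSTS = {"example.com", "app.example.com"}
DEFAULT_TARGET = "https://app.example.com/"


def naive_is_safe(redirect_url: str) -> bool:
    """A common but insufficient check: 'anything starting with / is local'.

    '//evil.com/...' starts with '/' yet is a protocol-relative URL, so a
    browser resolves it to https://evil.com/... and the check passes anyway.
    """
    return redirect_url.startswith("/") and not redirect_url.startswith("http")


def safe_redirect_target(redirect_url: str, default: str = DEFAULT_TARGET) -> str:
    """Return redirect_url only if it resolves to an allow-listed host.

    Anything that cannot be pinned to a known host falls back to `default`.
    """
    # Backslashes and CR/LF are treated differently by browsers and parsers;
    # refuse them rather than guess how they will be normalised downstream.
    if not redirect_url or any(c in redirect_url for c in "\\\r\n"):
        return default

    parts = urlsplit(redirect_url)

    # Only web schemes (or no scheme at all) may be followed.
    if parts.scheme not in ("", "http", "https"):
        return default

    # Reject path segments carrying parameters (';') or traversal ('..');
    # the reported URL (//evil.com/..;/css) uses both.
    for segment in parts.path.split("/"):
        if ";" in segment or segment == "..":
            return default

    if parts.netloc == "":
        # Purely relative path: require a single leading '/' and pin it to
        # the default host explicitly instead of trusting the browser.
        if not parts.path.startswith("/") or parts.path.startswith("//"):
            return default
        return urlunsplit(("https", "app.example.com", parts.path, parts.query, ""))

    # hostname strips userinfo and port, so 'app.example.com@evil.com' is
    # judged on 'evil.com', not on the decoy prefix.
    host = parts.hostname or ""
    if host not in ALLOWED_HOSTS:
        return default

    # Rebuild from the validated host only: no userinfo, no port, no fragment.
    return urlunsplit(("https", host, parts.path or "/", parts.query, ""))


if __name__ == "__main__":
    for candidate in ("//evil.com/..;/css", "https://evil.com", "/dashboard?tab=1"):
        print(candidate, "naive:", naive_is_safe(candidate),
              "validated:", safe_redirect_target(candidate))
```

The important design choice is that the validator never echoes the raw parameter: it parses, checks the host against a fixed allow list, and re-serialises, so anything the parser and the browser might disagree on (protocol-relative paths, userinfo, stray path parameters) is dropped before the `Location` header is built.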
Some dorks for finding open redirection vulnerabilities:
Please upvote if you learn something :)
Thanks.
Hello Atharv, nice to see you here, man. Thanks for contributing to Hive.io's security. While there are people who are stealing funds from others' accounts, we have people like you who are safeguarding this place with their skills and knowledge.
Welcome to Hive! I have noticed that you didn't make your introductory post. It would be great to know you a little bit more and what exactly you do. Make sure you use the #introduceyourself tag while making it. It will help you get some more attention.
Btw, I am from India too. Looking forward to reading your future posts. ✌🚀 Hive can use more talented people like you.
Posted Using LeoFinance Beta
Hello Finguru,
I am Atharv currently working as a security researcher. I am from Pune, Maharashtra.
Where are you from?
I am from New Delhi. Working as a freelance social marketer. ✌️
Do more of these posts!
Posted Using LeoFinance Beta
Thanks!
What a good technical eye, friend, thanks for your contribution...
Congratulations @hacktax! You have completed the following achievement on the Hive blockchain and have been rewarded with new badge(s):
Your next target is to reach 100 upvotes.
You can view your badges on your board and compare yourself to others in the Ranking
If you no longer want to receive notifications, reply to this comment with the word STOP
Check out the last post from @hivebuzz:
Welcome to Hive, and thanks so much for helping to protect this wonderful place :) I hope to see you here often :)
#dreemer
!PIZZA and !ALIVE
You Are Alive and have been rewarded with 0.1 ALIVE tokens from the We Are Alive Tribe, and it's paid for by the earnings on @alive.chat, swing by our daily chat any time you want.