I found this bypass in an application while I was doing pentesting. I hope it helps you too!
While I was trying to redirect with https://targetweb.com?url=http://attackersite.com, it did not redirect!
I created a new subdomain, www.targetweb.com.attackersite.com
And when I tried to redirect with https://targetweb.com?url=www.targetweb.com.attackersite.com
It successfully redirected to the www.targetweb.com.attackersite.com website!
Due to the bad regex, it successfully bypassed their protection!
@bishal0x01
https://twitter.com/bishal0x01/status/1262021038080053248
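
The failure described above, as an added example that is not part of the original tip: a hypothetical prefix-style regex (the page does not show the application's actual pattern) beside a check that parses the value and compares the complete hostname against an assumed allowlist. The function names, the allowlist and the treatment of scheme-less values as hosts are assumptions made for the example.

```python
import re
from urllib.parse import urlsplit

# Assumption: the only hosts this app may redirect to (placeholder names from the write-up).
ALLOWED_HOSTS = {"targetweb.com", "www.targetweb.com"}

# Hypothetical weak filter; the write-up does not show the real regex.
# It anchors the start of the value but never checks where the hostname ends.
WEAK_PATTERN = re.compile(r"^(https?://)?(www\.)?targetweb\.com")
HAS_SCHEME = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*://")

def weak_is_allowed(value: str) -> bool:
    """Prefix match only: any hostname that merely starts with the trusted name passes."""
    return WEAK_PATTERN.match(value) is not None

def strict_is_allowed(value: str) -> bool:
    """Parse the value and compare the complete hostname against the allowlist."""
    # Backslashes, whitespace and control characters are handled differently by
    # browsers and by urlsplit, so refuse them outright.
    if any(ch == "\\" or ch.isspace() or ord(ch) < 0x20 for ch in value):
        return False
    # Assumption: like the app in the write-up, scheme-less values are treated as a host.
    if not HAS_SCHEME.match(value):
        value = "https://" + value
    try:
        parts = urlsplit(value)
        host = parts.hostname
    except ValueError:
        return False
    if parts.scheme not in ("http", "https") or parts.username is not None:
        return False
    return host in ALLOWED_HOSTS

# Constructed sample inputs: the two values from the write-up plus legitimate targets.
SAMPLES = [
    "http://attackersite.com",
    "www.targetweb.com.attackersite.com",
    "https://www.targetweb.com/account",
    "www.targetweb.com/account",
]

def compare(samples=SAMPLES):
    """Return (value, weak_result, strict_result) for each sample."""
    return [(s, weak_is_allowed(s), strict_is_allowed(s)) for s in samples]

if __name__ == "__main__":
    for value, weak, strict in compare():
        print(f"{value:40} weak={weak!s:5} strict={strict}")
```

The weak check and the strict check agree on every sample except the look-alike subdomain, which only the exact-host comparison rejects.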