How I was able to inject HTML content and get an Open Redirect
HTML Injection + Open Redirect!!!
Hello guys!!!, thanks for checking out my blog. I hope you have gained something good out of it. Please keep visiting this blog for more updates.
Okay, this time I would say that this HTML injection / open redirect led to nothing: when I reported them, they said they were going to merge with another multinational company, which wouldn't allow them to provide any bug bounty / goodies 😄😄😆😆.
This is one of my oldest findings, because at that time I was just getting into the WhiteHat business from being a pure BlackHat. After a few years as a BlackHat it pissed me off, because people used to send me messages / emails saying "please do SQL injection, take out the database and send it to us, and we will pay you this amount" (can't disclose the figure, but sure, the figures were big). Then, when you are a BlackHat, LOL, the world around you is like "deface Pakistani sites", and I was like "dude, come on, don't be a bunch of A-holes altogether". So finally I stepped into the WhiteHat world and, to my surprise, wow, this world is far better than any of the remaining HAT worlds: people will really pay you money voluntarily if you help them strengthen their security, and I was like.....ohh!!! dude, for my passion of hunting security bugs they will pay me money, OMG!!!
From that day on I haven't touched any BlackHat thing and have kept my focus on becoming a pure WhiteHat. I have succeeded in being one till now, but sometimes, when your reports get N/A or Duplicate, it feels like I should become a GREYHAT. But then again, if one report gets Duplicate or N/A, we should not lose hope.
Okay, let's get back to our business of open redirects and HTML Injection (the word "Injection" in particular is a LOVE of bug hunters, as it pays a lot if reported in time with a proper POC 😀😉). So I was visiting this site and I found a parameter in which, if I put any HTML scripts / tags, they were not sanitized and were sent straight back by the server exactly as submitted. For people who want deeper knowledge of this bug: if a malicious user submits an HTML tag, it must be sanitized on the server side, i.e. the markup must be broken in such a way that the browser can no longer interpret it as code to execute. That is why the htmlspecialchars() function is used so often: it converts "<", ">" etc. into entities like &lt; and &gt;, which the browser renders as text instead of executing.
So when I saw in the view-source page that the special chars were not being sanitized and were shown exactly as sent by the user, I thought, okay, XSS is definitely something I will find here. So I went ahead and used the script `"/><img src=x onerror=confirm(1);>` (the most common tag, used for so long that no one even remembers where it came from) and, to my surprise, it didn't pop up a box and I was like....
So I went ahead and checked the source code and found that they somehow had a filter function that was eliminating any event handler being used, and I was like... First things first: they had used a function to detect event handlers and remove them, but they hadn't used the htmlspecialchars() function. So I finally decided to go ahead with HTML Injection, and I was able to inject content into the page. I was even able to add images to the page, and many other HTML tags could have been used.
Then, while I was testing different tags, I noticed a parameter named "?return=/xyz/x.html" and I was like, dude, this might give me another bug, "the unvalidated open redirect". I went ahead and tried "?return=google.com" and I was like .....
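To make the difference between the two defences concrete, here is an added example (my own illustration, not code from the blog or from the affected site) that models the three situations the post describes: the parameter echoed verbatim, a blocklist filter that strips only `on*` event handlers, and proper output encoding. The `<input>` template, the function names and the `EVENT_HANDLER` regex are assumptions standing in for the site's unknown code; the payload is the one quoted above.

```python
import html
import re

# Constructed sample: the value a user supplies to the reflected parameter
# (the same tag the post tried).
USER_INPUT = '"/><img src=x onerror=confirm(1);>'

def render_unsanitized(value: str) -> str:
    """The behaviour described in the post: the parameter is echoed verbatim."""
    return f'<input name="q" value="{value}">'

# Stand-in for the site's event-handler filter (assumed): removes any
# ` on<name>=<value>` attribute but leaves the surrounding tag untouched.
EVENT_HANDLER = re.compile(
    r'\s+on\w+\s*=\s*("[^"]*"|\'[^\']*\'|[^\s>]+)', re.IGNORECASE
)

def render_handler_blocklist(value: str) -> str:
    """Blocklist-style filter: the script part is neutralised, but because the
    '<' and '"' characters survive, the tag itself still lands in the page.
    This is the HTML-injection-but-no-XSS state the post found."""
    return f'<input name="q" value="{EVENT_HANDLER.sub("", value)}">'

def render_escaped(value: str) -> str:
    """Output encoding (the htmlspecialchars() equivalent): < > & " ' become
    entities, so the browser displays the text instead of parsing markup."""
    return f'<input name="q" value="{html.escape(value, quote=True)}">'

def contains_injected_tag(page: str) -> bool:
    """Detection helper: does any tag other than the template's own <input>
    appear in the rendered page?"""
    tags = re.findall(r"<\s*([a-zA-Z][a-zA-Z0-9]*)", page)
    return any(t.lower() != "input" for t in tags)

if __name__ == "__main__":
    for name, render in [("verbatim", render_unsanitized),
                         ("handler blocklist", render_handler_blocklist),
                         ("html.escape", render_escaped)]:
        page = render(USER_INPUT)
        print(f"{name:18} injected tag: {contains_injected_tag(page)}  -> {page}")
```

Running it shows the blocklist version still contains an `<img>` tag (with the `onerror` attribute gone), while the escaped version contains no tag at all, which is why encoding at the output point is the fix rather than hunting for handler names.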
Bang! Unvalidated Open Redirect!!!
So here is the POC for the above scenario....
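For readers wondering what "validated" would have looked like for that `return` parameter, here is an added example (mine, not the site's code) of a server-side check that only accepts a same-site absolute path like `/xyz/x.html` and falls back to a default page for anything else, including the bare `google.com` value from the post. The function name, the default target and the rejection rules are assumptions.

```python
from urllib.parse import urlsplit

DEFAULT_TARGET = "/"  # assumed fallback landing page

def safe_return_target(value: str, default: str = DEFAULT_TARGET) -> str:
    """Return `value` only if it is a same-site absolute path; else `default`.

    Accepted: "/xyz/x.html", "/account?tab=1#top"
    Rejected: "google.com" (relative host-looking value), "//evil.example"
              (protocol-relative), "https://evil.example" (absolute URL),
              "/\\evil.example" (browsers treat backslash as slash),
              "javascript:alert(1)" (non-HTTP scheme), empty values, and
              anything containing control characters such as tab or newline.
    """
    if not value:
        return default
    value = value.strip()
    # Reject control characters before parsing: urlsplit silently drops
    # tabs/newlines, which could otherwise hide a scheme from the check.
    if any(ord(c) < 0x20 or c == "\x7f" for c in value):
        return default
    parts = urlsplit(value)
    if parts.scheme or parts.netloc:
        return default
    path = parts.path
    if not path.startswith("/") or path.startswith("//") or "\\" in path:
        return default
    return value

if __name__ == "__main__":
    # Constructed sample values, including the two from the post.
    for candidate in ["/xyz/x.html", "google.com", "//evil.example/",
                      "https://evil.example/", "/\\evil.example",
                      "javascript:alert(1)", ""]:
        print(f"{candidate!r:28} -> {safe_return_target(candidate)!r}")
```

An allowlist of paths is stricter than trying to spot "bad" hosts; if the application genuinely needs to redirect off-site, compare the parsed hostname against a fixed list of permitted domains instead of string-matching the raw parameter.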
STATUS:FIXED
No Bounty
Thanks for reading!!! Good luck with your bug hunting... Do provide feedback / suggestions...