Task 1 of 3
Low Severity Alone — Critical When Chained
Open redirect is often dismissed as "low severity" — a standalone bug might pay $100–$300. But chained with OAuth it becomes a critical account takeover worth $10,000+.
In 2019, a researcher found an open redirect on accounts.company.com/login?next=URL. The same domain was a trusted OAuth redirect host. By pointing the OAuth redirect_uri at the open redirect endpoint, an attacker could make the authorization code leak to a URL they controlled. The combined bug paid $12,500.
What is an open redirect?
# Intended use: redirect after login
https://app.com/login?next=/dashboard
# Open redirect: accepts any URL without validation
https://app.com/login?next=https://evil.com/phishing
# User logs in → lands on evil.com
# Looks legitimate — URL starts with app.com
Phishing
Send a link starting with trusted domain. User trusts it, gets redirected to fake login page.
OAuth token theft
The OAuth server accepts any redirect_uri on the trusted domain, so the open redirect forwards the authorization code to the attacker.
Referrer leakage
Redirect to an attacker server — the Referer header may expose sensitive tokens from the previous page.
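To make the defensive side of this concrete, here is an added example (not code from the original task) of the two checks that break the chain: a `next`-parameter validator that only allows first-party destinations, shown beside the naive prefix test it replaces, and an OAuth redirect_uri check that requires an exact match with a registered callback rather than trusting a whole host. The origin app.example and the callback path are constructed for the example.

```python
from urllib.parse import urlparse

# Constructed first-party origin and registered OAuth callback for this example.
APP_HOST = "app.example"
APP_ORIGIN = "https://" + APP_HOST
DEFAULT_NEXT = "/dashboard"
REGISTERED_REDIRECT_URIS = {APP_ORIGIN + "/oauth/callback"}


def naive_is_safe(next_url: str) -> bool:
    """The prefix test many login handlers ship. It accepts '//evil.example',
    'https://app.example.evil.example' and 'https://app.example@evil.example',
    all of which send the browser somewhere else."""
    return next_url.startswith("/") or next_url.startswith(APP_ORIGIN)


def safe_next(next_url: str) -> str:
    """Return an absolute URL on APP_ORIGIN, or DEFAULT_NEXT if next_url is unsafe.
    Policy: a path-relative URL with exactly one leading slash, or an absolute
    https URL whose whole authority (no userinfo, no port) equals APP_HOST."""
    if not next_url or len(next_url) > 2048:
        return DEFAULT_NEXT
    # Browsers strip/normalise control characters, spaces and backslashes in ways
    # urlparse does not ('/\\evil.example' is treated as '//evil.example').
    if any(ord(c) <= 0x20 or c == "\\" for c in next_url):
        return DEFAULT_NEXT
    parsed = urlparse(next_url)
    if parsed.scheme or parsed.netloc:
        # Absolute or scheme-relative ('//host') URL: compare the whole netloc so
        # 'user@host', 'host:port' and 'host.evil.example' all fail.
        if parsed.scheme != "https" or parsed.netloc.lower() != APP_HOST:
            return DEFAULT_NEXT
        return parsed.geturl()
    # Relative URL: exactly one leading slash; '///host' resolves to https://host
    # in browsers even though urlparse reports an empty netloc for it.
    if not next_url.startswith("/") or next_url.startswith("//"):
        return DEFAULT_NEXT
    return APP_ORIGIN + next_url


def redirect_uri_allowed(redirect_uri: str) -> bool:
    """OAuth side of the chain: accept redirect_uri only on an exact match with
    a registered callback. Trusting any path on the host is what lets
    /login?next=... on the same domain receive the authorization code."""
    return redirect_uri in REGISTERED_REDIRECT_URIS
```

Either check alone closes this particular chain; the exact-match redirect_uri rule also removes the dependency on every other endpoint on the host being redirect-safe.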
Why is an open redirect on an OAuth callback domain a critical vulnerability?