After extensive recon on a wide-scope target and checking the live web servers one by one, I found a web server with lots of endpoints and things to play with. After taking a look at one of its redirect pages, it turned out to allow redirects from a user-controlled source, which was escalatable to DOM XSS.
After taking a look at my Burp Suite history, there was a page that allowed redirects and returned the following response.
It seemed that by using the redir parameter, users could be redirected to an arbitrary destination, which proved to be vulnerable to Open Redirect, but by using something such as
Therefore, by using DOM Invader, it was possible to locate the flaw: by inserting the payload
As you can see, the payload appears to be executed at line 88. Looking at the source code and going to line 88, which shows where the message is generated, line 87 shows that the parameter is passed as a URL in the form link: url in the Eloqua form query, according to the comments in line
Then, at line 116, under function
url is assigned from the attacker-controlled source location.href, which leads to the payload executing when the redirect is performed, as follows:
After finding the root cause and sending the report, the vulnerability was accepted, and the report received three stars for report writing.
As zseano's methodology mentions, it is important to map the web application and take a look at the different kinds of functionality. If you find an open redirect, it might be escalatable to XSS, and if the input is not reflected in the response but flows through the DOM, it can be a DOM XSS, which Synack tends to reward more for such flaws.
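The root cause above is a redirect sink (location.href) fed from a URL parameter without validation, which is what lets a scheme such as javascript: or an off-site host through. The block below is an added example, not code from the original post or the target application, showing the defensive counterpart: a same-origin redirect validator that rejects such values before anything is assigned to location.href. The parameter name redir comes from the post; the origin, the function names and the test values are assumptions constructed for this demo.

```javascript
// Added example (not the original post's code): validate a `redir` parameter
// before using it as a navigation target. All names and values below are
// constructed for the demo; only the parameter name `redir` comes from the post.

const ASSUMED_ORIGIN = "https://app.example.com"; // constructed origin for the demo

// Returns an absolute same-origin URL to navigate to, or null if the value
// must be rejected. Resolving against the page origin keeps relative paths
// on-site, while absolute URLs, scheme-relative "//host" values and
// "javascript:" keep their own scheme/host and are caught by the checks below.
function resolveRedirect(redir, origin = ASSUMED_ORIGIN) {
  if (typeof redir !== "string" || redir.length === 0) return null;
  let url;
  try {
    url = new URL(redir, origin);
  } catch {
    return null; // unparsable value: do not redirect
  }
  // Only web schemes: this rejects javascript:, data:, vbscript: and friends,
  // which is the DOM XSS half of the finding.
  if (url.protocol !== "https:" && url.protocol !== "http:") return null;
  // Only our own origin: this rejects off-site hosts, "//evil" and
  // look-alike hosts such as app.example.com.evil.net (the open redirect half).
  if (url.origin !== new URL(origin).origin) return null;
  return url.href;
}

// Vulnerable pattern the post describes, shown only as a comment:
//   location.href = new URLSearchParams(location.search).get("redir");
// Hardened replacement (assumed usage): validate first, fall back to a fixed page.
function redirectFromQuery(search, origin = ASSUMED_ORIGIN) {
  const params = new URLSearchParams(search);
  const target = resolveRedirect(params.get("redir"), origin);
  return target ?? origin + "/"; // in a browser: location.href = target
}

// Exercise the validator with constructed inputs when run directly.
if (typeof require !== "undefined" && require.main === module) {
  for (const v of ["/account?x=1", "javascript:alert(1)", "//evil.example/x",
                   "https://app.example.com/ok", "https://evil.example/"]) {
    console.log(JSON.stringify(v), "->", resolveRedirect(v));
  }
}
```

The validator relies on the WHATWG URL parser rather than string prefix checks, so variants like backslashes in place of slashes or a URL-encoded "//" in the query string are normalised before the origin comparison runs; a fixed fallback page, rather than the raw parameter, is used whenever validation fails.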