Description:
zerocopter.com is a bug bounty platform for Ethical hackers just like Hackerone. In Zerocopter reports, users can use Markdown. Users are also allowed to give external links in reports. If a user clicks on the External link in reports then it takes the user to an external warning page like the below screenshot
But I was able to bypass the external warning page and redirect a user to an external link without any warning page by using Markdown
<http:1249723505>
[Click Me](http:1249723505)
Note: In the above markdown 1249723505
this is the IP of google.com
[ 74.125.68.113 ] converted into Long/Decimalusing this tool.
Reproduce
- In a report I used
[Click Me](http://google.com)</code>
this markdown and the response was :<a href="/external_redirect?href=http%3A%2F%2Fgoogle.com" rel="noreferrer" target="_blank" title="">Click Me</a>
- Then I used
[Click Me](http://74.125.68.113)
this markdown and the response was<a href="/external_redirect?href=http%3A%2F%2F74.125.68.113" rel="noreferrer" target="_blank" title="">Click Me</a>
- Then I thought let’s mess up with the Protocol and changed the markdown to
[Click Me](http:/google.com)
and still no bypass. - Then I was about to use
[Click Me](http:google.com)
but I accidentally used[Click Me](http:google)
where I forgot to give.com
TLD at last in domain name in the markdown and I noticed a hope in response<a href="http%3Agoogle" rel="noreferrer" target="_blank" title="">Click Me</a>
- By analyzing the behavior I got that if I use a domain name like http:google then I can bypass the external warning page. Then I remembered the IP Long/Decimal encode.
So I used this tool to encode google.com IP to Long/Decimal** and the final markdown become[Click Me](http:1249723505)
and bingo 😎<a href="http%3A1249723505" rel="noreferrer" target="_blank" title="">Click Me</a>
- Now when a user will click on the link it will take the user directly to google.com instead of the external warning page. Then I reported this to Zerocopter on their responsible disclosure page and they fixed it and send me a Cool T-shirt and stickers as a reward.
Thanks for reading. Hope this will be helpful for you guys.
Post Views:
2,528