Prial Islam

Zerocopter External link bypass

External link warning page bypass in Zerocopter

Description: Zerocopter is a bug bounty platform for ethical hackers, just like HackerOne. In Zerocopter reports, users can use Markdown, and they are also allowed to include external links. If a user clicks an external link in a report, they are taken to an external-link warning page like the screenshot below.

Zerocopter external warning page

But I was able to bypass the external warning page and redirect a user to an external link without any warning page by using this Markdown:

[Click Me](http:1249723505)

Note: In the above markdown, 1249723505 is the IP of [ ] converted into Long/Decimal using this tool.

  • In a report I used the markdown [Click Me]( and the response was:
    <a href="/external_redirect?" rel="noreferrer" target="_blank" title="">Click Me</a>
  • Then I used the markdown [Click Me]( and the response was:
    <a href="/external_redirect?href=http%3A%2F%2F74.125.68.113" rel="noreferrer" target="_blank" title="">Click Me</a>
  • Then I thought, let's mess with the protocol, and changed the markdown to [Click Me](http:/ but still no bypass.
  • Then I was about to use [Click Me]( but I accidentally used [Click Me](http:google), where I forgot to add the .com TLD at the end of the domain name in the markdown, and I noticed a glimmer of hope in the response:
    <a href="http%3Agoogle" rel="noreferrer" target="_blank" title="">Click Me</a>
  • By analyzing the behavior I understood that if I use a domain name like http:google then I can bypass the external warning page. Then I remembered the IP Long/Decimal encoding.
    So I used this tool to encode the IP to Long/Decimal, and the final markdown became [Click Me](http:1249723505) and bingo 😎

    <a href="http%3A1249723505" rel="noreferrer" target="_blank" title="">Click Me</a>
  • Now when a user clicks on the link it takes the user directly to instead of the external warning page. Then I reported this to Zerocopter on their responsible disclosure page; they fixed it and sent me a cool T-shirt and stickers as a reward.
Cool T-shirt and stickers as reward
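The root cause described above is that the link renderer only treated hrefs beginning with a literal http:// or https:// as external, so a URL with a scheme but no "//" (http:google, http:1249723505) slipped past the warning page. The following is an added example, not Zerocopter's code, contrasting that naive classifier with a hardened one that keys on the presence of any URL scheme, and decoding the Long/Decimal host so a warning page can show where the link really leads. Function names and the whitespace-stripping step are my own assumptions.

```python
import re
import ipaddress
from urllib.parse import quote

# RFC 3986 scheme: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) followed by ":".
# No "//" is required, so "http:google" and "http:1249723505" both carry a scheme.
SCHEME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*:")


def is_external_naive(href):
    """Classifier modelled on the behaviour in the write-up: only hrefs that
    literally start with http:// or https:// are treated as external."""
    return href.lower().startswith(("http://", "https://"))


def is_external(href):
    """Hardened classifier (added here as an assumption, not the platform's code):
    any absolute URL (one that has a scheme) or scheme-relative URL (starts with
    "//") leaves the site.  Whitespace and C0 control characters are removed
    first, since browsers ignore them when resolving an href.  A value such as
    "localhost:8080" also matches SCHEME_RE and is treated as external, which is
    the conservative outcome for a warning page."""
    cleaned = re.sub(r"[\x00-\x20]+", "", href)
    return cleaned.startswith("//") or SCHEME_RE.match(cleaned) is not None


def rewrite_href(href, classifier=is_external):
    """Return the value the rendered <a href> should carry: external links are
    routed through the warning page with the target fully percent-encoded,
    everything else is emitted as a same-site link (colon encoded, as the
    write-up's responses show)."""
    if classifier(href):
        return "/external_redirect?href=" + quote(href, safe="")
    return quote(href, safe="/")


def decimal_to_dotted(value):
    """Decode a Long/Decimal IPv4 host (the form used in the write-up) to dotted
    quad, so a warning page can display the real destination to the user."""
    return str(ipaddress.IPv4Address(int(value)))


if __name__ == "__main__":
    for link in ("http://74.125.68.113", "http:google", "http:1249723505", "/reports/1"):
        print(f"{link!r:26} naive -> {rewrite_href(link, is_external_naive)}")
        print(f"{'':26} hardened -> {rewrite_href(link)}")
    print("1249723505 is", decimal_to_dotted("1249723505"))
```

The same classifier belongs on the /external_redirect endpoint itself, so that a target which reaches it by any other path is still shown to the user before leaving the site.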

Thanks for reading. Hope this will be helpful for you guys.
