Categories
Bug Bounty

External link warning page bypass in Zerocopter

Description:

zerocopter.com is a bug bounty platform for Ethical hackers just like Hackerone. In Zerocopter reports, users can use Markdown. Users are also allowed to give external links in reports. If a user clicks on the External link in reports then it takes the user to an external warning page like the below screenshot

Zerocopter external warning page
Zerocopter external warning page

But I was able to bypass the external warning page and redirect a user to an external link without any warning page by using Markdown

<http:1249723505> 
[Click Me](http:1249723505)

Note: In the above markdown 1249723505 this is the IP of google.com [ 74.125.68.113 ] converted into Long/Decimalusing this tool.

Reproduce
  • In a report I used [Click Me](http://google.com)</code> this markdown and the response was :
    <a href="/external_redirect?href=http%3A%2F%2Fgoogle.com" rel="noreferrer" target="_blank" title="">Click Me</a>
  • Then I used [Click Me](http://74.125.68.113) this markdown and the response was
    <a href="/external_redirect?href=http%3A%2F%2F74.125.68.113" rel="noreferrer" target="_blank" title="">Click Me</a>
  • Then I thought let’s mess up with the Protocol and changed the markdown to [Click Me](http:/google.com) and still no bypass.
  • Then I was about to use [Click Me](http:google.com) but I accidentally used [Click Me](http:google) where I forgot to give .com TLD at last in domain name in the markdown and I noticed a hope in response
    <a href="http%3Agoogle" rel="noreferrer" target="_blank" title="">Click Me</a>
  • By analyzing the behavior I got that if I use a domain name like http:google then I can bypass the external warning page. Then I remembered the IP Long/Decimal encode.
    So I used this tool to encode google.com IP to Long/Decimal** and the final markdown become [Click Me](http:1249723505) and bingo 😎

    <a href="http%3A1249723505" rel="noreferrer" target="_blank" title="">Click Me</a>
  • Now when a user will click on the link it will take the user directly to google.com instead of the external warning page. Then I reported this to Zerocopter on their responsible disclosure page and they fixed it and send me a Cool T-shirt and stickers as a reward.
Cool T-shirt and stickers as reward
Cool T-shirt and stickers as reward

Thanks for reading. Hope this will be helpful for you guys.