HackerOne: Interstitial redirect bypass / open redirect in https://hackerone.com/zendesk_session

2016-01-21T04:41:43
ID H1:111968
Type hackerone
Reporter zombiehelp54
Modified 2016-02-24T10:55:14

Description

Hi guys, I have found a way to use the open redirect vulnerability that Zendesk refused to fix (we discussed it in #101146) to bypass the interstitial redirect. In #101146, @bencode said:

> I tend to agree with Zendesk, we don't really see any security issues with it. We use our interstitial to warn the user and it's clear you are on a separate site.

Well, using this issue I could bypass the interstitial redirect.

PoC:

Clicking here will bypass the interstitial redirect and get you on evil.com

The link is https://hackerone.com/zendesk_session?locale_id=1&return_to=https://support.hackerone.com/ping/redirect_to_account?state=compayn:/ which is used to redirect in order to generate a Zendesk session. This can be fixed from your end by detecting /ping/redirect_to_account in the return_to parameter. Thanks
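The report's suggested fix is to reject a return_to value that points at the /ping/redirect_to_account redirector. The validator below is an added example written for this page; it is not HackerOne's or Zendesk's code. It treats the fix as one rule among several that a return_to parameter should pass: only http/https, only an absolute path or an allowlisted host (the allowlist here is an assumption), no embedded credentials, and no path that is itself a known redirector. It then extracts return_to from the report's PoC link and classifies it.

```python
from urllib.parse import urlsplit, parse_qs

# Assumed allowlist of hosts the session flow may send the browser back to
# (hypothetical; a real deployment would load this from configuration).
ALLOWED_RETURN_HOSTS = {"hackerone.com", "support.hackerone.com"}

# Paths on allowed hosts that redirect onward. The report's suggested fix is
# to refuse these as return_to targets; the path itself comes from the report.
REDIRECTOR_PATHS = {"/ping/redirect_to_account"}

# The PoC link from the report, used as sample input.
POC_LINK = ("https://hackerone.com/zendesk_session?locale_id=1"
            "&return_to=https://support.hackerone.com/ping/redirect_to_account?state=compayn:/")


def classify_return_to(value: str) -> str:
    """Return 'ok' if value is an acceptable return_to, else a rejection reason."""
    if not value:
        return "empty"
    parts = urlsplit(value)

    # Only web schemes; blocks javascript:, data:, custom app schemes, etc.
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return "bad-scheme"

    if parts.netloc == "":
        # Relative target: must be a plain absolute path. Reject protocol-relative
        # forms (//host) and backslash variants that browsers normalise to //.
        if not value.startswith("/") or value.startswith("//") or value.startswith("/\\"):
            return "not-absolute-path"
    else:
        # Absolute target: host must be allowlisted and carry no userinfo
        # (user@host tricks make the real host easy to misread).
        if parts.username is not None or parts.password is not None:
            return "userinfo"
        if parts.hostname not in ALLOWED_RETURN_HOSTS:
            return "external-host"

    # Nested redirector check: normalise case and trailing slash before comparing.
    path = parts.path.lower().rstrip("/") or "/"
    if path in REDIRECTOR_PATHS:
        return "nested-redirector"
    return "ok"


def is_safe_return_to(value: str) -> bool:
    return classify_return_to(value) == "ok"


def return_to_from_link(link: str) -> str:
    """Pull the raw return_to value out of a full zendesk_session link."""
    query = urlsplit(link).query
    return parse_qs(query, keep_blank_values=True).get("return_to", [""])[0]


if __name__ == "__main__":
    value = return_to_from_link(POC_LINK)
    print(value, "->", classify_return_to(value))   # -> nested-redirector
    for sample in ("/settings", "https://hackerone.com/settings",
                   "//evil.example/", "https://evil.example/", "javascript:alert(1)"):
        print(sample, "->", classify_return_to(sample))
```

The allowlist check alone would have accepted the PoC value, because support.hackerone.com is a legitimate host; it is the separate redirector-path rule that catches it, which is why both checks are kept.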