QIWI: [qiwi.com] Open Redirect

2014-12-03T20:25:50
ID H1:38157
Type hackerone
Reporter bobrov
Modified 2016-10-24T22:23:03

Description

PoC (Chrome): https://qiwi.com/main.action#/\google.com/

Vulnerable code fragment (from https://static.qiwi.com/js/qiwi_com/qiwi.min.js?v=3.3.9):

    if(this.wc.hash&&Aa(this.wc.hash,"#/"))return this.wc.href=this.wc.hash.substring(1).replace(/^\/+/,"/"),this;

The regex collapses only leading forward slashes, so a backslash after the first slash survives into location.href, where Chrome normalises "/\google.com/" to the scheme-relative "//google.com/".
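The hash-to-href normalisation above, reconstructed as a plain function next to a hardened version, as an added example (not code from the report or from QIWI); the site origin and function names are assumptions.

```javascript
// Reconstruction of the vulnerable logic from the minified snippet: strip the
// leading "#", collapse a run of leading forward slashes to one "/", and use
// the result as the new href. A backslash is not matched by /^\/+/, so
// "#/\google.com/" becomes "/\google.com/", which Chrome's URL parser treats
// like "//google.com/" (scheme-relative), i.e. an off-site redirect.
function vulnerableTarget(hash) {
  if (hash && hash.startsWith("#/")) {
    return hash.substring(1).replace(/^\/+/, "/");
  }
  return null;
}

// Hardened version: accept only a plain same-origin path. Any second "/" or
// "\" right after the first slash is rejected outright, and the candidate is
// then resolved with the WHATWG URL parser (which also folds "\" to "/") so
// the final origin check cannot be bypassed by alternative separators.
const SITE_ORIGIN = "https://qiwi.com"; // assumed origin for the example

function safeTarget(hash) {
  if (!hash || !hash.startsWith("#/")) return null;
  const candidate = hash.substring(1);
  if (/^\/[\\/]/.test(candidate)) return null; // "//host" or "/\host" forms
  let parsed;
  try {
    parsed = new URL(candidate, SITE_ORIGIN);
  } catch (e) {
    return null; // unparsable input is not a valid in-app route
  }
  if (parsed.origin !== SITE_ORIGIN) return null; // left the site: refuse
  return parsed.pathname + parsed.search + parsed.hash;
}

module.exports = { vulnerableTarget, safeTarget };
```

Note that the original regex does neutralise "#//google.com/" (the slashes collapse to one), which is why the report's PoC needs the backslash variant.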