Khan Academy: RTL override char allowed at https://www.khanacademy.org/computer-programming/link_redirector?url=*

2019-07-12T16:29:52
ID H1:641640
Type hackerone
Reporter red_assassin
Modified 2019-08-02T21:57:22

Description

Summary

An attacker can embed an RTLO character at the following URL https://www.khanacademy.org/computer-programming/link_redirector?url= to trick the user into downloading suspicious files.

Steps to reproduce

Additional Payloads

An attacker can even spoof the domain name by adding the following value to the url parameter: https://google.com@%E2%80%AE@moc.rettiwt {F527754} When the user clicks on the link, the user is redirected to https://moc.rettiwt/, which is a completely different host.

I have also tested some other malformed URLs which can fool users into redirecting to other hosts (different domain):

  • https://google.com@"twitter.com
  • https://google.com@'twitter.com
  • https://google.com@/twitter.com
  • https://google.com@'#twitter.com

Mitigation

Filter out all the unnecessary special symbols from the URL along with the RTLO char.

References

#299403 #298 RIGHT TO LEFT OVERRIDE

Impact

  • This can be used to spoof URLs on Khan Academy.
  • Can be used to fool users into downloading malicious files.
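A server-side check for the redirector's url parameter that implements the mitigation above, added here as an example and not Khan Academy's own code. The payloads are the ones quoted in the report; the function names, the rule that any Unicode format control character or userinfo ('@') in the authority is rejected, and the host character set are assumptions. It also computes the host a browser would actually connect to, so an interstitial page could display that instead of the spoofable raw string.

```python
"""Validate the target of a link redirector before following or displaying it.

Added example (not Khan Academy's code). Only the endpoint and parameter name
come from the report; the checks below are this example's own assumptions.
"""
import re
import unicodedata
from urllib.parse import unquote, urlsplit

# Unicode bidirectional controls. U+202E is the RIGHT-TO-LEFT OVERRIDE used in the
# report; the others are its siblings (embeddings, isolates, marks, ALM).
BIDI_CONTROLS = frozenset(
    "\u061c\u200e\u200f\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069"
)

# Assumption: ASCII hostnames only; an IDN must be IDNA-encoded before it gets here.
HOST_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)*$")

# Payloads quoted in the report (constructed list for demonstration).
REPORT_PAYLOADS = [
    "https://google.com@%E2%80%AE@moc.rettiwt",
    'https://google.com@"twitter.com',
    "https://google.com@'twitter.com",
    "https://google.com@/twitter.com",
    "https://google.com@'#twitter.com",
]


def effective_host(url: str):
    """Host the browser really connects to: the part of the authority after the last '@'.

    This is what an interstitial should show, not the raw url parameter, because the
    text before '@' (e.g. 'google.com') is userinfo and never contacted.
    """
    return urlsplit(url).hostname


def check_redirect_target(url: str):
    """Return None if `url` is acceptable as a redirect target, else a rejection reason."""
    # The report's payload is percent-encoded (%E2%80%AE), so inspect the decoded form.
    decoded = unquote(url)
    for ch in decoded:
        if ch in BIDI_CONTROLS or unicodedata.category(ch) == "Cf":
            return f"format/bidi control character U+{ord(ch):04X}"

    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return "scheme must be http or https"

    # 'google.com@moc.rettiwt' displays one host and visits another: refuse userinfo outright.
    if "@" in parts.netloc:
        return "userinfo ('@') in authority"

    host = parts.hostname
    if not host:
        return "missing host"
    # Quotes, slashes and other punctuation in the host are spoofing material, never valid.
    if not HOST_RE.match(host):
        return "invalid characters in host"
    return None


if __name__ == "__main__":
    for target in REPORT_PAYLOADS + ["https://www.google.com/search?q=khan"]:
        verdict = check_redirect_target(target)
        print(f"{target!r:50} -> host={effective_host(target)!r} "
              f"{'OK' if verdict is None else 'REJECT: ' + verdict}")
```

Run it and every payload from the report is rejected, the RTLO one with its code point named, while the percent-encoded payload's effective host comes out as moc.rettiwt, exactly the host the report says the victim lands on.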