InVision: open ███ect at https://projects.invisionapp.com

2015-06-06T02:41:46
ID H1:66239
Type hackerone
Reporter seifelsallamy
Modified 1970-01-01T00:00:00

Description

Hi guys,

Url: https://████?█████=
Vulnerable parameter: ████████

POC: go to https://████?█████=/%0a/example.com and log in; you will be ██████ected to https://example.com. This can be used by an attacker to ██████ect a user to unsafe pages, e.g. to a page that looks exactly like the InVision login page, and let them log in on a fake page to steal their email and password.

In hex, '%0a' means "Return". Another URL: https://████████?█████=/%0d/example.com ('%0d' can █████████ect to example.com too).

Thank you!
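The mechanism behind the two payloads in the report (%0a, line feed, and %0d, carriage return), shown as an added example that is not part of the report and not InVision's code. It assumes a redirect validator of the common "starts with a single slash, so it must be local" shape; the application's real check is not visible in the report, so that validator is a hypothetical reconstruction. The base URL is the one from the report title; function names and the sample payload list are my own. The key fact the example relies on is that the WHATWG URL parser (browsers, and Node's global URL) strips ASCII tab, LF and CR from its input before parsing, so a value that decodes to `/\n/example.com` is parsed as the scheme-relative `//example.com`.

```javascript
// Added example, not code from the InVision report or product.
// Shows why "/%0a/example.com" passes a naive local-path check but
// sends the browser to https://example.com/, and one hardened check.

const BASE = 'https://projects.invisionapp.com'; // origin from the report title

// Hypothetical weak validator: accept anything that starts with "/"
// but not "//", checked on the percent-decoded value. This is the
// kind of check the report's payload bypasses; the real one is unknown.
function naiveIsLocalRedirect(target) {
  const decoded = decodeURIComponent(target);
  return decoded.startsWith('/') && !decoded.startsWith('//');
}

// Where the browser actually lands. The WHATWG URL parser removes
// ASCII tab, LF and CR from its input before parsing, so
// "/\n/example.com" collapses to "//example.com", which resolves
// against the base as a scheme-relative URL to https://example.com/.
function resolveRedirect(target, base = BASE) {
  return new URL(decodeURIComponent(target), base).href;
}

// Hardened validator: reject control characters outright, resolve the
// value against the site's own origin, and require the resulting
// origin to match. Resolving first means backslashes, "//", and
// stripped whitespace are all judged by where they really lead.
function hardenedIsLocalRedirect(target, base = BASE) {
  let decoded;
  try {
    decoded = decodeURIComponent(target);
  } catch {
    return false; // malformed percent-encoding
  }
  if (/[\u0000-\u001f\u007f]/.test(decoded)) return false;
  let resolved;
  try {
    resolved = new URL(decoded, base);
  } catch {
    return false; // unparseable
  }
  return resolved.origin === new URL(base).origin;
}

// Final destination for the Location header: the validated target,
// or a safe on-site fallback when validation fails.
function safeRedirectTarget(target, base = BASE, fallback = '/') {
  return hardenedIsLocalRedirect(target, base)
    ? new URL(decodeURIComponent(target), base).href
    : new URL(fallback, base).href;
}

// Constructed inputs: the two payloads from the report plus two controls.
const PAYLOADS = ['/%0a/example.com', '/%0d/example.com', '/projects', '//example.com'];

for (const p of PAYLOADS) {
  console.log(
    JSON.stringify(p),
    'naive:', naiveIsLocalRedirect(p),
    'lands at:', resolveRedirect(p),
    'hardened:', hardenedIsLocalRedirect(p),
    'final:', safeRedirectTarget(p),
  );
}
```

Checking the prefix of the raw or decoded string is never enough on its own: the browser-side parser normalises the value after the check has run. Resolving against the expected origin and comparing `origin` (or, simpler still, allowing only an allow-list of known paths) makes the decision on the same view of the URL the browser will use.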