Open Redirection - QR Code Magic

Summary :

Open redirection vulnerabilities arise when an application incorporates user-controllable data into the target of a redirection in an unsafe way. By modifying untrusted URL input to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials.

The cybersecurity community doesn’t put enough emphasis on Open Redirect Vulnerabilities because it is considered a simple flaw commonly connected to phishing scams and social engineering.

Description :

I have found an Open Redirection vulnerability in one of the public program of YesWeHack but it went duplicate. The mobile application was using a QR Code scanner to track the consignments (check package details). After somewhat research I found a blog on how a QR Code functionality can be exploited. In the blog it was exploited to XSS but in my case I was only able to escalate it to an Open Redirection vulnerability.

Duplicate

QR Code Scanner Briefing :

A QR code scanner is an optical scanning device that is able to read QR codes. Now-a-days many applications are using this feature, so it can be used for browsing websites, checking address details, payments, adding users etc.

Many applications have restricted the use of this feature to limited things. For example, the QR Code Scanner is implemented in Google Pay so it will only be used for sending and receiving payments, you will not be able to use it to surf the internet and if this feature is implemented on any browser then you will be able to surf the internet and will not be able to make payments. In my case the company didn’t restrict the use of its functionality to only track consignments and that thing lead to Open Redirection vulnerability.

How I found this vulnerability ?

  1. I registered on the target’s android application
  2. Then I found the QR Code scanner feature
QR Code Scanner

3. I went to https://www.the-qrcode-generator.com/ to generate a custom QR Code for Open Redirection vulnerability

QR Code - Open Redirection

4. After generating the custom QR Code I scanned it with the scanner of target’s android application and it got redirected

Proof Of Concept (Use full screen to view) : https://drive.google.com/file/d/1eXUMu9ZzN9aAUJ8pEyMM5vZsn3wTJgnt/view?usp=sharing

Why this happen ?

In my opinion,

This happened due to no restriction on what to scan. The scan should have been restricted to only track consignments and not to scan URLs. The XSS did not happened because it was not supporting “javascript URI”.

Issue Escalations :

  1. Open Redirection
  2. XSS (https://payatu.com/blog/nikhil-mittal/firefox-ios-qr-code-reader-xss-%28cve-2019-17003%29)
  3. SQLi (https://www.irongeek.com/xss-sql-injection-fuzzing-barcode-generator.php)

Impact :

An attacker can exploit this kind of and can construct a URL within the application that causes a redirection to an arbitrary external domain. This behavior can be leveraged to facilitate phishing attacks against users of the application.

Mitigation :

A proper fix would be having there company’s symbol in the QR Code just like WhatsApp and Instagram has it, so it will not scan any customize QR Code. Moving forward for another fix would be restricting the scan to its function only (track consignments in my case).

--

--

--

|Penetration Tester| |Hack The Box| |Digital Forensics| |Malware Analysis|

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

{UPDATE} Here Kitty! Hack Free Resources Generator

More reasons you can trust Firefox with your passwords

The importance of decentralization and freedom #MainframeForFreedom

Making the cyber world a safer and better place: an interview with W1ntermute

How Can Metadium Help Protect Our Personal Information?

The Easy Way to Share Passwords Securely

Announcement of NFT Mint

Ransomware with Python

Rapid7.com

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Jerry Shah (Jerry)

Jerry Shah (Jerry)

|Penetration Tester| |Hack The Box| |Digital Forensics| |Malware Analysis|

More from Medium

SQL Injection - The File Upload Playground

Research on XML eXternal Entity Injection (XXE)-Cyber Sapiens Internship Task-10

Exploiting XSS to Steal Cookies (Portswigger Web Security Academy)

XSS Attacks