Open Redirect at Nvidia
Hi everyone, I’m Mohamed Abdelhady.
First, I’m going to explain what an open redirect is.
You may already know what an open redirect is. For anyone who doesn’t: it is when a remote attacker can set an arbitrary value as the redirect destination. For example:
https://domain.com/any_endpoint?redirectUrl=https://app.domain.com
This ends up redirecting to app.domain.com. But what if someone changes this URL to the following:
https://domain.com/any_endpoint?redirectUrl=https://evil.com
That will redirect to evil.com.
The Nvidia bug is similar to the previous example:
https://subdomain.nvidia.com/PATH?vuln-paramter=https://subdomain.nvidia.com/
At first I found a URL parameter that redirects to another Nvidia subdomain. So I tried to change the subdomain to xthemo.com and it worked:
https://subdomain.nvidia.com/PATH?vuln-paramter=https://xthemo.com/
Then I tried to check if I could escalate it to:
1-SSRF
I put in my Burp Collaborator URL and clicked the “Poll now” button. If the response was 200, then it would be SSRF, but unfortunately I found the response was 302, which means the Nvidia website just redirects.
https://subdomain.nvidia.com/PATH?vuln-paramter=https://burp-collaborator.net
2-XSS
I tried to inject an XSS payload like javascript:alert() and its bypasses, but it didn’t work.
https://subdomain.nvidia.com/PATH?vuln-paramter=javascript:alert()
3-LFI
I tried to read internal files like the hosts file using ?vuln-URL=C:/WINDOWS/System32/drivers/etc/hosts and an LFI word list, but unfortunately it didn’t return any content.
https://subdomain.nvidia.com/PATH?vuln-paramter=C:/WINDOWS/System32/drivers/etc/hosts
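On the fix side, here is an added example (not part of the original post, and not Nvidia's code) of a server-side check for a redirect parameter that rejects each kind of value tried above. The allowlisted hosts, the fallback path and the function name are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumed allowlist for this sketch: exact hosts the app may redirect to.
ALLOWED_HOSTS = {"domain.com", "app.domain.com"}
FALLBACK = "/"  # assumed safe landing page when the target is rejected


def safe_redirect_target(raw, allowed_hosts=ALLOWED_HOSTS, fallback=FALLBACK):
    """Return raw if it is an acceptable redirect destination, else fallback."""
    if not raw or any(ord(c) < 0x20 or c == "\\" for c in raw):
        # Control characters and backslashes are normalised differently by
        # browsers and by server-side parsers, so reject them outright.
        return fallback
    try:
        parts = urlsplit(raw)
    except ValueError:
        return fallback
    if not parts.scheme and not parts.netloc:
        # Relative target: allow a single leading slash only, never "//host".
        ok = raw.startswith("/") and not raw.startswith("//")
        return raw if ok else fallback
    if parts.scheme != "https":
        # Rejects javascript:, data:, file: and "C:/..." (parsed as scheme "c").
        return fallback
    if parts.username or parts.password:
        # Rejects https://app.domain.com@evil.com/ style userinfo tricks.
        return fallback
    host = (parts.hostname or "").lower().rstrip(".")
    # Exact match, so app.domain.com.evil.com does not pass.
    return raw if host in allowed_hosts else fallback


# Constructed sample values modelled on the URLs in the post.
SAMPLES = [
    "https://app.domain.com",
    "https://evil.com",
    "javascript:alert()",
    "C:/WINDOWS/System32/drivers/etc/hosts",
    "//evil.com/",
    "https://app.domain.com@evil.com/",
]

if __name__ == "__main__":
    for value in SAMPLES:
        print(f"{value!r:45} -> {safe_redirect_target(value)!r}")
```

The check compares the parsed hostname against exact entries instead of testing whether the string starts with or contains a trusted domain, which is what lets lookalike hosts through.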