Exploit DOM Based Open Redirection at IHA089 Labs

Hey, ready to tackle some client-side hacking? The DOM Based Open Redirection lab is calling, and it’s a fun one! This lab has an open redirection flaw on pages like /dashboard.html or /profile.html, and your mission is to exploit it to redirect users straight to any website (e.g. google.com). Since this is a DOM-based vuln, the action is all in the browser’s JavaScript, which makes it a blast to mess with.

What’s the Lab All About?

The DOM Based Open Redirection lab sets you up with a classic client-side challenge. On pages like /dashboard.html or /profile.html, there’s a JavaScript script that grabs a URL from the query string and tries to redirect the user there. The catch is, it’s supposed to check if the URL’s safe, but it’s not doing it right, leaving us a gap to sneak through. Your goal is to redirect users to google.com by playing with the URL in the browser.

To get started, head to /dashboard.html?next=https://example.com in your browser. You’ll likely see an error in the console saying something like “Invalid redirection URL detected. Redirect aborted.” That’s the script telling you it didn’t like your URL. Try the same thing on /profile.html?next=https://example.com to see if it behaves the same way. The DOM Based Open Redirection lab is all about figuring out how to bypass that check and land on google.com, so let’s dig into the code to see what’s up.

Here’s the lab lowdown:

  • Category: Open Redirection
  • Challenge: DOM Based Open Redirection
  • Goal: An open redirection is present on /dashboard.html or /profile.html; exploit it to redirect the user to any website
  • Setup: A browser-based login system with a redirection flaw

Digging into the JavaScript to Spot the Flaw

Since this is a DOM-based vuln, the key to cracking the DOM Based Open Redirection lab is in the JavaScript running on the page. Right-click on /dashboard.html, hit “Inspect,” and jump to the Sources tab—or just view the page source—to find the JS code. You’ll see a script that listens for the DOMContentLoaded event, pulls the next parameter from the URL’s query string (like ?next=https://example.com), and checks if it starts with an “allowed” domain, iha089-labs.in. If it matches, it redirects with window.location.href = nextURL; if not, it logs that error we saw.

Here’s where it gets juicy: the script uses nextURL.startsWith(allowedDomain) to check the URL, but startsWith only looks at the beginning of the string. That’s our way in! If we can make our next value look like it starts with iha089-labs.in but actually point to google.com, we’ll bypass the check and win the DOM Based Open Redirection lab. Let’s craft some payloads to make that happen.

Crafting Payloads to Redirect

Time to get hands-on and exploit the DOM Based Open Redirection lab to hit any website (e.g. google.com). Here’s how to test payloads and work your way to victory:

1. Start with the Basics

First, let’s try a simple redirect: /dashboard.html?next=https://google.com. The script will probably block it, showing that “Invalid redirection URL detected” error in the console since https://google.com doesn’t start with iha089-labs.in. Test the same on /profile.html?next=https://google.com to confirm the behavior. This tells us we need to get sneaky to get past the domain check.

2. Fool the Domain Check

Think about that startsWith check—it’s only looking at the start of the URL. What if we make our next value look like it begins with the allowed domain, but sneaks google.com in later? You’ll need to play with the URL structure to trick the script. Try something that starts with iha089-labs.in but ends up pointing to google.com. (I won’t spill the exact payload, bro, but think about how URLs can be formatted to mislead the script—maybe play with separators or characters that confuse the parser.)

3. Get Sneaky with Encoding

Encoding can be a game-changer in the DOM Based Open Redirection lab. Try encoding parts of your URL to mess with the script’s logic. For example, encode a slash (/) as %2F in your payload, like next=https://iha089-labs.in%2Fgoogle.com, to see if the script gets tripped up and redirects to google.com. You can also go for double encoding—like next=https://iha089-labs.in%252Fgoogle.com—to test if the script decodes it wrong and lets you through. Keep playing with encoding until you hit that Google redirect.

4. Try Some Weird URL Schemes

Since this is DOM-based, let’s test some oddball schemes to see what the script does. Use /dashboard.html?next=javascript:alert('yo') to check if the script lets you run a script (it might block this, but it’s worth a try). Or throw in a data: URL, like /profile.html?next=data:text/html;base64,PGh0bWw+PHNjcmlwdD5hbGVydCgnSGV5Jyk8L3NjcmlwdD48L2h0bWw+, to see if you can sneak in some HTML. These might not get you to any website, but they’ll help you understand how the script handles weird inputs in the DOM Based Open Redirection lab.

5. Test More URL Tricks

Don’t stop there—try adding query strings or fragments to your payload, like /dashboard.html?next=https://iha089-labs.in?redirect=google.com or /profile.html?next=https://iha089-labs.in#google.com. These might not work, but they’ll show you how the script parses extra URL parts. The key is to experiment with anything that might let google.com sneak through while looking “safe” to the script.
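As an added example (not the lab’s own script), here is the startsWith-style check the post describes, side by side with a hardened validator that parses the URL the way the browser will and then checks the resulting scheme and hostname. The exact allowedDomain value in the lab script is not shown on the page, so "https://iha089-labs.in" is assumed, and DEFAULT_BASE stands in for location.origin so the check can run outside a browser.

```javascript
// Added example, not the lab's own code. Assumed: the lab's allowed prefix is
// "https://iha089-labs.in" and the page runs on that origin.
const ALLOWED_HOSTS = new Set(["iha089-labs.in"]);
const DEFAULT_BASE = "https://iha089-labs.in"; // stands in for location.origin

// Weak check, as the post describes it: only the start of the raw string is inspected,
// so anything that merely begins with the allowed prefix passes.
function weakCheck(nextURL, allowedDomain = "https://iha089-labs.in") {
  return nextURL.startsWith(allowedDomain);
}

// Hardened check: let the URL parser resolve the value first (relative paths against
// the page origin, malformed input throws), then validate scheme and exact hostname.
function isSafeRedirect(nextURL, base = DEFAULT_BASE) {
  let url;
  try {
    url = new URL(nextURL, base);
  } catch {
    return false; // unparseable, e.g. percent-encoded junk inside the host
  }
  if (url.protocol !== "https:") return false; // rules out javascript: and data: schemes
  return ALLOWED_HOSTS.has(url.hostname); // exact host match, not a prefix match
}

// Redirect wrapper a page would call on DOMContentLoaded. `win` is the window object
// (passed in so the logic can be exercised with a stand-in outside a browser).
function safeRedirect(params, win) {
  const next = params.get("next");
  if (next === null) return null;
  if (!isSafeRedirect(next, win.location.origin)) {
    console.error("Invalid redirection URL detected. Redirect aborted.");
    return null;
  }
  const target = new URL(next, win.location.origin).href;
  win.location.href = target;
  return target;
}

// Runs both checks over a list of candidate `next` values (inputs are constructed).
function compare(inputs) {
  return inputs.map((next) => ({ next, weak: weakCheck(next), safe: isSafeRedirect(next) }));
}
```

Feeding the post’s own test values through compare() shows where the two checks disagree: the prefix check accepts any string that happens to start with the allowed text, while the parsed check only accepts values whose hostname is really iha089-labs.in over https.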

Tips

To master the DOM Based Open Redirection lab and nail that redirect to any website, here’s how to stay sharp:

  • Keep Digging in the JS: Go back to the script whenever you’re stuck. Look for any other checks or quirks in how it handles the next parameter. That startsWith method is your main target, so focus on tricking it.
  • Write Down Your Payloads: Jot down every payload you try, like /dashboard.html?next=https://iha089-labs.in-something, and note what happens. Did it redirect? Did it error? This helps you figure out what’s working.
  • Think Like a Hacker: The script’s check is pretty basic, so get creative. Play with URL structures, separators, subdomains, or special characters to make your payload look legit while pointing to any website (google.com).

Keep at it, and you’ll crack that redirect before you know it.

The DOM Based Open Redirection lab is a killer way to get better at client-side hacking. By digging into the JavaScript on /dashboard.html or /profile.html, crafting tricky payloads, and experimenting with encodings and URL structures, you’ll figure out how to redirect users to any website. It’s all about outsmarting that startsWith check in the JS—get sneaky, and you’ll nail it! Jump into the DOM Based Open Redirection lab, mess around with some wild payloads, and level up your skills. Happy hacking, bro!
