ID: 248 | Status: Closed | Summary: DOM-based Open Redirection on www.alwaysdata.com | Opened by: Deepak7740

Task Description

Summary

A DOM-based Open Redirection vulnerability was identified on the target application. The issue allows an attacker to manipulate client-side JavaScript to redirect users to arbitrary external domains. This can be exploited for phishing, social engineering, or chaining into more severe attacks.

Affected URL https://www.alwaysdata.com%2f@evil.com/

Steps to Reproduce
Navigate to the following crafted URL:
https://www.alwaysdata.com%2f@evil.com/

Observe that the application’s client-side code interprets the encoded path (%2f) and @evil.com portion incorrectly.
The browser resolves the URL in a way that causes redirection to the attacker-controlled domain (evil.com).
This behavior occurs without server-side validation, indicating a DOM-based flaw.

Impact

Phishing attacks: Users can be tricked into believing they are visiting a trusted domain (www.alwaysdata.com) but are redirected to a malicious site.
Session hijacking: If combined with other vulnerabilities (e.g., cookie theft, XSS), attackers can escalate impact.
Reputation damage: Users may lose trust in the brand if exploited in phishing campaigns.

Recommended Fix

Implement strict validation and sanitization of client-side URL parameters.
Use a whitelist of allowed redirect domains.
Encode and validate user-controlled input before processing in JavaScript.
Avoid relying on DOM methods (location, document.URL, etc.) without proper sanitization.
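
Added example, not part of the original report or of alwaysdata's own code: it shows how a WHATWG URL parser (Node's built-in URL class, which follows the same standard browsers use) splits the crafted URL from the report, and places a naive string-prefix check beside a redirect-target check that validates the parsed hostname against an allow-list, as the recommended fix suggests. The allow-list, the site origin constant and the sample targets are assumptions made for this example.

```javascript
// Added example; ALLOWED_HOSTS, SITE_ORIGIN and the sample targets are assumptions.
// Node's global URL implements the WHATWG URL Standard, the same parser browsers use.

const ALLOWED_HOSTS = new Set(['www.alwaysdata.com', 'alwaysdata.com']); // assumed allow-list
const SITE_ORIGIN = 'https://www.alwaysdata.com/';                        // assumed site root

// Naive check a developer might write: "does the target start with our domain?"
// It accepts the crafted URL because the string genuinely begins that way.
function naiveStartsWithCheck(target) {
  return target.startsWith('https://www.alwaysdata.com');
}

// Parse the target the way the browser will, relative to the site origin, and
// return the components that matter for a redirect decision. In the crafted URL
// everything before '@' (www.alwaysdata.com%2f) becomes userinfo and the host is evil.com.
function parseTarget(target, base = SITE_ORIGIN) {
  try {
    const u = new URL(target, base);
    return {
      ok: true,
      protocol: u.protocol,
      username: u.username,
      password: u.password,
      hostname: u.hostname.toLowerCase(),
      href: u.href,
    };
  } catch (err) {
    return { ok: false, error: err.message };
  }
}

// Allow-list check on the parsed hostname. Rejects:
//  - targets the parser cannot handle
//  - non-https targets (javascript:, data:, http:)
//  - any target carrying userinfo, which is the "trusted.host@evil.com" trick
//  - hostnames that are not exactly on the allow-list (so www.alwaysdata.com.evil.com fails)
function isSafeRedirect(target, allowedHosts = ALLOWED_HOSTS, base = SITE_ORIGIN) {
  const p = parseTarget(target, base);
  if (!p.ok) return false;
  if (p.protocol !== 'https:') return false;
  if (p.username !== '' || p.password !== '') return false;
  return allowedHosts.has(p.hostname);
}

// Redirect helper: only the parsed, validated href is used, never the raw input.
// Anything that fails the check falls back to the site root.
function resolveRedirect(target) {
  return isSafeRedirect(target) ? parseTarget(target).href : SITE_ORIGIN;
}

// Constructed sample targets for the demonstration.
const SAMPLE_TARGETS = [
  'https://www.alwaysdata.com%2f@evil.com/',   // the crafted URL from the report
  '/dashboard?tab=1',                           // relative path, resolves on the site
  '//evil.com/',                                // protocol-relative, different host
  'https://www.alwaysdata.com.evil.com/',       // allow-listed name as a subdomain of evil.com
  'https:\\\\evil.com/',                        // backslashes, normalised to slashes by the parser
  'javascript:alert(1)',                        // non-https scheme
];

function demo() {
  return SAMPLE_TARGETS.map((t) => ({
    target: t,
    parsedHost: parseTarget(t).hostname,
    naive: naiveStartsWithCheck(t),
    safe: isSafeRedirect(t),
    redirectTo: resolveRedirect(t),
  }));
}

console.table(demo());
```

The contrast the table makes visible: the naive prefix check passes the crafted URL while the parsed hostname is evil.com, and the allow-list check rejects it both because the host is not listed and because the URL carries userinfo. Comparing the parsed hostname, not the raw string, is what the "whitelist of allowed redirect domains" in the recommended fix has to mean in practice.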
