
Re: Submissions for chase.com and mcafee.com

Posted: Tue Jan 05, 2016 11:49 am
by Lewis
Spam404Online wrote:
x1admin wrote: If redirect via JS we accept XSS
Interesting though since it's arguably not an XSS vulnerability on the website.

I see it as misinformation, in fact, as reporting the vulnerability to the website owner would trigger them to patch the open redirect vulnerability.
As long as you can redirect it to a URI instead of an actual website, I'd class this as XSS. There's a reason Google hasn't patched the open redirect vulns on their site, because it doesn't allow a redirect to data: or a javascript: URL.

Re: Submissions for chase.com and mcafee.com

Posted: Tue Jan 05, 2016 2:05 pm
by ret2libc
Spam404Online wrote:
x1admin wrote: If redirect via JS we accept XSS
Interesting though since it's arguably not an XSS vulnerability on the website.

I see it as misinformation, in fact, as reporting the vulnerability to the website owner would trigger them to patch the open redirect vulnerability.
OWASP considers it as XSS.
Also, you're saying this like it's a bad thing that someone would be prompted to patch an open redirect.

Re: Submissions for chase.com and mcafee.com

Posted: Tue Jan 05, 2016 2:08 pm
by ret2libc

Re: Submissions for chase.com and mcafee.com

Posted: Tue Jan 05, 2016 5:57 pm
by Spam404Online
Lewis wrote: As long as you can redirect it to a URI instead of an actual website, I'd class this as XSS. There's a reason Google hasn't patched the open redirect vulns on their site, because it doesn't allow a redirect to data: or a javascript: URL.
That's a good example with Google. I guess I see why they're considered XSS :)

ret2libc wrote: OWASP considers it as XSS.
Also, you're saying this like it's a bad thing that someone would be prompted to patch an open redirect.
That's not what I'm saying. I simply meant if the open redirects were patched with validation etc., it would inadvertently patch the XSS vulnerability too :)

But, thanks for sharing the OWASP links and like I said to Lewis, I can now see why they're considered XSS. I'm fairly new to app sec so discussions like this are very beneficial for me!
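
Added example, not part of any post in this thread and not code from any site discussed: a redirect-target check of the kind the thread calls "validation", showing how one check rejects both the javascript:/data: case (the XSS class) and the off-site case (plain open redirect). The host name, allowlist and function name are assumptions made up for the illustration.

```javascript
// Hypothetical site origin and allowlist (constructed for this example).
const SITE_BASE = "https://www.example.test/";
const ALLOWED_HOSTS = new Set(["www.example.test"]);

// Classify a user-supplied redirect target before it is ever assigned to
// location.href. Parsing with the URL class (instead of checking string
// prefixes) matters: the parser lowercases the scheme and strips leading
// spaces and embedded tabs/newlines, so "JaVaScRiPt:" and "java\tscript:"
// are seen as what the browser would actually navigate to.
function classifyRedirectTarget(raw) {
  let url;
  try {
    url = new URL(raw, SITE_BASE); // relative paths resolve against the site
  } catch {
    return { verdict: "reject", cls: "unparseable" };
  }
  // Anything other than http(s) can execute script or render attacker
  // content in the redirecting page's context: the case the thread
  // classes as XSS.
  if (url.protocol !== "https:" && url.protocol !== "http:") {
    return { verdict: "reject", cls: "xss-capable-scheme", scheme: url.protocol };
  }
  // A web URL on a foreign host is the plain open redirect, including the
  // protocol-relative form "//host/".
  if (!ALLOWED_HOSTS.has(url.hostname)) {
    return { verdict: "reject", cls: "open-redirect", host: url.hostname };
  }
  return { verdict: "allow", href: url.href };
}

// Constructed sample inputs.
const samples = [
  "/account/home",
  "https://www.example.test/help",
  "javascript:void(0)",
  " JaVaScRiPt:void(0)",
  "java\tscript:void(0)",
  "data:text/html,hello",
  "//other.example/",
  "https://other.example/login",
];
for (const s of samples) {
  console.log(JSON.stringify(s), "->", JSON.stringify(classifyRedirectTarget(s)));
}
```
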