Open Redirect #10319
Labels
Comments
|
This was previously reported in #9992 and it was resolved upstream in |
|
Ah nice to know thanks. I didn't find 9992, sorry for the dupe. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
I think there's an open redirect vulnerability in nuxt.js.
As proof of concept you can use (almost) any nuxt based site, just run $nuxt._router.push("///aaa") in the console.
This manifests as httpx://legitdomain.tld///maliciousdomain.tld redirecting to httpx://maliciousdomain.tld in many nuxt.js based websites.
This kind of client side open redirect is almost only useful for phishing.
Imagine users of a bank get phishing mails with very convincing links like
httpx://legit-domain-of-bank-that-uses-nuxt.com///secure-bank-customer-login.ooo
Some users might enter their bank details at httpx://secure-bank-customer-login.ooo which is not the original domain.
I am not familiar with Nuxt that much, but I believe that by default domain///anotherdomain works.
What always seems to work is getting /// into the nuxt router through the websites custom code.
I'm sorry that I have to report this publicly, but I have written 3 mails and didn't get a response for ~8 weeks.
Steps to reproduce
Visit httpx://legitdomain.tld///maliciousdomain.tld
What is Expected?
Normalization to httpx://legitdomain.tld/maliciousdomain.tld
What is actually happening?
Redirection to //maliciousdomain.tld
The text was updated successfully, but these errors were encountered: