Summary
redirect_url is treated as safe when url.Parse(...).IsAbs() is false. Protocol-relative URLs like //ikotaslabs.com have an empty scheme and pass that check, allowing post-login redirects to attacker-controlled sites.
Details
url.Parse("//ikotaslabs.com") => empty Scheme, Host="ikotaslabs.com".IsAbs() returns false for //ikotaslabs.com, so the code treats it as allowed.- Browser resolves
//ikotaslabs.com to current-origin scheme (e.g. https://ikotaslabs.com), enabling phishing flows after login.
PoC
- Send or visit:
http://localhost/login?redirect_url=//ikotaslabs.com
- Complete normal login flow.
- After login the app redirects to
https://ikotaslabs.com (or http:// depending on origin).
Acknowledgements
This vulnerability was discovered using the automated vulnerability analysis tools VulScribe and PwnML.
The research and tool development were conducted with support from the MITOU Advanced Program (未踏アドバンスト事業),
administered by the Information-technology Promotion Agency (IPA), Japan.
satoki Reporter
Summary
redirect_urlis treated as safe whenurl.Parse(...).IsAbs()is false. Protocol-relative URLs like//ikotaslabs.comhave an empty scheme and pass that check, allowing post-login redirects to attacker-controlled sites.Details
url.Parse("//ikotaslabs.com")=> empty Scheme, Host="ikotaslabs.com".IsAbs()returns false for//ikotaslabs.com, so the code treats it as allowed.//ikotaslabs.comto current-origin scheme (e.g.https://ikotaslabs.com), enabling phishing flows after login.PoC
http://localhost/login?redirect_url=//ikotaslabs.comhttps://ikotaslabs.com(orhttp://depending on origin).Acknowledgements
This vulnerability was discovered using the automated vulnerability analysis tools VulScribe and PwnML.
The research and tool development were conducted with support from the MITOU Advanced Program (未踏アドバンスト事業),
administered by the Information-technology Promotion Agency (IPA), Japan.