I believe I may have stumbled upon something juicy, I just don’t know how to exploit it further. When going to “subdomain.domain.com”, if you place a “.” at the end of the domain, I noticed it redirects you to “otherdomain.com”. I tried various methods to redirect it to a domain of my choosing, but all attempts failed. I continued playing around with the request in Burp and noticed something interesting:
GET /embeddable_blip?type=userAction&data=largebase64string HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept-Encoding: gzip, deflate
When you decode the base64 string in the “data=” parameter, it’s serialized data as follows:
This is definitely over my head as a beginner and I honestly don’t know if this is normal behavior. If so, feel free to laugh. I tried messing with the “url” and “args” options in the serialized data, re-encoding and replaying the request, but nothing is happening. I thought of Open Redirects and possibly RCE. I think I just may have thought in my mind that there may be something juicy, but I’m honestly not sure at this point. Either way, thank you for any points in the right direction!