senate.gov open redirect vulnerability poc 2

Hello folks! Today I want to share with you an open redirect vulnerability on the official senate.gov site. This is actually a very basic example of an open redirect vulnerability.

The open redirect lets anyone craft a link that lives on the official US Senate domain but forwards the visitor to an arbitrary external site, which makes the site useful to phishing campaigns: the victim sees a trusted senate.gov URL and lands on an attacker-controlled page.

Details of senate.gov open redirect vulnerability

There is actually not much technical detail to discuss. This is a very simple open redirect issue on a very important website of the US Government.

iqClickTrk.aspx takes a parameter called redirect, reads a URL from it, and redirects directly to that URL without validating it (no allowlist of permitted hosts, no check that the target stays on senate.gov).

PoC : https://outreach.senate.gov/iqextranet/iqClickTrk.aspx?redirect=https://mustafakemalcan.com
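To make the difference concrete, here is an added Python model of the behaviour described above beside a hardened version. This is example code written for this post, not the senate.gov application (whose source is not public); the host names, the allowlist and the sample inputs are constructed assumptions. The hardened version resolves the parameter against the site's own origin before checking the host, so the usual bypasses of a naive "starts with /" check (protocol-relative `//evil`, backslash variants, userinfo tricks, `javascript:` schemes) all fall back to a safe default.

```python
from urllib.parse import urljoin, urlsplit

# Assumptions for this example: the host the redirect endpoint is served from
# and the hosts a redirect is allowed to land on. Both are constructed here.
APP_HOST = "outreach.senate.gov"
ALLOWED_HOSTS = {APP_HOST, "www.senate.gov"}


def vulnerable_redirect(redirect_param: str) -> str:
    """Model of the behaviour described for iqClickTrk.aspx: whatever the
    `redirect` parameter carries becomes the Location header, unchecked."""
    return redirect_param


def safe_redirect(redirect_param: str, fallback: str = "/") -> str:
    """Return a Location value that is guaranteed to stay on allowlisted hosts.

    Strategy: resolve the parameter relative to the application's own origin
    (the way a browser would), then accept the result only if its scheme is
    http(s) and its host is on the allowlist. Resolving first is what defeats
    '//evil.example', '/\\evil.example' and 'https://good@evil.example'.
    """
    if not redirect_param:
        return fallback
    # Browsers treat backslashes in the authority like forward slashes;
    # normalise so urlsplit sees the same URL the browser will.
    candidate = redirect_param.replace("\\", "/")
    resolved = urljoin(f"https://{APP_HOST}/", candidate)
    parts = urlsplit(resolved)
    if parts.scheme not in ("http", "https"):
        return fallback  # javascript:, data:, etc.
    # .hostname strips userinfo and port, so 'good@evil.example' yields 'evil.example'
    if (parts.hostname or "").lower() not in ALLOWED_HOSTS:
        return fallback
    return resolved


if __name__ == "__main__":
    # Constructed inputs: the PoC-style external target plus common bypass shapes.
    samples = [
        "https://mustafakemalcan.com",
        "//evil.example/x",
        "/\\evil.example",
        "https://outreach.senate.gov@evil.example/",
        "javascript:alert(1)",
        "/account/settings",
        "https://www.senate.gov/senators",
    ]
    for s in samples:
        print(f"{s!r:50} vulnerable -> {vulnerable_redirect(s)!r:45} safe -> {safe_redirect(s)!r}")
```

The allowlist approach is deliberately stricter than "reject anything that does not start with a slash": it also handles absolute URLs that legitimately point at other senate.gov hosts, and a lookalike such as `outreach.senate.gov.evil.example` is rejected because the host must match an allowlist entry exactly rather than merely start with it.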

I tried to contact the webmaster(?), but he/she did not give me any kind of response. The webmaster did not patch the issue, though.

02.07.2019 – I sent the first email but got no response.

02.16.2019 – I sent the second email but got no response.

02.26.2019 – I sent the third email but still got no response.

04.09.2019 – Disclosure date.