How I found Open Redirect on Hashnode.com

Good day to all Bug Hunters again. I'm Jefferson Gonzales, and today I will share my findings on Hashnode.com.

On July 30 my friend Shuvam Adhikari posted a writeup on how he got swag from Hashnode.com, so after reading his writeup I also tried hunting on Hashnode.com and found an Open Redirect vulnerability.

When I logged in to Hashnode.com I found this parameter:

https://hashnode.com/login?next=/settings

When I logged in to my account it redirected me to:

https://hashnode.com/settings

Then I changed the value of the ?next= parameter to http://google.com:

https://hashnode.com/login?next=http://google.com

Then I logged in to my account again and it redirected me to Google.com, which confirms that it is vulnerable to Open Redirect. But I had a problem: only google.com, github.com and facebook.com worked in the redirection; if you put other domains it would not redirect. I found a way to bypass it using a \\ double backslash:

https://hashnode.com/login?next=\\evil.com

When I logged in to my account it redirected me to evil.com, successfully bypassing the filter.
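To show why the double-backslash works and how a defender closes it, here is an added example (my own illustration, not Hashnode's code): a guessed shape of a weak `next` validator that host-checks absolute URLs but trusts everything else as a relative path, beside a hardened version that resolves the value the way a browser does before deciding. The site origin and the three allowlisted hosts are taken from this post; the weak check's structure is an assumption.

```javascript
// Added example, not Hashnode's implementation.
const SITE_ORIGIN = "https://hashnode.com";                     // from the post
const ALLOWED_HOSTS = new Set(["google.com", "github.com", "facebook.com"]); // from the post

// Weak check (assumed shape, for illustration only): absolute http(s) URLs are
// host-checked, anything else is passed through as a "relative path".
// A browser resolves "\\evil.com" against the page origin as "//evil.com",
// so the allowlist is never consulted for it.
function weakNext(next) {
  if (/^https?:\/\//i.test(next)) {
    const host = new URL(next).hostname;
    return ALLOWED_HOSTS.has(host) ? next : "/";
  }
  return next; // trusts "relative" input verbatim
}

// Hardened check: resolve exactly as a browser would (WHATWG URL parsing,
// where "\" is treated as "/" for http/https), then decide on the resolved
// URL rather than on the raw string.
function safeNext(next) {
  let url;
  try {
    url = new URL(next, SITE_ORIGIN);
  } catch {
    return "/"; // unparseable input falls back to the site root
  }
  const sameSite = url.origin === SITE_ORIGIN;
  const allowed = /^https?:$/.test(url.protocol) && ALLOWED_HOSTS.has(url.hostname);
  return sameSite || allowed ? url.href : "/";
}

// Where a Location value would actually land when the browser resolves it
// against the site origin.
function resolvedTarget(location) {
  return new URL(location, SITE_ORIGIN).href;
}
```

The weak validator returns `\\evil.com` untouched, which the browser then resolves to `https://evil.com/`; the hardened one sees the resolved host and falls back to `/`.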

Hashnode Appreciation: