Hello. This finding was closely related to the https://hackerone.com/reports/214620 , but used the flaw in the URL parsing on the CloudFlare error page.

Maybe this finding does not worth a blog post, but it was not disclosed, and I need some practice in the blogging:)

So I found this curious bug when researching domain hacker.one
When the host, connected to Cloudflare, is offline or experiencing connection timeout, default Cloudflare page is shown.

However, if the link has the next format: http[s]://host//malicious_host – it will be shown on the page as (example):

This page (https://hacker.one//google.com) is currently offline.

But when the user will click this link – he will be redirected to the host google.com instead original hacker.one

Why did that happen?
The generated link takes to the href tag the second part of the URL (query):

http[s]://[host]/[query]

transforms to:

<a href="/[query]" ...

So, if the [query] has / in the beginning, we will get redirected to another host.

So far it is affecting all CloudFlare users, who have for some reasons «Connection timed out» page on their website, it could be a problem.

So, how this can be exploited? Obviously, we have Unvalidated Redirect with user interaction (user must click the link), which itself has a very low impact. But, it could be very useful in the oauth bypasses, when the attacker is able to use such URL as redirect_uri – in this case, code or token will be appended to the URL:

https://example.com//attacker.com?token=xxxx

=>

//attacker.com?token=xxxx

CloudFlare fixed this bug by implementing URL normalization.

Timeline:

• Apr 7, 2016 – initial discovery, report through HackerOne
• Apr 26, 2016 – issue was fixed by CloudFlare