Wednesday 5 July 2017

Dropbox open redirect - Misconfigured Regex

Reading Geekboy's blog post reminded me of a similar issue (similar in its cause) which I found at Dropbox.

The bug which I found was an open redirect at .

Note that:

  • Changing "cont" with any domain didn't work.

I then checked with, and it worked.

So what could be the root cause of this bug?

The only possible cause I can think of is a misconfigured regex.
For the sake of better understanding, let's consider a simple vulnerable regex:
  • This /dropbox\.com$/ regex is anchored only at the end, so it will always return true for every domain that ends in dropbox.com, with #{anything} in front of it.
  • In Geekboy's case, the regex could be similar to this one: /^www\.site\.com/. It is anchored only at the start, so it can be bypassed with {anything} appended after www.site.com.
The above two cases can be fixed by just adding both ^ and $ to the regex:
  • /^dropbox\.com$/
  • /^www\.site\.com$/
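The four patterns above, run against constructed hostnames, next to a stricter check that parses the redirect target and compares its hostname to an allowlist. This is an added example, not code from Dropbox or from the original post; `isAllowedRedirect`, `ALLOWED_HOSTS`, `audit` and every sample host are assumptions made for illustration.

```javascript
// Patterns quoted in the post: two half-anchored, two fully anchored.
const WEAK_END = /dropbox\.com$/;       // no ^: anything may come before
const WEAK_START = /^www\.site\.com/;   // no $: anything may come after
const FIXED_END = /^dropbox\.com$/;
const FIXED_START = /^www\.site\.com$/;

// Hypothetical allowlist of exact hostnames the application redirects to.
const ALLOWED_HOSTS = new Set(['dropbox.com', 'www.dropbox.com']);

// Hypothetical validator: parse first, then compare the parsed hostname.
// Assumes only absolute https:// targets are legitimate redirect values.
function isAllowedRedirect(target) {
  let url;
  try {
    url = new URL(target);              // throws on relative or malformed input
  } catch {
    return false;
  }
  if (url.protocol !== 'https:') return false;
  // url.hostname is lower-cased and excludes userinfo, port and path,
  // so "https://dropbox.com@other.example/" is judged on "other.example".
  return ALLOWED_HOSTS.has(url.hostname);
}

// Constructed sample hosts: one legitimate, one lookalike per pattern family.
function audit() {
  const rows = [
    ['dropbox.com', WEAK_END, FIXED_END],
    ['notdropbox.com', WEAK_END, FIXED_END],
    ['www.site.com', WEAK_START, FIXED_START],
    ['www.site.com.attacker.example', WEAK_START, FIXED_START],
  ];
  return rows.map(([host, weak, fixed]) => ({
    host,
    weakAccepts: weak.test(host),
    fixedAccepts: fixed.test(host),
  }));
}

console.table(audit());
for (const t of ['https://www.dropbox.com/home',
                 'https://notdropbox.com/',
                 'https://dropbox.com.attacker.example/',
                 'https://dropbox.com@attacker.example/']) {
  console.log(t, '->', isAllowedRedirect(t));
}
```

Comparing the parsed hostname avoids running a regex over the raw parameter at all; in engines where `^` and `$` match at line boundaries, the whole-string anchors are the ones to use.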

While looking for bypasses, always check:
  • validdomain.victim.comevil