Chapter 109: Pentesting 2
So the next thing he did was deploy the anonymity tools, and that meant using EIDOLUX, which was already activated.
However, it only worked for local traces.
If he connected to the internet now, his IP address, routing path, and traffic metadata could still be monitored.
That meant he needed network-level masking to stay fully hidden. To achieve full invisibility, he deployed a series of anonymity tools.
First, he initiated a multi-jump VPN tunnel, followed by Tor, and finally a randomized proxy chain designed to scatter his traffic across continents.
To further enhance his cover, he then spoofed his MAC address, added noise to his canvas fingerprint, and altered the system's user agent string to resemble a test machine in Turkey running outdated Ubuntu.
He glanced at his current work on the computer screen, reading through the task description and the range of rewards being offered.
...
Work: Unvalidated Redirect Detection
Severity: Low
Category: Web Input Validation
Status: Open
Reward Range: $100 – $500
Description:
Identify and report any endpoint that performs URL redirection without properly validating the destination.
...
Now his task was to identify and report any endpoint on SocialHub that performed URL redirection without properly validating the destination.
Unvalidated redirects posed a serious risk, as they could be abused in phishing attacks by misleading users into trusting links that seemed to come from SocialHub.
This issue did not directly compromise accounts, but it created a risk to brand trust and user safety, particularly when used in deceptive links or social engineering campaigns.
In simple terms, he was going to look for a URL on SocialHub that allowed anyone to redirect users to an external site without verifying whether it was safe.
So instead of using Python, even though it was his favorite language, he understood the need to let it go. Not completely, though.
What he has in mind now is Golang, also known as Go. It is an open-source programming language developed by Google and was officially launched in 2009.
It was crafted with a focus on simplicity, speed, efficiency, and ease of deployment.
Because of these strengths, Go is widely used in developing command-line tools, network services, web servers, and even cybersecurity utilities.
Its creators at Google, Robert Griesemer, Rob Pike, and Ken Thompson, had found existing programming languages like C++ and Java lacking in certain areas, so they created Go.
Their aim was to achieve the performance of C while maintaining the readability of Python.
Go also focused on faster build times and easy deployment through static binaries.
Above all, they designed it to handle massive infrastructure, deliver fast APIs, and support simple concurrency for multitasking environments.
Jeff opened a new terminal window inside EIDOLUX. Instead of scripting in Python like he usually did, he chose to write this one in Go.
He then created a new file called redirect_scan.go and began typing by hand.
The program started with the basic structure of a Go application, importing necessary packages like fmt for output, net/http for making HTTP requests, and os in case he needed file-level operations later.
At the core of the tool was a function called checkRedirect. This function took two arguments: a base URL and a test URL.
It combined the two into a full request, then sent a GET request using a custom HTTP client.
He deliberately disabled automatic redirect following by overriding the CheckRedirect handler, forcing the client to return the raw response rather than follow the redirection.
The function then analyzed the HTTP response. If it returned a status code of 301 or 302, both standard redirection codes,
it checked whether the Location header matched the test URL he had injected.
If it did, that meant the redirect was unvalidated, accepting and passing on an external destination without restriction.
The function then returned true for vulnerable and false for safe.
In the main function, he defined a list of known redirect endpoints used by SocialHub, such as /redirect?next=, /go?url=, and /out?to=.
He also defined a fake test destination, https://razi.fake, which was a controlled placeholder used to simulate an attacker-controlled link.
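A working version of the check described above, written here as an added example and not the GhostCheck script from the story: the client is stopped from following redirects by returning http.ErrUseLastResponse from CheckRedirect, the Location header of a 301/302 is compared against the test host, and, going beyond the text, the scanner is paired with the fix a developer would ship (an allowlist-based safeTarget behind a hardened handler). Both a vulnerable and a hardened endpoint are served from an in-process httptest server so the whole thing runs offline. The host help.socialhub.example and the handler code are assumptions; razi.fake is the page's own placeholder destination.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// Constructed placeholder for an untrusted external host (the page's razi.fake); nothing is sent to it.
var testDest, _ = url.Parse("https://razi.fake")
// Constructed allowlist of external hosts a hardened endpoint may redirect to.
var allowedHosts = map[string]bool{"help.socialhub.example": true}
// noFollow hands back the raw 3xx instead of following it, so the Location header can be inspected.
var noFollow = &http.Client{CheckRedirect: func(*http.Request, []*http.Request) error { return http.ErrUseLastResponse }}

// checkRedirect sets param to the test destination and reports true when the
// endpoint answers 301/302 with a Location on the test host (an unvalidated redirect).
func checkRedirect(endpoint, param string) (bool, error) {
	u, err := url.Parse(endpoint)
	if err != nil {
		return false, err
	}
	q := u.Query()
	q.Set(param, testDest.String())
	u.RawQuery = q.Encode()
	resp, err := noFollow.Get(u.String())
	if err != nil {
		return false, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusMovedPermanently && resp.StatusCode != http.StatusFound {
		return false, nil
	}
	loc, err := resp.Location() // ErrNoLocation: a 3xx with nothing to follow
	if err != nil {
		return false, nil
	}
	return loc.Host == testDest.Host, nil
}

// vulnerableRedirect forwards whatever arrived in ?next= (the flaw under test).
func vulnerableRedirect(w http.ResponseWriter, r *http.Request) {
	http.Redirect(w, r, r.URL.Query().Get("next"), http.StatusFound)
}

// safeTarget is the fix: only same-origin paths or https URLs on allowlisted hosts pass.
func safeTarget(raw string, allowed map[string]bool) (string, bool) {
	if raw == "" || strings.ContainsAny(raw, "\\\r\n") { // backslash and CRLF variants
		return "", false
	}
	u, err := url.Parse(raw)
	if err != nil {
		return "", false
	}
	if u.Scheme == "" && u.Host == "" { // relative path: exactly one leading "/", never "//host"
		return raw, strings.HasPrefix(raw, "/") && !strings.HasPrefix(raw, "//")
	}
	if u.Scheme == "https" && allowed[u.Host] {
		return u.String(), true
	}
	return "", false // javascript:, data:, unlisted hosts, protocol-relative
}

// hardenedRedirect applies safeTarget to ?url=; rejected targets fall back to the home page.
func hardenedRedirect(w http.ResponseWriter, r *http.Request) {
	target, ok := safeTarget(r.URL.Query().Get("url"), allowedHosts)
	if !ok {
		target = "/"
	}
	http.Redirect(w, r, target, http.StatusFound)
}

// runDemo serves one vulnerable and one hardened endpoint in-process and scans both.
func runDemo() (map[string]bool, error) {
	mux := http.NewServeMux()
	mux.HandleFunc("/redirect", vulnerableRedirect)
	mux.HandleFunc("/go", hardenedRedirect)
	srv := httptest.NewServer(mux)
	defer srv.Close()
	results := map[string]bool{}
	for path, param := range map[string]string{"/redirect": "next", "/go": "url"} {
		vuln, err := checkRedirect(srv.URL+path, param)
		if err != nil {
			return nil, err
		}
		results[path] = vuln
	}
	return results, nil
}

func main() {
	results, err := runDemo()
	if err != nil {
		panic(err)
	}
	fmt.Println(results) // map[/go:false /redirect:true]
}
```

The hardened handler answers the probe with a redirect to "/" rather than an error, so the scanner's Location comparison (not merely the presence of a 302) is what separates a safe endpoint from a vulnerable one; a checker that only looked at the status code would misreport it.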
…
After finishing the Go script, Jeff saved it under the name redirect_scan.go. The next thing he did was compile it into a binary using Go's built-in compiler.
This process converted his human-readable code into a lightweight, executable file that his system could run directly.
Once the compilation was complete, the resulting binary file was named redirect_scan. To keep things tidy and aligned with his usual naming style, he renamed the file to ghostcheck.
With the tool now ready, Jeff executed the binary; no arguments were needed.
Everything inside the program was already hardcoded: the target URLs, the test destination, and the behavior logic.
Once launched, the tool immediately began scanning the redirect endpoints he had chosen from SocialHub's web infrastructure.
These included known redirect parameters commonly used by the platform, such as those found in /redirect?next=, /go?url=, and /out?to=.
Each of these endpoints was automatically tested using a fake destination URL that Jeff had designated: https://razi.fake.
The purpose of this was to see if SocialHub would blindly accept and redirect to an external, non-trusted domain.
If it did, that would indicate an unvalidated redirect, a known vulnerability which, while not really critical, could still be exploited in phishing attacks.
Inside the program, the main function being executed was designed to send an HTTP request to each target endpoint and observe the response.
If the response returned a status code like 301 or 302 and included a redirect to the fake destination, then the tool would log that URL as vulnerable. If not, the endpoint was considered safe.
Once the scan completed, the output confirmed what he had suspected.
Only one of the tested URLs, /redirect?next=, responded with an external redirect, confirming it was unvalidated.
The other two endpoints properly blocked or filtered the redirect attempt. That meant he had found one legitimate issue: a single unvalidated redirect vulnerability.
This kind of flaw doesn't give attackers access to systems or data, but it does allow them to craft deceptive links.
A user clicking a link that begins with "socialhub.com" might be unaware that it ultimately leads to a phishing site.
He knew the risks; even small holes like this could be turned into weapons in the wrong hands.
And now he needed to gather all the evidence so he could report it, since one confirmed issue meant one bounty could be claimed.
So he scanned one by one. As time passed, he continued to find more issues.
He solved each one quickly, with Razi's help and his own godly programming skills, which made the fixing task very easy.
By the end of the hour, he stared at the numbers displayed on the terminal. The log summary told the story better than words could.
After scanning 1,726 endpoints, 64 vulnerabilities were confirmed, and 64 reports were prepared for submission.
Each report was packed with clear details, as RAZi had prepared them:
the exact endpoint, the steps to trigger the redirect, the HTTP response showing the vulnerability, a clean proof-of-concept link, and a suggested fix.
Every one of them was readable by both human reviewers and automated systems.
What would have taken most security teams days or maybe even weeks, he alone had completed in under sixty minutes.
He didn't even rush it. If he wanted to, the results would have been even more amazing.
While GhostCheck swept through the targets, he simply observed, occasionally stepping in to verify an edge case or reclassify a tricky one.
The rest was automated and when it came time to submit, he didn't have to write anything by hand.
From the moment he launched GhostCheck, the Go-compiled scanner he had custom built, it tore through endpoints like a scalpel through silk.
It tested each one of them with precision. RAZi had already scraped over 1,726 redirect URLs across SocialHub's entire digital footprint, from mobile APIs and forgotten beta environments to third-party subdomains buried deep in outdated sitemaps.
RAZi then parsed them, filtered the duplicates, and handed them off to GhostCheck in neatly sorted batches.
The script ran at full throttle, sending silent requests to each endpoint with https://razi.fake embedded as the test payload.
Another twenty minutes in, GhostCheck had scanned over a thousand endpoints.
But he didn't submit them just yet. Instead, he typed a quick command into RAZi's interface.
Within seconds, the AI gathered all the raw scan data (endpoints, response codes, timestamps, headers) and began assembling it into a full report.
This document includes an executive summary at the top, followed by a table of contents for easy navigation.
Each vulnerability is detailed in a dedicated entry, providing the affected URL, a proof-of-concept (PoC) link, HTTP logs, and recommended fixes.
Additionally, timestamps, hash checks, and an internal reference ID system he had designed were integrated throughout for tracking and verification.
...
1st: Special thanks to 'Essos👑' – the GOAT of the month, for both the rewarding gifts and golden tickets! Much love, brotha!
2nd: Big thanks to 'Pat_funding👑' for the unwavering support since the very start of my journey and for the golden tickets and gifts!
3rd: Special shoutout to 'Devon1234👑' – The same GOAT of this month, for all the amazing gifts! You're absolutely RAD!