Open URL Redirection Vulnerability in Bing


Bing is the world's second most used search engine besides Google. It is owned by the tech giant Microsoft. It’s a great place to find news and other stuff. So for a website, Bing is an important source of traffic. That’s why I was working on SEO for my website at  But I found an Open URL Redirection vulnerability in Bing. In those days, we made the Sprotechs Forum. I was not in the mood to find vulnerabilities. I was simply working on SEO on Bing to index my website. When you are bored, your mind wants something new.

To index a website in Bing, you have to visit the Bing-Webmasters Tool. Here, you need to enter your website, followed by the sitemap etc. So I followed the same process for my own website. When I was going to submit my website, I saw something that grabbed my evil intentions. It was the URL:

At first, I tried to convince myself “it’s nothing, just a waste of time”. But my curious mind kept on whispering “let’s try it!”.

Bing Webmaster Tool

I changed the parameter to

After this, I followed the same method I was using for submitting my website. When I clicked add, BOOOOM, redirected to  I was very happy; I think that day was lucky for me.

I reported this vulnerability to Microsoft and they triaged the report. The vulnerability has been fixed now. While writing this post, I guess some of my readers will think the report must be a professional type or something like that. But it just goes through the steps of finding the vulnerability and reporting it to Microsoft. Maybe it proves helpful for newbies.


Open URL Redirection attack process
1) Login
I logged in to Bing – Webmasters Tools here:
2) When I signed in, I got a form with the title ‘Add a Site’, with the URL:
3) Change the host for checking the request here:
And that’s it.

Open URL Redirection

Open URL Redirection is a vulnerability where a website can be made to redirect its visitors to a malicious webpage, like here, where I redirected to my own domain. That is just a basic definition. An attacker can use it to launch phishing attacks, scam people and much more. Search OWASP for Open URL Redirection for more in-depth information.
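
One way a server can validate a redirect parameter before using it, shown as an added example that is not code from this post or from Bing. The function name, the allowlisted hosts and the sample inputs are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: the only hosts this application may redirect to (constructed values).
ALLOWED_HOSTS = {"example.com", "www.example.com"}


def safe_redirect_target(target, default="/"):
    """Return target if it is a same-site path or an allowlisted https URL, else default."""
    if not target:
        return default
    # Browsers treat "\" like "/" and drop tabs/newlines inside URLs, so refuse them.
    if any(c in target for c in "\\\t\r\n") or target != target.strip():
        return default
    try:
        parts = urlsplit(target)
    except ValueError:  # e.g. malformed IPv6 literal
        return default
    if not parts.scheme and not parts.netloc:
        # Relative reference: accept only a path with exactly one leading slash,
        # because "//host" and "///host" can be read as another origin.
        if target.startswith("/") and not target.startswith("//"):
            return target
        return default
    # Absolute URL: https only, no userinfo ("trusted@other-host"), exact host match.
    if parts.scheme != "https":
        return default
    if parts.username is not None or parts.password is not None:
        return default
    if parts.hostname in ALLOWED_HOSTS:
        return target
    return default


if __name__ == "__main__":
    # Constructed sample values for a hypothetical "return URL" parameter.
    samples = [
        "/dashboard",
        "https://www.example.com/home",
        "//attacker.invalid/login",
        "https://www.example.com@attacker.invalid/",
        "https://www.example.com.attacker.invalid/",
        "javascript:alert(1)",
    ]
    for s in samples:
        print(f"{s!r:50} -> {safe_redirect_target(s)!r}")
```

Exact host comparison matters here: prefix or substring checks on the URL string accept hosts that merely contain the trusted name.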

Video POC:

I’ve also found an SSRF vulnerability in Bing. It’s also been reported and fixed. Stay tuned, the next write-up will be about SSRF in Bing.