Post

Responsible Disclosure — Open Bug Bounty Outstanding Security Research Award

Summary of my responsible disclosure work reporting reflected XSS and open redirect issues (CVE-2021-32478) across education and learning sites worldwide, coordinated via Open Bug Bounty.

Responsible Disclosure — Open Bug Bounty Outstanding Security Research Award

Legal / ethical reminder: Misusing these techniques against systems without permission is illegal. All findings described below were reported responsibly and remediated where possible.

Executive summary

Between September and November 2023 I ran a coordinated responsible-disclosure effort focused on web issues in education and learning platforms. Over the course of this work, I reported over 600 issues through Open Bug Bounty and related channels; my coordinated discoveries contributed to 151+ verified fixes acknowledged by Open Bug Bounty.

I did not receive monetary bounties from Open Bug Bounty for this work, the value was in learning, coordinating fixes, and helping keep student data safer.

Interactive map

Asif Minhas – Responsible Disclosure | Open Bug Bounty 2025


What I found (high level)

The majority of the accepted reports that are accepted by Open Bug Bounty fell into the following five categories:

  • Reflected Cross-Site Scripting (XSS)
  • Open Redirect
  • Cross-Site Request Forgery (CSRF)
  • Improper Access Control
  • GDPR / PII exposure

I focused on finding:

  • Cross-Site Scripting (XSS)
  • Open Redirect (typically via redirect_uri parameters)

My research focused on identifying learning platforms, primarily Moodle instances, that had not applied the security patch for CVE-2021-32478. This 2021 vulnerability combines an open redirect with a reflected XSS in the LTI authentication module (/mod/lti/auth.php), and I found it remained unpatched on hundreds of systems in 2023.


Timeline & approach

  • First accepted report on OBB: 2023-09-07
  • Last submission in this batch: 2023-11-18
  • Method: I used a mix of automated discovery (Shodan, Censys, targeted Google dorks) and custom Python scripts to find candidate targets, then validated results manually to avoid false positives.

GitHub advisory & CVE


Proof-of-concept

Note: the examples below are sanitised for public consumption: they use example.com as a placeholder. Do not publish live PoCs that target active, unpatched systems, always route them through the disclosure process instead.

Reflected XSS:

https://example.com/mod/lti/auth.php?redirect_uri=javascript:alert(%27TEST%27)
https://example.com/mod/lti/auth.php?redirect_uri=javascript:alert(document.domain)
https://example.com/mod/lti/auth.php?redirect_uri=javascript:alert(document.cookie)

Open redirect:

https://example.com/mod/lti/auth.php?redirect_uri=https://google.com


Impact

When combined or used in login/SSO flows, reflected XSS and open redirects can:

  • Enable phishing that abuses legitimate looking login redirects
  • Exfiltrate session tokens or cookies (depending on same-site policy and CSP)
  • Allow attacker controlled scripts to run in the context of an educational site (risking student data or grade disclosure)

Remediation checklist

For developers and IT teams maintaining learning platforms:

  1. Allowlist redirect URIs — require exact-match redirect URIs per client, avoid accepting arbitrary external URLs.
  2. Contextual output encoding — never reflect untrusted input without encoding for the context (HTML/attribute/JS).
  3. CSP & cookie policy — implement CSP and set SameSite/Secure on session cookies.
  4. Least privilege & access control — verify every file endpoint and resource is properly authorised.
  5. Automated scanning + triage — run scheduled scans and feed results into a tracked ticketing workflow.
  6. Disclosure contact — publish a security contact ([email protected]) or a disclosure page to receive reports quickly.

Scope (TLDs / regions) — flags included where applicable

Below is the full list of TLDs I encountered during this research. If a TLD is country specific, I show the corresponding national flag emoji. If the TLD is generic / global, I mark it as Generic.

Note: flag emoji rendering depends on the platform/browser. If the flag does not render for a reader, it will appear as two letters (regional indicator symbols).

Country-Based TLDs with Continents

This vulnerability wasn’t isolated to one region. My research identified and helped secure vulnerable platforms across seven continents. The following tables break down the Top-Level Domains (TLDs) of the affected systems, showing the truly global reach of this responsible disclosure effort.

FlagTLDCountry / RegionContinent
🇬🇧.ac.ukUnited Kingdom (academic subdomain)Europe
🇦🇪.aeUnited Arab EmiratesMiddle East
🇦🇮.aiAnguilla (used by AI companies)North America
🇦🇷.arArgentinaSouth America
🇦🇺.auAustraliaAustralia
🇧🇩.bdBangladeshAsia
🇧🇪.beBelgiumEurope
🇧🇭.bhBahrainMiddle East
🇧🇬.bgBulgariaEurope
🇧🇷.brBrazilSouth America
🇨🇦.caCanadaNorth America
🇪🇸.catCatalonia (Spain region)Europe
🇨🇱.clChileSouth America
🇨🇳.cnChinaAsia
🇨🇴.coColombiaSouth America
🇬🇧.co.ukUnited KingdomEurope
🇨🇾.cyCyprusEurope
🇩🇪.deGermanyEurope
🇪🇨.ecEcuadorSouth America
🇪🇸.esSpainEurope
🇪🇺.euEuropean Union (regional)Europe
🇫🇯.fjFijiOceania
🇫🇷.frFranceEurope
🇬🇷.grGreeceEurope
🇬🇹.gtGuatemalaNorth America
🇭🇰.hkHong KongAsia
🇭🇺.huHungaryEurope
🇮🇴.ioBritish Indian Ocean Territory (tech/startup use)Asia
🇮🇳.inIndiaAsia
🇮🇶.iqIraqMiddle East
🇮🇪.ieIrelandEurope
🇮🇹.itItalyEurope
🇯🇴.joJordanMiddle East
🇯🇵.jpJapanAsia
🇰🇿.kzKazakhstanAsia
🇲🇦.maMoroccoAfrica
🇲🇪.meMontenegroEurope
🇲🇽.mxMexicoNorth America
🇳🇬.ngNigeriaAfrica
🇳🇱.nlNetherlandsEurope
🇴🇲.omOmanMiddle East
🇵🇰.pkPakistanAsia
🇵🇸.psPalestineMiddle East
🇵🇭.phPhilippinesAsia
🇵🇹.ptPortugalEurope
🇷🇺.ruRussiaEurope / Asia
🇸🇦.saSaudi ArabiaMiddle East
🇹🇭.thThailandAsia
🇹🇷.trTurkeyEurope / Asia
🇺🇸.usUnited StatesNorth America
🇿🇦.zaSouth AfricaAfrica
🇼🇸.wsSamoaOceania

Generic / Thematic TLDs

TLDPurpose / Theme
.academyEducation-themed
.appGoogle-managed secure TLD
.comCommercial / Global
.devDevelopers / Secure by default
.digitalTechnology / Generic
.eduEducation (commonly US .edu or national equivalents)
.educationEducation-themed
.infoInformational / Generic
.jobsEmployment / Career
.netNetwork / Infrastructure
.onlineOnline presence / Global
.orgOrganisation / NGO / Nonprofit
.schoolEducation-themed
.taxiServices / Business

Global reach & reflection

My security research led to securing the following continents of the world:

  • Europe
  • North America
  • South America
  • Middle East
  • Africa
  • Asia
  • Australia

I hope that I have contributed to making the online world a more secure and safe place.
In the future, I hope to continue expanding my security research to help more organisations strengthen their defenses.


Final words

I hope these coordinated disclosures helped reduce risk to students and staff.

Acknowledgements:
Special thanks to Open Bug Bounty for their coordination and for recognising my contribution with the Outstanding Security Research certificate.

Certificate of Recognition

Open Bug Bounty Outstanding Security Research Certificate

Certificate issued by Open Bug Bounty — Recognising 151+ verified fixes (2023)

Asif Minhas – Responsible Disclosure | Open Bug Bounty 2025 View Full Certificate (PDF)

This post is licensed under CC BY 4.0 by the author.