
HackenProof Disclosed Report


Bypass of External Link Warning via Markdown Image Link in Bio Section

Created date: Aug 13 2025

Vulnerability Details

Hi HackenProof Team,

I hope you’re doing well! While exploring the Bio section on the HackenProof platform, I noticed a way to bypass your external link warning mechanism. I understand that open redirects are listed as out of scope, but I believe this specific case is worth sharing, as it affects user safety and could be abused for phishing or malicious file delivery/download.

Vulnerability Overview

In the Bio section, users can write in Markdown. When inserting a normal link, such as:

[Link text](https://dashboard.hackenproof.com/redirect?url=https://example.com)

…it is correctly converted to:

https://dashboard.hackenproof.com/redirect?url=https://dashboard.hackenproof.com/redirect?url=https://example.com

When clicked, this triggers the "Attention! You’re leaving HackenProof" warning screen — a good safety measure to inform users before they navigate away.

⚠️ The Bypass

However, the warning can be bypassed using a Markdown image link. For example:

[![Click Here](https://dashboard.hackenproof.com/redirect?url=https://www.example.png)](https://www.evil.com)

In this case:

  • The broken preview image is loaded from the HackenProof redirect endpoint.
  • When a user clicks it, they are taken directly to https://www.evil.com without the warning page appearing.

💡 Why This Matters

  • Attackers could use this to make malicious links appear trustworthy by leveraging the HackenProof domain.
  • Users might be tricked into downloading malicious files, opening phishing sites, or visiting other unsafe resources without realizing they’ve left HackenProof.
  • The bypass undermines the intended safety feature.

🛠 Suggested Fix

  • Sanitize Markdown to ensure that links inside image tags also go through the redirect warning flow.
  • Alternatively, block clickable images from linking to external URLs or wrap them in the same verification step.

Please read, analyst: this is a bypass of the direct open redirect. Thanks for understanding.

I’m sharing this in the spirit of improving the platform’s user safety. I know this may fall outside the official bounty scope, but I think fixing it will help maintain user trust.

Best regards, unixtz

Validation steps

📎 Proof of Concept

  1. Edit your Bio.
  2. Insert the Markdown:
     [![Click Here](https://dashboard.hackenproof.com/redirect?url=https://www.example.png)](https://www.evil.com)
  3. Save the Bio and view your profile.
  4. Clicking the image takes you directly to https://www.evil.com without the warning popup.
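The suggested fix above amounts to rewriting the href of every anchor in the rendered Markdown, whatever the anchor wraps, rather than only the text links the Markdown converter recognises. The following is an added example of such a post-render step, not HackenProof's own code: it parses the HTML a Markdown renderer emits, routes every non-first-party http(s) href through the warning endpoint, and leaves first-party hrefs alone so that links already pointing at the redirect are not wrapped a second time (the redirect?url=redirect?url=... form shown earlier). The host name, the endpoint path, and the sample HTML are assumptions constructed for the example.

```python
"""Added example (not HackenProof's code): route every external <a href> in
rendered Markdown HTML through a redirect-warning endpoint, including anchors
that wrap an <img>.  Host, endpoint and sample HTML are assumptions."""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlencode, urlsplit

SITE_HOST = "dashboard.hackenproof.com"               # assumed first-party host
REDIRECT_ENDPOINT = f"https://{SITE_HOST}/redirect"   # warning endpoint named in the report


def wrap_external(href: str) -> str:
    """Route a non-first-party http(s) URL through the warning endpoint.

    First-party URLs are returned untouched, which also prevents double
    wrapping of links that already point at the redirect endpoint.
    """
    parts = urlsplit(href)
    if parts.scheme.lower() not in ("http", "https"):
        return href                   # relative, mailto:, etc.: not handled here
    if parts.netloc.lower() == SITE_HOST:
        return href
    return REDIRECT_ENDPOINT + "?" + urlencode({"url": href})


class LinkRewriter(HTMLParser):
    """Re-serialise HTML, rewriting href on every <a>, regardless of its content."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=False)
        self.out: list[str] = []
        self.external: list[str] = []   # original hrefs that were wrapped (for audit logs)

    @staticmethod
    def _attrs(attrs) -> str:
        # Attribute values arrive unescaped from the parser; re-escape on output.
        return "".join(
            f' {k}="{escape(v, quote=True)}"' if v is not None else f" {k}"
            for k, v in attrs
        )

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            fixed = []
            for k, v in attrs:
                if k == "href" and v:
                    new = wrap_external(v)
                    if new != v:
                        self.external.append(v)
                    v = new
                fixed.append((k, v))
            attrs = fixed
        self.out.append(f"<{tag}{self._attrs(attrs)}>")

    def handle_startendtag(self, tag, attrs):
        self.out.append(f"<{tag}{self._attrs(attrs)} />")

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")


def rewrite_links(html: str) -> tuple[str, list[str]]:
    """Return (rewritten_html, external_hrefs_that_were_wrapped)."""
    parser = LinkRewriter()
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.external


# Constructed sample: what a Markdown renderer would emit for the image-link
# payload from the report, plus a text link already routed via the redirect.
SAMPLE_HTML = (
    '<p><a href="https://www.evil.com">'
    '<img src="https://dashboard.hackenproof.com/redirect?url=https://www.example.png" alt="Click Here">'
    '</a></p>'
    '<p><a href="https://dashboard.hackenproof.com/redirect?url=https://example.com">Link text</a></p>'
)

if __name__ == "__main__":
    html_out, wrapped = rewrite_links(SAMPLE_HTML)
    print(html_out)
    print("wrapped:", wrapped)
```

Running the block rewrites only the image link's href (to the redirect endpoint with the destination percent-encoded in the url parameter) and reports it in the returned list, while the text link that already targets the first-party redirect is emitted unchanged. Running the rewrite on the HTML output rather than on the Markdown source is the point: the image-link bypass works precisely because the Markdown-level rewrite only recognises one link syntax.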
Details

State: disclosed
Severity: None
Bounty: $0
Visibility: partially
Vulnerability: Unvalidated Redirects and Forwards