Open Redirection in OAuth

Hi there,


I am fond of testing APIs. Whenever a bug bounty program launches, the first thing I look at is whether they have an API or not. I have tested the APIs of many websites, like Mapbox and Mediafire, and found many issues.


Now I stumbled across a website. I don't want to disclose its name, so let's call it example.com. On example.com you can create an application and get data from the users. They have different scopes like email, phone number, address, etc.

Now they are using OAuth for all this. I created an application and started testing it.
As soon as I created the application, a client_id and client secret were provided to me (intended).

Now the application only allows an https URL as the redirect_uri. I white-listed a URL and I was ready to go.

I gave it the scope of email and tried the OAuth URL they provided. What actually happens is that if you provide the wrong scope, you are redirected to the URL given in the redirect_uri.

Now according to RFC 6749:

    If the request fails due to a missing, invalid, or mismatching
    redirection URI, or if the client identifier is missing or invalid,
    the authorization server SHOULD inform the resource owner of the
    error and MUST NOT automatically redirect the user-agent to the
    invalid redirection URI

    If the resource owner denies the access request or if the request
    fails for reasons other than a missing or invalid redirection URI,
    the authorization server informs the client by adding the following
    parameters to the query component of the redirection URI using the
    "application/x-www-form-urlencoded" format

Let's take a scenario.
There is a website example.com and someone creates an application with a white-listed URL, attacker.com.

Now in the second paragraph of the RFC 6749 text above, many developers misinterpret the words "other than".
If the scope parameter is invalid, they directly redirect the user to that website without any interaction, and that is how it works as an open redirect.

Now this can be used for phishing purposes or for redirecting users to a malicious website.

Now they say that this is how OAuth works, but actually if the scope is invalid, Google and Facebook don't redirect their users to the website mentioned in redirect_uri. Facebook shows this type of error if the scope is invalid.
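To make the two readings of the RFC text concrete, here is an added example in Python of a minimal authorization-endpoint decision function. It is not code from the post, from example.com, or from any real OAuth library; the client registry, the client_id values, the callback paths and the handle_authorize name are all constructed for illustration, with the attacker.com registration mirroring the scenario above. With redirect_on_invalid_scope=True it behaves the way the post says example.com does (the user is bounced to redirect_uri with error=invalid_scope before any consent screen); with the default False it behaves like the Google/Facebook behaviour the post describes, showing the error to the user instead of redirecting.

```python
from urllib.parse import urlencode, urlsplit, urlunsplit, parse_qsl

# Constructed client registry for a hypothetical authorization server
# (the post's example.com). Each client registers one exact https redirect URI
# and the scopes it is allowed to request.
REGISTERED_CLIENTS = {
    "client-good": {
        "redirect_uri": "https://app.example.org/callback",
        "scopes": {"email", "phone", "address"},
    },
    # The post's scenario: anyone can register an application, so an
    # untrusted party can whitelist a domain they control.
    "client-evil": {
        "redirect_uri": "https://attacker.com/cb",
        "scopes": {"email"},
    },
}


def append_error_query(uri, params):
    """Add error parameters to the query component of uri, as RFC 6749
    section 4.1.2.1 describes (application/x-www-form-urlencoded)."""
    parts = urlsplit(uri)
    query = parse_qsl(parts.query, keep_blank_values=True) + list(params.items())
    return urlunsplit((parts.scheme, parts.netloc, parts.path,
                       urlencode(query), parts.fragment))


def handle_authorize(params, clients=REGISTERED_CLIENTS,
                     redirect_on_invalid_scope=False):
    """Decide how the authorization endpoint answers one /authorize request.

    params is the dict of query parameters from the request. Returns one of:
      ("page", message)       - show the resource owner an error, no redirect
      ("redirect", location)  - send the user-agent to the client's URI
      ("consent", client_id)  - request is well formed; show the consent screen

    redirect_on_invalid_scope=True reproduces the literal reading of RFC 6749
    the post describes (redirect for every error other than a bad redirect_uri).
    The default, False, is the hardened behaviour: the user-agent is only ever
    redirected after the resource owner has seen the consent screen.
    """
    client = clients.get(params.get("client_id", ""))
    redirect_uri = params.get("redirect_uri", "")

    # Missing/invalid client_id, or a redirect_uri that does not exactly match
    # the registered value: the RFC says MUST NOT redirect. Exact string
    # comparison, https only (the post's server also allowed only https).
    if (client is None
            or redirect_uri != client["redirect_uri"]
            or not redirect_uri.startswith("https://")):
        return ("page", "invalid_request: unknown client_id or redirect_uri mismatch")

    state = params.get("state")
    requested = set(params.get("scope", "").split())

    if not requested or not requested <= client["scopes"]:
        # The branch the post is about. Under the literal reading the user is
        # bounced to redirect_uri with error=invalid_scope without any
        # interaction, so a crafted link lands on whatever domain the
        # application registered.
        if redirect_on_invalid_scope:
            err = {"error": "invalid_scope"}
            if state is not None:
                err["state"] = state
            return ("redirect", append_error_query(redirect_uri, err))
        return ("page", "invalid_scope: the requested scope is not available")

    return ("consent", params["client_id"])


if __name__ == "__main__":
    # Constructed request with a scope the application never registered.
    crafted = {"client_id": "client-evil", "redirect_uri": "https://attacker.com/cb",
               "scope": "email profile", "state": "xyz", "response_type": "code"}
    print(handle_authorize(crafted, redirect_on_invalid_scope=True))
    print(handle_authorize(crafted))
```

The first branch is the part of the RFC nobody disputes: a wrong or missing redirect_uri must never be followed. The difference between the two vendor behaviours the post contrasts is entirely in the second branch, and the cost of the hardened choice is small: a legitimate client that sends a bad scope gets a visible error page instead of an error callback, which is exactly what the Google and Facebook responses described above amount to.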


Now after all this I reported this bug to example.com and they denied it, saying that this is how OAuth works. After a long trail of comments they said, "We are going to operate our API according to RFC 6749." That's it.

So everything is up to them, whether they want to make changes to protect their users or not.

Credits 
http://blog.intothesymmetry.com/2015/04/open-redirect-in-rfc6749-aka-oauth-20.html

And the mitigations that were provided by John Bradley and Hannes Tschofenig can be found here: https://tools.ietf.org/id/draft-bradley-oauth-open-redirector-01.txt



Thanks 
Jitendra Kumar Singh (Team Computerkorner)