Posts

Showing posts from October, 2021

What can I do with Open Redirect with OAuth?

Open redirect, what can we do with it? I will share two bugs I found and could make high severity with an open redirect issue/feature XD. Let's say our target's name is (target.com), and the application's OAuth service is (oauthtarget.com). Let's clear something up: there are two types of open redirect in OAuth. The first one is in the OAuth service itself, and the second one is in the company which will use this OAuth service. Let's take the following URL as an example: http://oauthtarget.com/oauth?redirect_uri=http://companyX.com/callback&client=NA If you open this (in real use XD) you will be asked to accept or reject the access from CompanyX to your information in the application that owns the OAuth service. When you accept the access, the application will redirect you to the URL from the (redirect_uri) parameter, but it will add an Access Token (Code). CompanyX will use this token to access your information, so if an attacker could steal this code he can access the information of this user. ...

Bypassing CSP is not enough to gain your XSS

Is it enough to bypass CSP to gain XSS? A friend asked me to help him with an XSS to bypass the CSP. At first look the CSP is okay; we can bypass it using a JSONP in domains that the target trusts, like (google.com, cdnjs.cloudflare.com). And bypassing the CSP is that easy? Let's see. The JSONP in (google.com) which we will use in our POC is in the following screenshot, and our payload will be (<script src='https://www.google.com/complete/search?client=chrome&q=XSS&callback=alert'></script>) But we faced another issue: our payload is reflected in a JSON page, but with a Content-Type of HTML, so there is an issue with the backslashes. Can you spot the issue from the screenshot? If you didn't, you can see in the following screenshot that the backslash will become a slash, and Google can't handle double slashes and gives an error. So how can we solve this? I tried to use an iframe tag with a src attribute but the CSP was blocking me, but I could bypass it using (...

Just a DOM-Based XSS

Hey guys, let's talk about a DOM-Based XSS that I found yesterday. While searching on my target I found a subdomain with a login form, and it depends on JS code to log in and redirect the user after a valid login. Let's start debugging. The first function is called (submitCredentials), and it is used to pass the username and password to another function. The second function is called (fetchJwt), which checks the username and password with an endpoint, and if they are valid and it returns the JWT for the session, it calls another function (redirectOnSuccess). There is a variable we will use. The third function gets the value from a parameter called (continue) and redirects the user to it, but it uses another function (getUrlParameter), saves the value to a variable (redirectParam), and redirects the user to it. The fourth function checks the full URL and parameters using a simple RegEx which returns values. The above regex will return an array with two values like ['?continue=http://google.com','http://google.co...