Stealing OAuth Token (MITM)

Arbaz Hussain
Sep 1, 2017 · 2 min read

Severity: Low

Complexity: Medium

Weakness: partial OAuth redirect_uri path validation


  • While testing one of the targets on HackerOne (I'll call it REDACTED.COM), I tried the following test case for the OAuth redirect_uri:

https://www.thirdparty.com/oauth?client_id=35346545675475754&display=popup&redirect_uri=https://connect.REDACTED.com/auth/thirdparty/callback&response_type=code
  • The only modifications the third-party OAuth endpoint accepted were:
  1. The scheme (protocol)
  2. Any subdomain under *.connect.REDACTED.com

In other words, anything matching this pattern was allowed:

redirect_uri=<ANYTHING>://<ANYTHING>.connect.REDACTED.com


  • Possibilities here:
  1. I needed to find a valid subdomain under https://*.connect.REDACTED.COM to see what I could do further for exploitation.
  2. So I started brute-forcing available subdomains under the connect subdomain and came across

https://pages.connect.REDACTED.COM, which is nothing but a hosted static page.

~Tried brute-forcing directories and looking for any other open-redirect possibilities, but failed~

  • Then I checked the response headers for pages.connect.REDACTED.com and found HSTS missing.

For those who don't know what HSTS is:

  • It makes the browser upgrade any HTTP request to that host to HTTPS before sending it, so nothing is leaked over plain HTTP.
  • Final exploit:
https://www.thirdparty.com/oauth?client_id=35346545675415754&display=popup&redirect_uri=http://pages.connect.REDACTED.com/&response_type=code
  • This ends up making a request to:
http://pages.connect.REDACTED.com/?code=XXXXXXXXXXXXXXXXXX
  • The authorization code is leaked over plain HTTP, to a path that never redeems it, so the code stays usable for whoever intercepts it.

  • Most programs list man-in-the-middle attacks as out of scope, so the report was initially closed.
  • They fixed the redirect_uri validation to a strict path, then reopened my report and marked it as Resolved after the detailed explanation.

  • How to avoid this type of bug:
  1. Simply enforce the HSTS header:
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
  The includeSubDomains directive instructs browsers to load all subdomains over HTTPS as well.
  2. Use a strict (exact-match) redirect_uri in OAuth callbacks.
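As an added example (my own code, not from the original post or the affected site), the following Python contrasts a lax redirect_uri check of the kind described above with an exact-match check, and verifies that an HSTS value actually covers subdomains. The weak check is a hypothetical reconstruction of the behaviour the post describes; the registered callback and header value are taken from the post.

```python
from urllib.parse import urlsplit

# Callback registered for the client, as shown in the write-up.
REGISTERED_REDIRECT_URI = "https://connect.REDACTED.com/auth/thirdparty/callback"

# Header value the write-up recommends for every host under connect.REDACTED.com.
HSTS_VALUE = "max-age=63072000; includeSubDomains; preload"


def weak_redirect_check(requested: str, registered: str = REGISTERED_REDIRECT_URI) -> bool:
    """Hypothetical reconstruction of the lax rule described in the post:
    any scheme and any host at or below the registered host are accepted,
    and the path is ignored."""
    req, reg = urlsplit(requested), urlsplit(registered)
    if req.hostname is None:
        return False
    return req.hostname == reg.hostname or req.hostname.endswith("." + reg.hostname)


def strict_redirect_check(requested: str, registered: str = REGISTERED_REDIRECT_URI) -> bool:
    """Exact match: scheme, authority, path and query must equal the registered
    value, the scheme must be https, and a fragment is never allowed
    (RFC 6749 section 3.1.2 and the OAuth 2.0 Security BCP call for this)."""
    req, reg = urlsplit(requested), urlsplit(registered)
    if req.scheme != "https" or req.fragment:
        return False
    return (req.scheme, req.netloc, req.path, req.query) == (reg.scheme, reg.netloc, reg.path, reg.query)


def hsts_covers_subdomains(header_value: str) -> bool:
    """True when the Strict-Transport-Security value has a positive max-age and
    the includeSubDomains directive, i.e. pages.connect.REDACTED.com would be
    upgraded to HTTPS before the browser ever sends the ?code=... request."""
    directives = [d.strip().lower() for d in header_value.split(";") if d.strip()]
    max_age = 0
    for d in directives:
        name, _, value = d.partition("=")
        if name.strip() == "max-age" and value.strip().isdigit():
            max_age = int(value.strip())
    return max_age > 0 and "includesubdomains" in directives


if __name__ == "__main__":
    # Constructed sample: the redirect_uri from the post's final request.
    attack = "http://pages.connect.REDACTED.com/?code=XXXXXXXXXXXXXXXXXX"
    print("weak check accepts attack URI:  ", weak_redirect_check(attack))       # True
    print("strict check accepts attack URI:", strict_redirect_check(attack))     # False
    print("HSTS covers subdomains:         ", hsts_covers_subdomains(HSTS_VALUE))  # True
```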
