Stealing 0Auth Token (MITM)


Severity: Low

Complexity: Medium

Weakness: partial 0Auth redirect_uri path


  • While Testing one of the Target on Hackerone ,I’m gonna call it as REDACTED.COM

Following Test Case Tried for OAuth redirect_uri :

https://www.thirdparty.com/oauth?client_id=35346545675475754&display=popup&redirect_uri=https://connect.REDACTED.com/auth/thirdparty/callback&response_type=code
  • Only Modified Thing’s Accepted at thridParty Site OAuth:
  1. Scheme Protocols
  2. Pre Subdomain Under *.connect.REDACTED.com

redirect_uri=<ANYTHING>://<ANYTHING>.connect.REDACTED.com


  • Possibilites Here:
  1. I Need to find any Valid Subdomain under https://*.connect.REDACTED.COM to see what i can do further for exploitation.
  2. So I Started Bruteforcing for any available Pre-Subdomain’s under connect subdomain and Came across

https://pages.connect.REDACTED.COM which is Nothing but hosted with Static Page .

~Tried Bruteforcing for Directories or Any other Open Redirect Possibilities But Failed~

  • Then i checked the Header For pages.connect.REDACTED.com and found HSTS Missing .

For Those Who Don’t Know what HSTS :

  • It Redirect from HTTP to HTTPS on the same host first , before making valid Request to HOST to ensure not to leak Anything in HTTP.
  • Final Exploit :
https://www.thirdparty.com/oauth?client_id=35346545675415754&display=popup&redirect_uri=http://pages.connect.REDACTED.com/&response_type=code
  • End up Making Request to :
http://pages.connect.REDACTED.com/?code=XXXXXXXXXXXXXXXXXX
  • We have Leak the Token to HTTP on Invalid Path to keep the Token Usable.

  • Since Most of the Program Includes Man In Middle Attacks as OUT OF SCOPE.
  • They have Fixed the Redirect_uri Path to Strict Path , And Reopened my Report and Marked it as Resolved for Detailed Explanation .

  • How to Avoid This Type of Bugs Situation:
  1. Simply by Enforing HSTS Header :
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
  • Here includeSubDomains; Tag will instruct to Serve all subdomains over HTTPS.
  • By Setting Strict Redirect_uri in OAuth Callbacks.