Full Account Takeover via Referer Header (OAuth Token Theft, Open Redirect Vulnerability Chaining)

Hello everyone, this is M. Asim Shahzad and this is my third write-up. This time I am going to share one of my more interesting findings: how I was able to steal an OAuth token by chaining an open redirect vulnerability, which earned a $1,200 bounty. First I will define what the Referer header is, what an open redirect is, and what an OAuth token is; then I will explain how an open redirect can be chained with other issues to obtain sensitive tokens.

What is the Referer Header?

The Referer request header contains the address of the previous web page from which a link to the currently requested page was followed. It lets servers identify where visitors are coming from, and that data may be used for analytics, logging, or optimized caching. (The header really is spelled "Referer": the misspelling was standardised in the original HTTP specification and has been kept for compatibility.)

What is an Open Redirect?

An open redirect is a flaw in an application or web page that fails to properly validate a user-supplied redirect target. Because that validation is missing or bypassable, an attacker can use the trusted site to steer users to a malicious third-party website.

What are OAuth Tokens?

OAuth (Open Authorization) is an open standard for token-based authorization on the Internet. Pronounced "oh-auth", it lets a third-party application access a user's account data held by a provider such as Facebook, Google or Twitter without the user ever handing over their password; instead the application is issued an access token that represents the granted permissions.

We all know about the recent Facebook breach; it happened because access tokens were stolen.

Session tokens, access tokens and OAuth tokens are highly sensitive, because an attacker who obtains one can log in to your account without knowing your password.

How I was able to steal the OAuth token?

I was testing a private web application on HackerOne, so let's call it "Redacted".

This vulnerability is usually found on applications that offer third-party login methods such as login with Facebook, Google or Twitter, and Redacted offered exactly those. While logging in to my account I checked my Burp HTTP history and found an endpoint that carried the OAuth token together with another parameter, "redirect_uri", used for redirecting.

Like this:

https://redacted.com/?oauth=gfhju76554678ggfr576898gfhj&redirect_uri=https://test.com

The endpoint above contains the OAuth token and a redirect URL parameter. I reasoned that if I could bypass the "redirect_uri" filter and send the user to my server, I could steal the OAuth token via the Referer header: as described above, the Referer contains the address of the previous web page, so once the victim lands on my server the Referer would carry the token-bearing URL, because the token was being transmitted in the query string of a GET request. (This depends on the token-bearing page being allowed to send its full URL as the referrer: a Referrer-Policy of no-referrer-when-downgrade or unsafe-url leaks the query string to a cross-origin destination, whereas the default in current browsers, strict-origin-when-cross-origin, sends only the origin.)

I tried to bypass the open-redirect filter. I started by simply injecting my server's URL, with no luck, so I fired up Intruder and tried hundreds of open-redirect payloads.

You can find payloads for open redirects (and other attacks) here:

https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Open%20redirect

After around 300 attempts Intruder got a 301 response from the target server, meaning the redirect filter had been bypassed; after redirecting the victim to my server, I received the OAuth token in the Referer header.
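As an added illustration of the two halves of this chain (this is not the author's code or the target application's), the following Python models, first, a strict redirect_uri validator beside the kind of prefix check that the open-redirect payloads defeat, and second, what a browser actually puts in the Referer header under each Referrer-Policy when the token-bearing page navigates to the attacker's host. The host names (test.com, www.test.com, evil.example, redacted.com), the payload list and the token value are constructed for the example. Two caveats a tester should keep in mind are encoded in it: the query string only reaches a cross-origin Referer under no-referrer-when-downgrade or unsafe-url (current browsers default to strict-origin-when-cross-origin, which sends only the origin), and a bare HTTP 3xx redirect keeps the referrer of the request that was redirected, so the token URL itself shows up as Referer when the token-bearing page is rendered and then navigates (JavaScript, meta refresh) or loads a resource from the attacker's host.

```python
"""Added example, not code from the write-up or the target application:
a strict redirect_uri validator beside the naive prefix check that
open-redirect payloads bypass, plus a model of what a browser sends in
the Referer header under each Referrer-Policy value. All host names,
the payload list and the token value below are constructed."""
from urllib.parse import parse_qs, urlsplit, urlunsplit

# Constructed allowlist: the only hosts the app may redirect to.
ALLOWED_HOSTS = {"test.com", "www.test.com"}

# Constructed token-bearing URL shaped like the one in the write-up,
# with the attacker's host in redirect_uri.
ATTACKER_HOST = "evil.example"
TOKEN_URL = ("https://redacted.com/?oauth=gfhju76554678ggfr576898gfhj"
             f"&redirect_uri=https://{ATTACKER_HOST}")


def naive_is_safe_redirect(url: str) -> bool:
    """The prefix check many open-redirect filters amount to."""
    return url.startswith("https://test.com")


def is_safe_redirect(url: str) -> bool:
    """Allowlist the parsed host exactly. Backslashes are rejected because
    browsers treat '\\' as '/', and non-printable characters (TAB, CR, LF)
    because browsers strip them before parsing, so 'test.com<TAB>.evil'
    would become 'test.com.evil'."""
    if "\\" in url or not url.isprintable():
        return False
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.username is not None:
        return False  # wrong scheme, or the 'test.com@evil.example' userinfo trick
    return parts.hostname in ALLOWED_HOSTS  # hostname is lowercased, port stripped


# Constructed payloads in the style of the PayloadsAllTheThings list,
# plus two legitimate URLs to show the naive check is also too strict.
PAYLOADS = [
    "https://test.com/cb?x=1",                  # legitimate
    "https://www.test.com/cb",                  # legitimate, naive check rejects it
    "https://test.com.evil.example/",           # allowed host as a subdomain
    "https://test.com@evil.example/",           # allowed host as userinfo
    "https://test.com%2F@evil.example/",        # encoded slash hides the '@'
    "https://test.comevil.example/",            # prefix match without a dot
    "https://test.com\t.evil.example/",         # TAB stripped by browsers
    "//evil.example/",                          # protocol-relative
    "https://evil.example/test.com",            # allowed host in the path
]


def evaluate_payloads(payloads=PAYLOADS):
    """Return {payload: (naive_verdict, strict_verdict)}."""
    return {p: (naive_is_safe_redirect(p), is_safe_redirect(p)) for p in payloads}


def referer_for(source_url: str, dest_url: str, policy: str) -> str:
    """What a browser sends as Referer when navigating from source_url to
    dest_url under the given Referrer-Policy ('' = browser default, which is
    strict-origin-when-cross-origin in current browsers). Returns "" when no
    header is sent. The fragment is never sent; the origin-only form is sent
    with a trailing slash."""
    src, dst = urlsplit(source_url), urlsplit(dest_url)
    host = src.hostname + (f":{src.port}" if src.port else "")
    origin = f"{src.scheme}://{host}/"
    full = urlunsplit((src.scheme, host, src.path, src.query, ""))
    same_origin = (src.scheme, src.hostname, src.port) == (dst.scheme, dst.hostname, dst.port)
    downgrade = src.scheme == "https" and dst.scheme == "http"
    if policy == "no-referrer":
        return ""
    if policy == "unsafe-url":
        return full
    if policy == "no-referrer-when-downgrade":
        return "" if downgrade else full
    if policy == "origin":
        return origin
    if policy == "strict-origin":
        return "" if downgrade else origin
    if policy == "same-origin":
        return full if same_origin else ""
    if policy == "origin-when-cross-origin":
        return full if same_origin else origin
    if policy in ("", "strict-origin-when-cross-origin"):
        return "" if downgrade else (full if same_origin else origin)
    raise ValueError(f"unknown Referrer-Policy {policy!r}")


def leaked_token(referer: str) -> str:
    """What the attacker's server can read back from the Referer it received."""
    return parse_qs(urlsplit(referer).query).get("oauth", [""])[0]


if __name__ == "__main__":
    for p, (naive, strict) in evaluate_payloads().items():
        print(f"naive={naive!s:5} strict={strict!s:5} {p!r}")
    for policy in ("no-referrer-when-downgrade", "strict-origin-when-cross-origin", "no-referrer"):
        ref = referer_for(TOKEN_URL, f"https://{ATTACKER_HOST}/", policy)
        print(f"{policy:33} Referer={ref!r} token={leaked_token(ref)!r}")
```

Run it as a script to see the two verdict columns side by side: every payload that the prefix check waves through is rejected by the allowlist, and www.test.com shows that the prefix check is wrong in the other direction too. The Referer section shows the same token URL producing the full query string under no-referrer-when-downgrade, only `https://redacted.com/` under the current browser default, and nothing under no-referrer, which is what an application should set (or use a fragment or POST for the token) if it cannot avoid putting a token in a URL at all.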

Earned $1,200 bounty :D :D :D

Thanks a lot for reading my report :)