Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Facebook OAuth Bypass - 169

Simgamsetti Manikanta - Posted 5 Years Ago
  • OAuth is a protocol used in order to identify users on another website, without ever exposing the credentials of that site. This can be used to delegate authentication to a trusted provider.
  • In these implementations, the real back breaker is the redirect_uri. If the redirect_uri can be spoofed, then a user's account can be taken over via a stray link that the user clicks on. This is because the token that acts as the authorization token for the website being used is delivered to the redirect_uri.
  • However, these bypasses are not easy to come by... even if they are found, they usually require a ton of creativity to exploit.
  • The Facebook redirect URI validation was fine... except that it did not validate the file extension of the request. Because of this, a malicious actor could alter the ending of the path (and therefore walk further into other directories) to find a way to turn this into a redirect. But there is more to it in order to make this exploitable.
  • The redirect still only landed on the Facebook domain! However, this redirect could be fed into a page that sent a postMessage with a wildcard (`*`) target origin, which meant any page listening, on any origin, would receive it. And this page was iFrame-able.
  • So, three individual security issues were used:
    1. Lack of proper validation of the redirect_uri
    2. Insecure handling of postMessage request in an iFrame
    3. Lack of proper headers set (allowed the page to be embedded inside an iframe)
  • Overall, this article was interesting! It took three very small issues and turned them into a complete account takeover.
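As an added example (not code from the referenced write-up or from Facebook), here are the three checks that close the three issues listed above, written for Node.js with constructed sample values; `isAllowedRedirectPrefix` is kept only to show why a prefix match on the redirect_uri is not enough.

```javascript
// Added example: defensive counterparts to the three issues in the write-up.
// Assumes Node.js (the WHATWG URL class is built in); origins and URIs are constructed.

// 1. redirect_uri: compare the whole URL, not a prefix, so an appended extension,
//    extra path segment, query string or ".." segment cannot slip past.
function isAllowedRedirect(registeredUris, requested) {
  let url;
  try { url = new URL(requested); } catch { return false; } // unparsable -> reject
  if (url.protocol !== "https:") return false;              // never hand tokens to http
  const norm = (u) => u.replace(/\/$/, "");                 // ignore only a trailing slash
  return registeredUris.some((r) => norm(r) === norm(url.href));
}

// Naive prefix check: anything that merely starts with the registered value passes.
// Shown here only to contrast with the exact match above.
function isAllowedRedirectPrefix(registeredUris, requested) {
  return registeredUris.some((r) => requested.startsWith(r));
}

// 2. postMessage: post only to a named origin, and accept only from an allowlist.
function sendToken(targetWindow, token, targetOrigin) {
  if (targetOrigin === "*") throw new Error("refusing to post a token to every origin");
  targetWindow.postMessage({ token }, targetOrigin);
}
function makeMessageHandler(allowedOrigins, onMessage) {
  return (event) => {
    if (!allowedOrigins.includes(event.origin)) return false; // drop foreign senders
    onMessage(event.data);
    return true;
  };
}

// 3. Anti-framing headers for the page that receives the token, so it cannot be
//    embedded in an attacker-controlled iframe at all.
function antiFramingHeaders() {
  return {
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "frame-ancestors 'none'",
  };
}

module.exports = { isAllowedRedirect, isAllowedRedirectPrefix, sendToken, makeMessageHandler, antiFramingHeaders };
```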