Forwarded from PT SWARM
Account hijacking using "dirty dancing" in sign-in OAuth-flows
👤 by Frans Rosén
Combining response-type switching, invalid state and redirect-uri quirks in OAuth with third-party JavaScript inclusions has multiple vulnerable scenarios where authorization codes or tokens could leak to an attacker. This could be used in attacks for single-click account takeovers. Frans Rosén, Security Advisor at Detectify, goes through three different scenarios found in the wild below and also suggests ways to reduce the risk.
📝 Contents:
• Background
• Current state and assumptions about OAuth credential leakage
• Explanation of different OAuth-dances
• Response modes
• A theory: stealing tokens through postMessage
• It took a lot of time to get here
• Non-happy paths in the OAuth-dance
• Break state intentionally
• Response-type/Response-mode switching
• Redirect-uri case shifting
• Redirect-uri path appending
• Redirect-uri parameter appending
• Redirect-uri leftovers or misconfigurations
• I ended up on a non-happy path. Now what?
• Here be more time
• URL-leaking gadgets
• Other ideas for leaking URLs
• A page on a domain that routes any postMessage to its opener
• Conclusion
• How can we fix this?
• How to reduce the risk
https://labs.detectify.com/2022/07/06/account-hijacking-using-dirty-dancing-in-sign-in-oauth-flows/
Forwarded from SHADOW:Group
🪙 The blockchain network is protected! But not the applications and their integrations
A blockchain network is indeed hard to hack, since blockchain provides a secure network for building decentralized applications; however, the application architecture, source code, workflow, logic and configurations are always open to attack.
Read the article
#web3
Telegraph
The blockchain network is protected! But not the applications and their integrations
The original in English is here. Overview: During a security assessment of a blockchain-based web application, it was observed that some functions were vulnerable to unauthenticated ETH transfers from the administrator's wallet to an attacker's wallet. The web application represented…
Forwarded from The Bug Bounty Hunter
Groovy Template Engine Exploitation – Notes from a real case scenario https://security.humanativaspa.it/groovy-template-engine-exploitation-notes-from-a-real-case-scenario/
Caching the Un-cacheables - Abusing URL Parser Confusions (Web Cache Poisoning Technique)
https://nokline.github.io/bugbounty/2022/09/02/Glassdoor-Cache-Poisoning.html