Stealing the Access Token of a OneDrive Integration by Chaining a CSRF Vulnerability

Severity: High

Complexity: Easy

Weakness: partial (prefix) match on the OAuth redirect_uri path

Steps to Reproduce:

1. The site has a Third Party Integrations tab at , which offers a OneDrive integration.

2. Click Activate on the OneDrive integration.

3. We get redirected to the OneDrive authorization URL, which requests the scopes: wl.skydrive wl.skydrive_update wl.offline_access

From Above URL:


4. So I started playing with redirect_uri=

I found that redirect_uri accepts anything appended after


5. This confirms that they have not enforced a strict path match on redirect_uri: anything is allowed after redirect_uri=* wl.skydrive wl.skydrive_update wl.offline_access

6. So the obvious way to exploit this and obtain the access token is to find an open redirect on the same host. I kept looking for any open redirect endpoint in to exploit, but had no luck.

7. The next day I started reading their API documentation.

And I came across:

GET /api/testCallback?callback_url=

which they use for checking that API callback requests reach your server.

8. So finally we have a CSRF vulnerability that makes a GET request to the attacker's server. Appending that endpoint to the partially matched redirect_uri chains the two issues:

&redirect_uri= /api/testCallback?callback_url=

Finally: /api/testCallback?callback_url=

~ Success ~

Fix: an exact match should be made on redirect_uri instead of a partial (prefix) match.
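To show what that fix looks like in practice, here is an added example (not code from the original post or from the affected site) that puts the weak prefix check beside the exact string comparison that the OAuth 2.0 Security Best Current Practice requires for redirect_uri. The registered URI, host names and sample values are constructed placeholders; the third function only exists to give an audit log a reason for each rejection.

```python
from typing import Optional
from urllib.parse import urlsplit

# Constructed allowlist: the redirect URI registered for the OneDrive integration.
# Host and path are placeholders, not values from the original write-up.
REGISTERED_REDIRECT_URIS = frozenset({
    "https://app.example.invalid/integrations/onedrive/callback",
})


def redirect_uri_allowed_prefix(uri: str) -> bool:
    """The weak check the write-up describes: the value passes if it merely
    starts with a registered URI, so anything appended after it is accepted."""
    return any(uri.startswith(registered) for registered in REGISTERED_REDIRECT_URIS)


def redirect_uri_allowed_exact(uri: str) -> bool:
    """The recommended check: a plain string comparison against the allowlist.
    No prefix, suffix, case folding or path normalisation is applied."""
    return uri in REGISTERED_REDIRECT_URIS


def redirect_uri_rejection_reason(uri: str) -> Optional[str]:
    """Explain, for an audit log, why a redirect_uri failed the exact check.
    Returns None when the value is allowed."""
    if redirect_uri_allowed_exact(uri):
        return None
    try:
        supplied = urlsplit(uri)
    except ValueError:
        return "unparseable"
    for registered in REGISTERED_REDIRECT_URIS:
        expected = urlsplit(registered)
        if (supplied.scheme, supplied.netloc) != (expected.scheme, expected.netloc):
            continue  # different origin; try the next registered value
        if supplied.path != expected.path:
            return "path-differs"       # extra segments appended after the registered path
        if supplied.query:
            return "query-present"      # an extra parameter such as callback_url
        if supplied.fragment:
            return "fragment-present"
        return "mismatch"               # same components, but not byte-identical
    return "origin-not-registered"


def check_redirect_uri(uri: str) -> dict:
    """Run both checks on one value so the difference is visible side by side."""
    return {
        "prefix_match": redirect_uri_allowed_prefix(uri),
        "exact_match": redirect_uri_allowed_exact(uri),
        "reason": redirect_uri_rejection_reason(uri),
    }


if __name__ == "__main__":
    # Constructed sample values: the legitimate URI, the same URI with an extra
    # path appended (the chain from the write-up), the same URI with an extra
    # query parameter, and a URI on a different host.
    base = "https://app.example.invalid/integrations/onedrive/callback"
    samples = [
        base,
        base + "/api/testCallback?callback_url=https://attacker.invalid/",
        base + "?callback_url=https://attacker.invalid/",
        "https://other.example.invalid/integrations/onedrive/callback",
    ]
    for sample in samples:
        print(sample, check_redirect_uri(sample))
```

Only the first sample passes the exact check; the prefix check also accepts the second and third, which is exactly the gap the write-up chained through. When the integration needs more than one callback, register each full URI rather than relaxing the comparison.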

Security Analyst
