Slack: Slack OAuth2 "redirect_uri" Bypass

ID H1:2575
Type hackerone
Reporter prakharprasad
Modified 2014-05-29T22:15:44



I've found a way to circumvent redirect_uri restrictions imposed by the web application using domain-suffix/subdomain technique.

I created an OAuth application under That has OAuth redirect_uri configured to

So technically

Allowed Request shall be :

Denied Request shall be:

Surprisingly, if I point the redirect_uri to (see .mx suffix), the endpoint will be accepted; in fact, an endpoint like will be accepted too. The server doesn't block these suffix attacks.

So attackers can craft an OAuth endpoint like the one below to circumvent redirect_uri restrictions:

Thanks! Prakhar Prasad
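The class of bug the report describes is a redirect_uri check that treats the registered value as a string prefix, so any host that merely begins with the registered host (a different public suffix, an extra label glued on, or the registered host used as a subdomain of an attacker's domain) passes. The following is an added example, not code from the report, from Slack, or from the reporter; the registered origin `https://app.example.com` and every candidate URL are constructed for illustration. It places the weak prefix check beside an exact-match check that parses the URL and compares scheme, host and port.

```python
from urllib.parse import urlsplit

# Constructed registration for a hypothetical OAuth client (not a real Slack app).
REGISTERED_REDIRECT_URI = "https://app.example.com"

# Constructed redirect_uri values a client or an attacker might send.
CANDIDATES = [
    "https://app.example.com/oauth/callback",       # legitimate
    "https://app.example.com.mx/oauth/callback",    # different public suffix (.mx)
    "https://app.example.comevil.test/oauth/cb",    # extra characters glued to the host
    "https://app.example.com.attacker.test/cb",     # registered host as a subdomain label
    "https://app.example.com@attacker.test/cb",     # registered host placed in userinfo
    "http://app.example.com/oauth/callback",        # scheme downgrade
]

DEFAULT_PORTS = {"https": 443, "http": 80}


def naive_redirect_allowed(registered: str, candidate: str) -> bool:
    """The weak check: accept anything that starts with the registered value.

    This is the behaviour the report exploits; it is here only as the "before".
    """
    return candidate.startswith(registered)


def strict_redirect_allowed(registered: str, candidate: str) -> bool:
    """Exact origin match: parse both URLs, then compare scheme, host and port.

    Userinfo (user:pass@) is refused outright so the registered host cannot be
    smuggled in front of an attacker-controlled authority.
    """
    reg = urlsplit(registered)
    try:
        cand = urlsplit(candidate)
        cand_port = cand.port          # raises ValueError on a non-numeric port
        reg_port = reg.port
    except ValueError:
        return False
    if cand.username is not None or cand.password is not None:
        return False
    if not cand.hostname or not reg.hostname:
        return False
    if cand.scheme != reg.scheme:
        return False
    # urlsplit().hostname is already lower-cased; compare the full host label for label.
    if cand.hostname != reg.hostname:
        return False
    # Normalise absent ports to the scheme default so ":443" and no port compare equal.
    if (cand_port or DEFAULT_PORTS.get(cand.scheme)) != (reg_port or DEFAULT_PORTS.get(reg.scheme)):
        return False
    return True


def evaluate(registered: str = REGISTERED_REDIRECT_URI, candidates=CANDIDATES):
    """Return {candidate: (naive_result, strict_result)} for each candidate URL."""
    return {
        c: (naive_redirect_allowed(registered, c), strict_redirect_allowed(registered, c))
        for c in candidates
    }


if __name__ == "__main__":
    for url, (naive, strict) in evaluate().items():
        print(f"{url:48} naive={naive!s:5} strict={strict!s:5}")
```

Running the block shows every suffix variant accepted by the prefix check and rejected by the exact-origin check; the only candidate both agree on is the legitimate callback. In a real authorization server the registered value should be compared as a fully parsed origin (or full URL) against an allow-list, never as a string prefix.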