Twitter: XSS on OAuth authorize/authenticate endpoint
2015-09-02T15:24:28
ID H1:87040 Type hackerone Reporter filedescriptor Modified 2015-11-20T18:49:04
Description
Hi,
I would like to report an issue where certain endpoints on twitter.com and api.twitter.com is vulnerable to XSS.
Detail
The redirection page after authorization/authentication does not sanitize the oauth_callback parameter.
PoC
Go to http://innerht.ml/pocs/twitter-oauth-xss (Please use IE or something that hasn't implemented CSP)
Click on Authorize app
Alert pops up
Note: it also affects api.twitter.com as they both have the same endpoints
Repo step
Obtain the request token (https://api.twitter.com/oauth/request_token) where parameter oauth_callback contains HTML like javascript%3A%2F%2F"><script>alert(document.domain)</script>
Redirect the victim to the authorize/authenticate page with the token
{"id": "H1:87040", "hash": "5083dd82ee31121d2c2090c0afaaf8ac", "type": "hackerone", "bulletinFamily": "bugbounty", "title": "Twitter: XSS on OAuth authorize/authenticate endpoint", "description": "Hi,\r\nI would like to report an issue where certain endpoints on twitter.com and api.twitter.com is vulnerable to XSS.\r\n\r\n##Detail\r\nThe redirection page after authorization/authentication does not sanitize the *oauth_callback* parameter.\r\n\r\n##PoC\r\n1. Go to http://innerht.ml/pocs/twitter-oauth-xss (Please use IE or something that hasn't implemented CSP)\r\n2. Click on Authorize app\r\n3. Alert pops up\r\n\r\nNote: it also affects api.twitter.com as they both have the same endpoints\r\n\r\n##Repo step\r\n1. Obtain the request token (https://api.twitter.com/oauth/request_token) where parameter *oauth_callback* contains HTML like ```javascript%3A%2F%2F\"><script>alert(document.domain)</script>```\r\n2. Redirect the victim to the authorize/authenticate page with the token", "published": "2015-09-02T15:24:28", "modified": "2015-11-20T18:49:04", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://hackerone.com/reports/87040", "reporter": "filedescriptor", "references": [], "cvelist": [], "lastseen": "2018-04-19T17:34:13", "history": [{"bulletin": {"id": "H1:87040", "hash": "94dc95bca7cdd1439abd311c495e09f5caffe9cbcb75a490235d26436b841ebc", "type": "hackerone", "bulletinFamily": "bugbounty", "title": "Twitter: XSS on OAuth authorize/authenticate endpoint", "description": "Hi,\r\nI would like to report an issue where certain endpoints on twitter.com and api.twitter.com is vulnerable to XSS.\r\n\r\n##Detail\r\nThe redirection page after authorization/authentication does not sanitize the *oauth_callback* parameter.\r\n\r\n##PoC\r\n1. Go to http://innerht.ml/pocs/twitter-oauth-xss (Please use IE or something that hasn't implemented CSP)\r\n2. Click on Authorize app\r\n3. Alert pops up\r\n\r\nNote: it also affects api.twitter.com as they both have the same endpoints\r\n\r\n##Repo step\r\n1. Obtain the request token (https://api.twitter.com/oauth/request_token) where parameter *oauth_callback* contains HTML like ```javascript%3A%2F%2F\"><script>alert(document.domain)</script>```\r\n2. Redirect the victim to the authorize/authenticate page with the token", "published": "2015-09-02T15:24:28", "modified": "2015-11-20T18:49:04", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://hackerone.com/reports/87040", "reporter": "filedescriptor", "references": [], "cvelist": [], "lastseen": "2017-08-29T13:11:23", "history": [], "viewCount": 7, "enchantments": {"score": {"value": 6.4, "modified": "2017-08-29T13:11:23"}}, "objectVersion": "1.4", "bounty": 2520.0, "bountyState": "resolved", "h1team": {"profile_picture_urls": {"small": "https://profile-photos.hackerone-user-content.com/production/000/000/061/4acfe72859c5e9cb48a152edb4e498e13fa28df2_small.?1439954730", "medium": "https://profile-photos.hackerone-user-content.com/production/000/000/061/e78ef26a3191adcabe7311daa107bd9e152d3b5c_medium.?1439954730"}, "url": "https://hackerone.com/twitter", "handle": "twitter"}, "h1reporter": {"hacker_mediation": false, "username": "filedescriptor", "profile_picture_urls": {"small": "/assets/avatars/default-71a302d706457f3d3a31eb30fa3e73e6cf0b1d677b8fa218eaeaffd67ae97918.png"}, "disabled": false, "url": "/filedescriptor", "is_me?": false}}, "lastseen": "2017-08-29T13:11:23", "edition": 3, "differentElements": ["h1reporter"]}, {"bulletin": {"id": "H1:87040", "hash": "86d49d89a6b630d90255140b0a78ccde90bbdde3c9339748cbff61716750dc98", "type": "hackerone", "bulletinFamily": "bugbounty", "title": "Twitter: XSS on OAuth authorize/authenticate endpoint", "description": "Hi,\r\nI would like to report an issue where certain endpoints on twitter.com and api.twitter.com is vulnerable to XSS.\r\n\r\n##Detail\r\nThe redirection page after authorization/authentication does not sanitize the *oauth_callback* parameter.\r\n\r\n##PoC\r\n1. Go to http://innerht.ml/pocs/twitter-oauth-xss (Please use IE or something that hasn't implemented CSP)\r\n2. Click on Authorize app\r\n3. Alert pops up\r\n\r\nNote: it also affects api.twitter.com as they both have the same endpoints\r\n\r\n##Repo step\r\n1. Obtain the request token (https://api.twitter.com/oauth/request_token) where parameter *oauth_callback* contains HTML like ```javascript%3A%2F%2F\"><script>alert(document.domain)</script>```\r\n2. Redirect the victim to the authorize/authenticate page with the token", "published": "2015-09-02T15:24:28", "modified": "1970-01-01T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://hackerone.com/reports/87040", "reporter": "filedescriptor", "references": [], "cvelist": [], "lastseen": "2017-08-22T11:09:37", "history": [], "viewCount": 5, "enchantments": {}, "objectVersion": "1.4", "bounty": 2520.0, "bountyState": "resolved", "h1team": {"profile_picture_urls": {"small": "https://profile-photos.hackerone-user-content.com/production/000/000/061/4acfe72859c5e9cb48a152edb4e498e13fa28df2_small.?1439954730", "medium": "https://profile-photos.hackerone-user-content.com/production/000/000/061/e78ef26a3191adcabe7311daa107bd9e152d3b5c_medium.?1439954730"}, "url": "https://hackerone.com/twitter", "handle": "twitter"}, "h1reporter": {"hacker_mediation": false, "username": "filedescriptor", "profile_picture_urls": {"small": "/assets/avatars/default-71a302d706457f3d3a31eb30fa3e73e6cf0b1d677b8fa218eaeaffd67ae97918.png"}, "url": "/filedescriptor", "disabled": false}}, "lastseen": "2017-08-22T11:09:37", "edition": 1, "differentElements": ["h1reporter"]}, {"bulletin": {"id": "H1:87040", "hash": "c4c7555312002b5383ebbcb532942a757ccb58f8b1b3823b4a2234ea64267a4a", "type": "hackerone", "bulletinFamily": "bugbounty", "title": "Twitter: XSS on OAuth authorize/authenticate endpoint", "description": "Hi,\r\nI would like to report an issue where certain endpoints on twitter.com and api.twitter.com is vulnerable to XSS.\r\n\r\n##Detail\r\nThe redirection page after authorization/authentication does not sanitize the *oauth_callback* parameter.\r\n\r\n##PoC\r\n1. Go to http://innerht.ml/pocs/twitter-oauth-xss (Please use IE or something that hasn't implemented CSP)\r\n2. Click on Authorize app\r\n3. Alert pops up\r\n\r\nNote: it also affects api.twitter.com as they both have the same endpoints\r\n\r\n##Repo step\r\n1. Obtain the request token (https://api.twitter.com/oauth/request_token) where parameter *oauth_callback* contains HTML like ```javascript%3A%2F%2F\"><script>alert(document.domain)</script>```\r\n2. Redirect the victim to the authorize/authenticate page with the token", "published": "2015-09-02T15:24:28", "modified": "2015-11-20T18:49:04", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://hackerone.com/reports/87040", "reporter": "filedescriptor", "references": [], "cvelist": [], "lastseen": "2018-02-07T16:57:56", "history": [], "viewCount": 7, "enchantments": {"score": {"value": 3.5, "vector": "AV:N/AC:M/Au:S/C:N/I:P/A:N/", "modified": "2018-02-07T16:57:56"}}, "objectVersion": "1.4", "bounty": 2520.0, "bountyState": "resolved", "h1team": {"profile_picture_urls": {"small": "https://profile-photos.hackerone-user-content.com/production/000/000/061/4acfe72859c5e9cb48a152edb4e498e13fa28df2_small.?1439954730", "medium": "https://profile-photos.hackerone-user-content.com/production/000/000/061/e78ef26a3191adcabe7311daa107bd9e152d3b5c_medium.?1439954730"}, "url": "https://hackerone.com/twitter", "handle": "twitter"}, "h1reporter": {"hacker_mediation": false, "username": "filedescriptor", "hackerone_triager": false, "profile_picture_urls": {"small": "/assets/avatars/default-71a302d706457f3d3a31eb30fa3e73e6cf0b1d677b8fa218eaeaffd67ae97918.png"}, "disabled": false, "url": "/filedescriptor", "is_me?": false}}, "lastseen": "2018-02-07T16:57:56", "edition": 4, "differentElements": ["h1team"]}, {"bulletin": {"id": "H1:87040", "hash": "9170e775470fd494c7d76eebed5a7d0107e7cb885f47ffe90d5ebb768863a6bd", "type": "hackerone", "bulletinFamily": "bugbounty", "title": "Twitter: XSS on OAuth authorize/authenticate endpoint", "description": "Hi,\r\nI would like to report an issue where certain endpoints on twitter.com and api.twitter.com is vulnerable to XSS.\r\n\r\n##Detail\r\nThe redirection page after authorization/authentication does not sanitize the *oauth_callback* parameter.\r\n\r\n##PoC\r\n1. Go to http://innerht.ml/pocs/twitter-oauth-xss (Please use IE or something that hasn't implemented CSP)\r\n2. Click on Authorize app\r\n3. Alert pops up\r\n\r\nNote: it also affects api.twitter.com as they both have the same endpoints\r\n\r\n##Repo step\r\n1. Obtain the request token (https://api.twitter.com/oauth/request_token) where parameter *oauth_callback* contains HTML like ```javascript%3A%2F%2F\"><script>alert(document.domain)</script>```\r\n2. Redirect the victim to the authorize/authenticate page with the token", "published": "2015-09-02T15:24:28", "modified": "1970-01-01T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://hackerone.com/reports/87040", "reporter": "filedescriptor", "references": [], "cvelist": [], "lastseen": "2017-08-28T23:19:23", "history": [], "viewCount": 5, "enchantments": {}, "objectVersion": "1.4", "bounty": 2520.0, "bountyState": "resolved", "h1team": {"profile_picture_urls": {"small": "https://profile-photos.hackerone-user-content.com/production/000/000/061/4acfe72859c5e9cb48a152edb4e498e13fa28df2_small.?1439954730", "medium": "https://profile-photos.hackerone-user-content.com/production/000/000/061/e78ef26a3191adcabe7311daa107bd9e152d3b5c_medium.?1439954730"}, "url": "https://hackerone.com/twitter", "handle": "twitter"}, "h1reporter": {"hacker_mediation": false, "username": "filedescriptor", "profile_picture_urls": {"small": "/assets/avatars/default-71a302d706457f3d3a31eb30fa3e73e6cf0b1d677b8fa218eaeaffd67ae97918.png"}, "disabled": false, "url": "/filedescriptor", "is_me?": false}}, "lastseen": "2017-08-28T23:19:23", "edition": 2, "differentElements": ["modified"]}], "viewCount": 23, "enchantments": {"score": {"value": 0.1, "vector": "NONE", "modified": "2018-04-19T17:34:13"}, "dependencies": {"references": [], "modified": "2018-04-19T17:34:13"}, "vulnersScore": 0.1}, "objectVersion": "1.4", "bounty": 2520.0, "bountyState": "resolved", "h1team": {"profile_picture_urls": {"small": "https://profile-photos.hackerone-user-content.com/000/000/061/4acfe72859c5e9cb48a152edb4e498e13fa28df2_small.?1439954730", "medium": "https://profile-photos.hackerone-user-content.com/000/000/061/e78ef26a3191adcabe7311daa107bd9e152d3b5c_medium.?1439954730"}, "url": "https://hackerone.com/twitter", "handle": "twitter"}, "h1reporter": {"hacker_mediation": false, "username": "filedescriptor", "hackerone_triager": false, "profile_picture_urls": {"small": "/assets/avatars/default-71a302d706457f3d3a31eb30fa3e73e6cf0b1d677b8fa218eaeaffd67ae97918.png"}, "disabled": false, "url": "/filedescriptor", "is_me?": false}, "_object_type": "robots.models.hackerone.HackerOneBulletin", "_object_types": ["robots.models.hackerone.HackerOneBulletin", "robots.models.base.Bulletin"]}
