Twitter: XSS on OAuth authorize/authenticate endpoint
2015-09-02T15:24:28
ID H1:87040 Type hackerone Reporter filedescriptor Modified 2015-11-20T18:49:04
Description
Hi,
I would like to report an issue where certain endpoints on twitter.com and api.twitter.com is vulnerable to XSS.
Detail
The redirection page after authorization/authentication does not sanitize the oauth_callback parameter.
PoC
Go to http://innerht.ml/pocs/twitter-oauth-xss (Please use IE or something that hasn't implemented CSP)
Click on Authorize app
Alert pops up
Note: it also affects api.twitter.com as they both have the same endpoints
Repo step
Obtain the request token (https://api.twitter.com/oauth/request_token) where parameter oauth_callback contains HTML like javascript%3A%2F%2F"><script>alert(document.domain)</script>
Redirect the victim to the authorize/authenticate page with the token
{"id": "H1:87040", "type": "hackerone", "bulletinFamily": "bugbounty", "title": "Twitter: XSS on OAuth authorize/authenticate endpoint", "description": "Hi,\r\nI would like to report an issue where certain endpoints on twitter.com and api.twitter.com is vulnerable to XSS.\r\n\r\n##Detail\r\nThe redirection page after authorization/authentication does not sanitize the *oauth_callback* parameter.\r\n\r\n##PoC\r\n1. Go to http://innerht.ml/pocs/twitter-oauth-xss (Please use IE or something that hasn't implemented CSP)\r\n2. Click on Authorize app\r\n3. Alert pops up\r\n\r\nNote: it also affects api.twitter.com as they both have the same endpoints\r\n\r\n##Repo step\r\n1. Obtain the request token (https://api.twitter.com/oauth/request_token) where parameter *oauth_callback* contains HTML like ```javascript%3A%2F%2F\"><script>alert(document.domain)</script>```\r\n2. Redirect the victim to the authorize/authenticate page with the token", "published": "2015-09-02T15:24:28", "modified": "2015-11-20T18:49:04", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://hackerone.com/reports/87040", "reporter": "filedescriptor", "references": [], "cvelist": [], "lastseen": "2018-04-19T17:34:13", "viewCount": 28, "enchantments": {"score": {"value": 0.1, "vector": "NONE", "modified": "2018-04-19T17:34:13", "rev": 2}, "dependencies": {"references": [], "modified": "2018-04-19T17:34:13", "rev": 2}, "vulnersScore": 0.1}, "bounty": 2520.0, "bountyState": "resolved", "h1team": {"profile_picture_urls": {"small": "https://profile-photos.hackerone-user-content.com/000/000/061/4acfe72859c5e9cb48a152edb4e498e13fa28df2_small.?1439954730", "medium": "https://profile-photos.hackerone-user-content.com/000/000/061/e78ef26a3191adcabe7311daa107bd9e152d3b5c_medium.?1439954730"}, "url": "https://hackerone.com/twitter", "handle": "twitter"}, "h1reporter": {"hacker_mediation": false, "username": "filedescriptor", "hackerone_triager": false, "profile_picture_urls": {"small": "/assets/avatars/default-71a302d706457f3d3a31eb30fa3e73e6cf0b1d677b8fa218eaeaffd67ae97918.png"}, "disabled": false, "url": "/filedescriptor", "is_me?": false}, "immutableFields": [], "cvss2": {}, "cvss3": {}}
