I would like to report an issue where certain endpoints on twitter.com and api.twitter.com are vulnerable to XSS.
The redirection page shown after authorization/authentication does not sanitize the oauth_callback parameter.
- Go to http://innerht.ml/pocs/twitter-oauth-xss (Please use IE or another browser that hasn't implemented CSP)
- Click on Authorize app
- Alert pops up
Note: it also affects api.twitter.com, as both hosts serve the same endpoints
- Obtain the request token (https://api.twitter.com/oauth/request_token) where the oauth_callback parameter contains HTML like
- Redirect the victim to the authorize/authenticate page with the token
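The fix on the provider side is to treat oauth_callback as untrusted input twice: validate it when the request token is issued, and HTML-escape it when the redirect page reflects it. The following is an added illustration written for this report, not Twitter's code; the function names, the allowed-scheme list and the sample callback values are assumptions.

```python
from urllib.parse import urlsplit
import html

# Only absolute http(s) URLs, or the OAuth 1.0a out-of-band value, are accepted (assumed policy)
ALLOWED_SCHEMES = {"http", "https"}


def validate_oauth_callback(value):
    """Return the callback unchanged if it is a well-formed absolute URL, else None.

    Rejecting HTML metacharacters and control characters here means a bad
    value is never stored against the request token in the first place.
    """
    if value is None:
        return None
    if value == "oob":
        return value
    if any(c in '<>"\' ' or ord(c) < 0x20 for c in value):
        return None
    parts = urlsplit(value)
    # scheme-relative ("//host/x") and non-http schemes are refused
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        return None
    return value


def render_redirect_page(callback):
    """Build the post-authorization redirect page as (body, status).

    Even after validation the value is escaped, so the page stays safe if the
    validation rules are later relaxed. Returns HTTP 400 for a bad callback.
    """
    safe = validate_oauth_callback(callback)
    if safe is None:
        return "<p>Invalid callback URL.</p>", 400
    body = '<p>Redirecting to <a href="%s">%s</a></p>' % (
        html.escape(safe, quote=True),  # attribute context: escape quotes too
        html.escape(safe),              # text context
    )
    return body, 200


if __name__ == "__main__":
    # constructed sample inputs
    for cb in ["https://example.com/cb?state=1", "oob",
               'https://example.com/"><b>x</b>', "javascript:alert(1)"]:
        print(repr(cb), "->", render_redirect_page(cb))
```

The report notes that browsers enforcing CSP block the pop-up; that is defence in depth at the client, whereas the validation and escaping above is the actual fix at the server and protects users of browsers without CSP support as well.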