Twitter: XSS on OAuth authorize/authenticate endpoint
2015-09-02T15:24:28
ID H1:87040 Type hackerone Reporter filedescriptor Modified 2015-11-20T18:49:04
Description
Hi,
I would like to report an issue where certain endpoints on twitter.com and api.twitter.com are vulnerable to XSS.
Detail
The redirection page after authorization/authentication does not sanitize the oauth_callback parameter.
PoC
1. Go to http://innerht.ml/pocs/twitter-oauth-xss (Please use IE or something that hasn't implemented CSP)
2. Click on Authorize app
3. Alert pops up
Note: it also affects api.twitter.com as they both have the same endpoints
Repro steps
1. Obtain the request token (https://api.twitter.com/oauth/request_token) where parameter oauth_callback contains HTML like javascript%3A%2F%2F"><script>alert(document.domain)</script>
2. Redirect the victim to the authorize/authenticate page with the token
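Added example, not code from the report or from Twitter: the two server-side controls that close this class of bug, namely restricting oauth_callback to an absolute http(s) URL and attribute-encoding it when the redirect page is rendered. It assumes a redirect page that places the callback in an href attribute; the rendering functions and the decoded sample payload are constructed here.

```python
import html
from typing import Optional
from urllib.parse import urlsplit

# Constructed sample: the report's oauth_callback value after URL-decoding.
REPORT_PAYLOAD = 'javascript://"><script>alert(document.domain)</script>'

ALLOWED_SCHEMES = {"http", "https"}


def render_redirect_vulnerable(oauth_callback: str) -> str:
    """The pattern the report describes (assumed page shape): the raw
    parameter is concatenated into HTML, so a quote closes the attribute
    and the rest of the value becomes markup."""
    return f'<a href="{oauth_callback}">Continue to application</a>'


def validate_callback(oauth_callback: str) -> Optional[str]:
    """Return the callback unchanged if it is an absolute http(s) URL,
    otherwise None. This stops javascript:/data: schemes and
    scheme-relative URLs; it does not make the value safe to embed."""
    # Control characters (tab, newline, ...) let browsers reassemble a
    # forbidden scheme, so reject them before parsing.
    if any(ord(ch) < 0x20 or ch == "\x7f" for ch in oauth_callback):
        return None
    try:
        parts = urlsplit(oauth_callback)
    except ValueError:
        return None
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        return None
    return oauth_callback


def render_redirect_safe(oauth_callback: str) -> str:
    """Validate first, then HTML-attribute-encode. Encoding is what
    prevents injection; even a valid https URL may carry quotes and
    angle brackets in its path or query."""
    validated = validate_callback(oauth_callback)
    if validated is None:
        raise ValueError("oauth_callback must be an absolute http(s) URL")
    return f'<a href="{html.escape(validated, quote=True)}">Continue to application</a>'


if __name__ == "__main__":
    print(render_redirect_vulnerable(REPORT_PAYLOAD))
    print(render_redirect_safe("https://client.example/cb?state=1"))
```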