Twitter: XSS on OAuth authorize/authenticate endpoint

ID H1:87040
Type hackerone
Reporter filedescriptor
Modified 2015-11-20T18:49:04


Hi, I would like to report an issue where certain endpoints on and are vulnerable to XSS.


The redirection page after authorization/authentication does not sanitize the oauth_callback parameter.


  1. Go to (Please use IE or something that hasn't implemented CSP)
  2. Click on Authorize app
  3. Alert pops up

Note: it also affects as they both have the same endpoints

Repro steps

  1. Obtain the request token ( where the parameter oauth_callback contains HTML like javascript%3A%2F%2F"><script>alert(document.domain)</script>)
  2. Redirect the victim to the authorize/authenticate page with the token
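The fix on the server side is to treat oauth_callback as untrusted input: validate it as a plain http(s) URL (and, where the app registered one, against the registered host) before the redirect page is built, and HTML-escape it when it is written into the page. The following is an added illustration written for this write-up, not Twitter's code; `registered_host`, `build_redirect_page` and the constructed sample callbacks are assumptions, and the decoded payload constant is the one quoted in the report.

```python
import html
from typing import Optional
from urllib.parse import urlencode, urlparse

ALLOWED_SCHEMES = {"http", "https"}

# The report's oauth_callback value, URL-decoded (javascript%3A%2F%2F -> javascript://).
REPORTED_PAYLOAD = 'javascript://"><script>alert(document.domain)</script>'


class InvalidCallback(ValueError):
    """Raised when oauth_callback must not be used as a redirect target."""


def validate_oauth_callback(callback: str, registered_host: Optional[str] = None) -> str:
    """Return callback unchanged if it is a plain http(s) URL, otherwise raise."""
    parts = urlparse(callback)
    # 1. Scheme allow-list: javascript:, data:, vbscript: etc. never reach the page.
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise InvalidCallback(f"scheme not allowed: {parts.scheme!r}")
    if not parts.hostname:
        raise InvalidCallback("callback has no host")
    # 2. Reject markup and control characters outright instead of relying on
    #    output escaping alone (an escaped javascript: URL is still executable).
    if any(c in callback for c in '<>"\'') or any(ord(c) < 0x20 for c in callback):
        raise InvalidCallback("callback contains markup or control characters")
    # 3. Optional binding to the host the application registered (assumed policy).
    if registered_host is not None and parts.hostname.lower() != registered_host.lower():
        raise InvalidCallback("callback host does not match the registered application")
    return callback


def is_safe_callback(callback: str, registered_host: Optional[str] = None) -> bool:
    try:
        validate_oauth_callback(callback, registered_host)
        return True
    except InvalidCallback:
        return False


def build_redirect_page(callback: str, oauth_token: str, oauth_verifier: str,
                        registered_host: Optional[str] = None) -> str:
    """Build the post-authorize redirect page with the callback validated and escaped."""
    target = validate_oauth_callback(callback, registered_host)
    sep = "&" if "?" in target else "?"
    target += sep + urlencode({"oauth_token": oauth_token, "oauth_verifier": oauth_verifier})
    safe = html.escape(target, quote=True)  # escaping is the second layer, not the only one
    return ('<html><head><meta http-equiv="refresh" content="0;url=' + safe + '"></head>'
            '<body>Redirecting to <a href="' + safe + '">' + safe + '</a></body></html>')
```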