Listen to this Post
An Open Redirect vulnerability exists due to insufficient validation of the `return` parameter within the OAuth authentication flow’s login initialization endpoint (/oauth/authorize). An attacker can craft a malicious authentication request link containing a fully-qualified external URL for the `return` parameter. When a victim clicks this link and completes the OAuth consent screen, the application’s backend fails to validate that the `return_to` value is a relative path or a whitelisted domain. Consequently, the server blindly issues a 302 redirect to the attacker-controlled URL specified in the parameter, sending the user and their newly obtained authorization code or session token to a malicious site.
Platform: Authentication Platform
Version: < v2.1.2
Vulnerability: Open Redirect
Severity: Medium
Date: 2023-10-15
Prediction: 2023-10-22
What Undercode Say:
Check current version
curl -s https://api.example.com/version | jq .version
Test for vulnerability (replace DOMAIN)
curl -I “https://TARGET/oauth/authorize?client_id=CLIENT&return=https://evil.com”
Example fix validation (pseudo-code)
if not return_url.startswith(‘/’) or return_url.domain not in ALLOWED_DOMAINS:
raise InvalidRedirectError()
How Exploit:
https://target.com/oauth/authorize?client_id=legit_app&return=https://phishing.com/steal
Protection from this CVE:
Update to v2.1.2
Validate redirect URLs
Use allowlist for domains
Impact:
Phishing attacks
Credential leakage
Reputational damage
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

