• Change OAuth Target URL & Domain Description [ UI redress attack ]

    To Change OAuth Target URL & Domain Description Can be achieved using Clickjacking Vulnerability .

    Status: Fixed

    OAuth is cool and simple to understand developer can integrate with Google 's OAuth endpoints seamlessly and effortlessly . Google Provider a Panel to manage the Return URL & Domain Description by using following URL.

    Vulnerable URL :
    Code:
    https://accounts.google.com/ManageDomain?authsub_msd=anydomain.com
    On the page there two input box called as Target URL path prefix: & Domain description: where use submit Domain & description information.

    As Shown in the following Image :



    Change OAuth Domain & Description
    POC : < i f r a m e s r c = "https://accounts.google.com/ManageDomain?authsub_msd=anydomain.com" width="600" height="600"> // Not actual POC

    Header Information :

    As you can see missing Header information in the below Header Information

    Host: accounts.google.com
    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-us,en;q=0.5
    Accept-Encoding: gzip,deflate
    Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
    Keep-Alive: 115
    Connection: keep-alive

    Special thanks to Google Security Team & G4H(garage4hackers.com) Team ..

    - [S]
    This article was originally published in forum thread: Change OAuth Target URL & Domain Description [ UI redress attack ] started by [s] View original post
    Comments 1 Comment
    1. lochuyen332798's Avatar
      lochuyen332798 -
      Up phụ bạn hiền. rảnh phụ měnh chữ ký nha. thanks
  • G4H Facebook

  • G4H Twitter