Self Open Redirection as a Gadget

Introduction #

During a recent bug bounty program, I discovered a gadget that can be exploited in authentication flows involving redirects with sensitive tokens, such as OAuth 2.0. I haven’t personally seen this specific gadget mentioned in any articles, so while it may already be a known technique, I decided to write this blog post.

Redirection chaining for Authorization Token Theft #

In OAuth 2.0, failing to properly validate the redirect URI can lead to a serious security issue in which the authorization code is compromised.

It’s uncommon for the main apps in bug bounty programs to have zero validation, but there are cases where arbitrary values can be specified for paths or subdomains.

In such cases, it is possible to chain another server-side open redirect on a permitted path or subdomain, which can lead to token theft.

(Just to note, there is a precondition: the token must be placed in the URL fragment during the redirect chain, since browsers preserve the fragment across redirects.)

Referer based Open Redirection #

I was faced with the following conditions:

  • If already authenticated, accessing https://accounts.example.com/auth?redirect_url=https://accounts.example.com/token results in a 302 redirection to https://accounts.example.com/token?token=aaaaaaa. This token can be exchanged for a session tied to it.
  • Arbitrary paths can be specified under accounts.example.com in the redirect_url.
  • A %23 specified in the redirect_url is decoded, allowing a fragment to be added to the Location header.

So, I wanted a server-side open redirect on accounts.example.com. After some investigation, I found that when an authentication error occurs due to the absence of the code parameter at https://accounts.example.com/google/link (the endpoint for linking a Google account), it responds with a 302 redirect to the value specified in the Referer header.
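To make the three conditions above concrete from the defender's side, here is an added example (constructed for this post, not the target's code): a redirect_url check in the weak form those conditions imply, beside a hardened one, plus the failure path of an endpoint like /google/link with the Referer ignored. The host, landing paths and error page are assumptions.

```python
from urllib.parse import urlsplit, unquote

# Constructed values: the host and landing paths are assumptions, not from the page.
ALLOWED_HOST = "accounts.example.com"
ALLOWED_PATHS = {"/token", "/dashboard"}
ERROR_PAGE = "https://accounts.example.com/error"

def weak_validate(redirect_url: str) -> bool:
    """The weak check implied by the conditions above: decode first, then only
    compare the host. Any path under the host passes, and %23 becomes '#'."""
    parts = urlsplit(unquote(redirect_url))
    return parts.scheme == "https" and parts.netloc == ALLOWED_HOST

def weak_location(redirect_url: str, token: str) -> str:
    """Builds the Location header from the decoded value, so an encoded fragment
    delimiter survives into the header and the token lands after it."""
    return f"{unquote(redirect_url)}?token={token}"

def strict_validate(redirect_url: str) -> bool:
    """Hardened check: never decode, require https and the exact host, allow only
    listed paths, and refuse any fragment (literal or percent-encoded) or query."""
    if "#" in redirect_url or "%23" in redirect_url.lower():
        return False
    parts = urlsplit(redirect_url)
    return (parts.scheme == "https" and parts.netloc == ALLOWED_HOST
            and parts.path in ALLOWED_PATHS and parts.query == "")

def strict_location(redirect_url: str, token: str) -> str:
    """Only validated values reach the header; the token is appended as a query
    parameter to a URL that is known to carry no fragment."""
    if not strict_validate(redirect_url):
        raise ValueError("redirect_url not in allowlist")
    return f"{redirect_url}?token={token}"

def error_redirect_target(referer: str = "") -> str:
    """Failure path of an endpoint like /google/link: the Referer header is ignored
    and the user goes to a fixed error page, so no Referer-based redirect exists."""
    return ERROR_PAGE

def token_placement(location: str) -> str:
    """Reports where a token ended up in a Location value: 'query', 'fragment' or 'none'."""
    parts = urlsplit(location)
    if "token=" in parts.query:
        return "query"
    if "token=" in parts.fragment:
        return "fragment"
    return "none"
```

token_placement() shows the difference that matters for the chain: with the weak builder the token sits in the fragment, with the strict one it stays in the query.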

Generally, Referer-based open redirects are considered either “self” open redirects or meaningless open redirects, since they require the victim to pass through the attacker’s site at least once.

However, I realized that when integrated into such an exploit chain, a Referer-based open redirect can be valuable.

Below is a diagram.