Amazing content, learnt quite a bit and I don't even grasp the fundamental concepts too much, please keep doing the series Naham!
clearly a master at work. please @NahamSec be doing this frequently.
Thanks for the amazing video! I really hope you continue this series.
That's the plan!
Nice! Thanks for the content, Nahamsec!
WTF!!! It was a CTF, it is a basic OAuth open redirect case 😂... That's why old bug hunters earn money, they are all in private programs with easy bugs like this for $20k... They gave him $6k for testing their patch lol
Watch the whole video before commenting... it wasn't a basic OAuth code steal through a redirect - he was able to add a new OAuth flow that then allowed him to steal the code. I agree about the older hunters having it way easier though, a bug like this wouldn't last two hours on a public program
That is even simpler than the open redirect case... It was to resume it LMAO
It was on a public program and the scope was public for 5 years
@galnagli6221 yeah, lots of people don't check easy stuff because they figure there's no way it's still there, since everyone has already checked it.
But in this case you got the code for the specific application that you've created (client_id=6); when you take the access token and use it in the other app (client_id=1), the OAuth service should not allow you
yeah, I don't get it. There'd have to be another vulnerability that doesn't correctly match codes
Thank you for inviting this incredible man❤
Interesting, looks like a scenario of OAuth implicit grant type. Thanks for the CTF and the video both.
This is awesome!! amazing content
This is definitely something new I'm going to be looking for. I am wondering if you could go over prototype pollution; I found one in a VDP but it's not really able to execute anything, so I'm not sure if it's worth reporting
I have a concern about the training we are getting: we practice in DVWA and some other labs and successfully bypass them, but when we go to real live testing, nothing we learned in online training courses works?
this is entirely true. Most real world websites are battle hardened targets, I suppose more practice and dedication would do.
Yes, we have to; there is no other option. Thanks @jaywandery9269
We love such content... thanks Ben & Nagli
What is 5wp? How do I sign up for that? Where to look? Could anyone help me?
Can someone explain to me why it is critical and not high? It's an auth bypass that requires user interaction, right?
Because it is Nagli and a live hacking event... I reported the same and wasn't paid that amount (far from it)
This is more of an open redirect than an account takeover. You would need to exchange the code for a token (know the secret) in order to get an access token for the resource of a user.
But hey 20k is 20k
No, in this example Nagli created a new client on the OAuth server, when creating the new client he was given a secret to be used for authenticating the token.
@BuildHackSecure but what is the account takeover caused by, which is what is communicated in the video?
Early crew. Shalom.
thanks man ❤❤
thanks Ben & Nagli😍😍
🐐
Interesting, where is his accent from? 🧐
So VDPs don't really pay? I was invited and I submitted bugs, but they always close them saying they don't qualify. First it's not out of scope; I show them the impact by using document.cookie to return sessions, they said no, it's within an email sandbox so it doesn't qualify; I bypass the sandbox and they still close it without any further explanation. Do VDPs really behave like that??
In this example we are creating a new client and then getting the victim's code for that client. The code generated for one client shouldn't work for another. So I feel like account takeover wouldn't work in this case.
It shouldn't but it did, that's the issue, the OAuth site allowed creation of new clients which could work with any users. Yes you'd have to get the user to click a link but then you could exfil the token and create your own session as that user.
I agree. The client_id=7 code is not going to work on client_id=1, since the open redirect he has shown is for client_id 7, where he has an option to set the redirect URL. So I do see there is an issue, but this is not a one-click ATO for client_id 1, since that redirect URL was very secure. The issue here is you can set up a new client without even having the account, as shown in Burp. Also an open redirect in general for the authorization server, since I can set up a URL and if a user clicks it, it can redirect to an attacker-controlled site.
100% speaks Spanish 😏
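The disagreement in this sub-thread comes down to three server-side checks: does /authorize accept only a redirect_uri registered for that client (the open-redirect point), does /token refuse a code that was minted for a different client_id or redirect_uri, and does the resource server check which client a token was issued to before treating it as a session for app 1. The toy authorization server below is an added example written for this thread, not the server from the video or any code by Nagli or NahamSec; client ids 1 and 7 mirror the discussion, while the redirect URIs, secrets and the user are constructed placeholders. Setting `bind_codes=False` reproduces the behaviour the thread argues about, where a code issued to one client is accepted at the token endpoint by another.

```python
"""Toy OAuth authorization server showing code and token binding.

Hypothetical example for this comment thread; not the server from the video.
Client ids 1 and 7 mirror the discussion, everything else is constructed.
"""
import secrets
from dataclasses import dataclass, field


@dataclass
class Client:
    client_id: int
    client_secret: str
    redirect_uris: frozenset  # exact-match allow-list: no prefix or wildcard matching


@dataclass
class AuthServer:
    # bind_codes=False models the weak behaviour discussed above: a code minted
    # for one client is redeemable by any client that can authenticate.
    bind_codes: bool = True
    clients: dict = field(default_factory=dict)
    codes: dict = field(default_factory=dict)   # code -> (client_id, redirect_uri, user)
    tokens: dict = field(default_factory=dict)  # token -> (client_id, user)

    def register_client(self, client_id, redirect_uris):
        secret = secrets.token_urlsafe(24)
        self.clients[client_id] = Client(client_id, secret, frozenset(redirect_uris))
        return secret

    def authorize(self, client_id, redirect_uri, user):
        """/authorize after the user has logged in and consented for client_id."""
        client = self.clients.get(client_id)
        if client is None:
            raise PermissionError("unknown client_id")
        # Echoing an unregistered redirect_uri back is the open-redirect variant.
        if redirect_uri not in client.redirect_uris:
            raise PermissionError("redirect_uri not registered for this client")
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, redirect_uri, user)  # remember who it was issued to
        return f"{redirect_uri}?code={code}"

    def token(self, client_id, client_secret, code, redirect_uri):
        """/token: authenticate the client, then redeem the (single-use) code."""
        client = self.clients.get(client_id)
        if client is None or not secrets.compare_digest(client.client_secret, client_secret):
            raise PermissionError("client authentication failed")
        entry = self.codes.pop(code, None)  # pop so a replayed code fails
        if entry is None:
            raise PermissionError("unknown or already-used code")
        issued_to, issued_redirect, user = entry
        if self.bind_codes and (issued_to != client_id or issued_redirect != redirect_uri):
            raise PermissionError("code was issued to a different client or redirect_uri")
        access_token = secrets.token_urlsafe(24)
        self.tokens[access_token] = (client_id, user)  # token carries its audience
        return access_token

    def resource(self, access_token, expected_client_id):
        """Resource-server check: the token's audience must be the app presenting it."""
        entry = self.tokens.get(access_token)
        if entry is None or entry[0] != expected_client_id:
            raise PermissionError("token not valid for this client")
        return entry[1]


def code_bound_to_client(bind_codes):
    """True if a code minted for client 7 can be redeemed as client 1."""
    srv = AuthServer(bind_codes=bind_codes)
    secret1 = srv.register_client(1, ["https://app.example/cb"])       # constructed
    srv.register_client(7, ["https://other.example/cb"])               # constructed
    redirect = srv.authorize(7, "https://other.example/cb", "victim@example")
    code = redirect.split("code=")[1]
    try:
        srv.token(1, secret1, code, "https://app.example/cb")
        return True
    except PermissionError:
        return False


def redirect_uri_is_validated():
    """An unregistered redirect_uri must be refused at /authorize."""
    srv = AuthServer()
    srv.register_client(1, ["https://app.example/cb"])
    try:
        srv.authorize(1, "https://other.example/cb", "victim@example")
        return False
    except PermissionError:
        return True


def token_audience_is_checked():
    """A token issued to client 7 must not act as a session for client 1."""
    srv = AuthServer()
    secret7 = srv.register_client(7, ["https://other.example/cb"])
    redirect = srv.authorize(7, "https://other.example/cb", "victim@example")
    code = redirect.split("code=")[1]
    tok = srv.token(7, secret7, code, "https://other.example/cb")
    try:
        srv.resource(tok, 1)
        return False
    except PermissionError:
        return srv.resource(tok, 7) == "victim@example"
```

The exact-match redirect check closes the plain open-redirect reading of the bug, and the code binding makes the "client 7's code won't work on client 1" argument true by construction rather than by accident. What neither check covers is the root cause the last comment names: if anyone can register a client with an arbitrary redirect URI, the victim's code still lands on that URI, so the audience check in `resource` is what stops the resulting token from being usable as app 1's session.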
Keep it up
Can someone translate into English 😖 I can barely understand every other word this guy is saying... Maybe it's time to learn French or something
He's speaking English
@@ٴٴٴٴۥۥٴٴٴٴۥۥٴٴٴٴۥۥٴٴٴٴۥۥٴٴٴٴٴٴ You don't say...
lol, he spoke English in his own accent, use subs..
It's an Israeli accent xd
Is it real 20,000 Bounty OAuth
First
Probably he hacked this site using his Apple Vision Pro 😅
Good evening sir
👍🏻