(Web-)Insecurity Blog

Turning List-Unsubscribe into an SSRF/XSS Gadget

Tue, 23 Dec 2025 08:00:00 +0200

The List-Unsubscribe SMTP header is standardized but often overlooked during security assessments. It allows email clients to provide an easy way for end-users to unsubscribe from mailing lists.

This post discusses how this header can be abused to perform Cross-Site Scripting (XSS) and Server-Side Request Forgery (SSRF) attacks in certain scenarios. Real-world examples involving Horde Webmail (CVE-2025-68673) and Nextcloud Mail App are provided to illustrate the risks.

Trainings und Workshops

Wed, 10 Dec 2025 00:00:00 +0200

Gerne unterstütze ich Sie als Freelancer bei der Erarbeitung und Durchführung maßgeschneiderter Workshops und Trainings:

Dead Domain Discovery: Discover Expired or Unregistered Domains

Sat, 01 Nov 2025 10:00:00 +0200

Dead Domains are an often overlooked, yet impactful bug class that can lead to significant security vulnerabilities, including Cross-Site Scripting, Information Disclosure, and even Remote Code Execution. Attackers can exploit these vulnerabilities by registering expired or unregistered domains that were previously owned by legitimate entities.

But: How can security researchers and penetration testers efficiently identify these dead domains?

Android App Links autoVerify=false Allowed Hijacking Authentication Flows

Wed, 18 Dec 2024 18:00:00 +0200

Research is a constant process of failure and iteration. However, in most cases, you only see the one-in-a-thousand (successful) attempt. To normalize f*ck ups, and because I believe the behavior we identified in the course of this research is still relevant and interesting, this post is published for educational purposes.

Implementing secure Single-Sign-On (SSO) flows on mobile platforms is a continuos challenge. This post discusses an Android feature which potentially enabled a malicious Android app to hijack arbitrary SSO flows. As the feature existed on platform level (prior Android 12), it affected not only misconfigured apps, but also (web-)applications that follow OAuth best current practice¹.

The vulnerability was reported to Google via the Android and Google Devices Security Reward Program on November, 29th 2024. Shortly after submission, Google highlighted a crucial thing that was missed before: Due to major rework of the App Link behavior, the reported issues do only work on Android versions prior to Android 12.

Sign-in with World ID: XSS and ATO via OIDC Form Post Response Mode

Wed, 19 Jun 2024 00:00:00 +0200

Recently, Tools for Humanity partnered with the German HackerOne Club to run a one-week virtual and in-person Hacking Meetup. In the course of the meetup, a critical vulnerability within the Sign-in with World ID implementation was found, which affected the OpenID Connect form_post Response Mode and could allow malicious actors to take over end-user accounts at third-party applications that utilize the Sign-in with World ID mechanism. The vulnerability was addressed within a few hours after triage.

POST to XSS: Leveraging Pseudo Protocols to Gain JavaScript Evaluation in SSO Flows

Fri, 10 May 2024 12:00:00 +0200

In 2020, a blog post was published here about the real-world security implications of a vague specification of the Redirect URI within the OAuth 2.0 RFC¹. At that time, I focussed on redirect-based flows. This post uncovers additional protocol-level issues that lead to security vulnerabilities in popular and well-audited SSO implementations such as Authentik (CVE-2024-21637), Keycloak (CVE-2023-6134), and FusionAuth. Notably, the vulnerabilities were identified in the context of the OAuth 2.0 Form Post Response Mode² and the SAML POST-Binding³ and therefore are not limited to OAuth 2.0 and OpenID Connect, but also affect SAML-based SSO-Flows.

In this post, we will dive into specification inaccuracies regarding the use of dangerous pseudo-schemes (JavaScript-URIs) in combination with POST-based SSO flows such as the OAuth 2.0 Form Post Response Mode² and the SAML POST-Bindings³, resulting in a protocol-level Cross-Site Scripting (XSS) vulnerability pattern.

SSO Gadgets II: Unauthenticated Client-Side Template Injection to Account Takeover using SSO Gadget Chain

Fri, 30 Jun 2023 00:00:00 +0200

The following unauthenticated Client-Side Template Injection (CSTI) resulting in a Cross-Site Scripting (XSS) vulnerability was discovered in a private bug bounty program. While the vulnerability could only be exploited in case a user had no active session at the application, chained with an SSO gadget, a malicious actor could have still gained access to the user’s account and performed actions on behalf of the user.

SSO Gadgets: Escalate (Self-)XSS to ATO

Sat, 04 Feb 2023 00:00:00 +0200

With the rise of Single-Sign-On (SSO) and especially OAuth 2.0 and OpenID Connect (OIDC), the attack surface of web applications has increased significantly. In this post, I will show how to escalate a Cross-Site Scripting (XSS) vulnerability to an Account Takeover (ATO) by abusing OAuth2/OIDC gadgets and how to prevent such attacks.

Sie wurden von einem Hacker kontaktiert?

Tue, 10 Jan 2023 00:00:00 +0100

Ein “Hacker” hat Sie kontaktiert um vermeintliche Sicherheitslücken zu melden? Das hat wahrscheinlich schon jeder, der eine Webseite betreibt, einmal erlebt. Doch was bedeutet das nun für Sie und Ihr Unternehmen? Welche Schritte sollten Sie kurz- und langfristig ergreifen?

Consulting und Pentests

Mon, 01 Aug 2022 00:00:00 +0200

Gerne unterstütze ich Sie als Freelancer auf dem Weg zu sichereren Anwendungen und besserem Schutz Ihrer Kundendaten.

Personal Access Token Disclosure in Asana Desktop Application

Sat, 18 Jun 2022 00:00:00 +0100

This post gives an insight into a sensitive data exposure vulnerability in Asana for Mac that was rated as P1 and was awarded a bounty.

This was the very first report of that kind for me. Still, I think this type of deployment and build chain issue is more common than one may think.

About

Sat, 18 Dec 2021 00:00:00 +0200

Hi there 👋

My name is Lauritz and I am an IT-Security researcher and penetration tester based in Germany.

This is my personal website where I publish thoughts and advisories about my research.

You can find me on various bug bounty platforms:

Since 2024, I am also a Hackerone Brand Ambassador and I am happy to help you with any questions you might have about bug bounty hunting. Make sure to check out the German Hackerone Club and feel free to contact me via the contact form on this website.

Flickr Account Takeover

Sat, 18 Dec 2021 00:00:00 +0200

This post gives a deep dive into a critical security flaw that was present in Flickr’s login flow.

The authentication at identity.flickr.com is implemented using AWS Cognito. By exploiting configuration issues and violations of the OpenID Connect specification, it was possible to takeover any Flickr account without user interaction.

AuRA: Auth. Request Analyser

Wed, 24 Nov 2021 17:00:00 +0200

The Auth. Request Analyser (AuRA) Chromium extension aims to support the analysis of OAuth and OpenID Connect implementations, by offering semi-automated analysis and attack capabilities for Authorization/Authentication Requests.

Custom and flexible OAuth/OIDC SP and IdP implementations

Wed, 24 Nov 2021 17:00:00 +0200

During my master’s thesis, I created custom OpenID Connect Service Provider (SP) and Identity Provider (IdP) implementations for research and Proof-of-Concept purposes. Both implementations use NodeJS. This post outlines their capabilities and how they can be extended.

Insufficient Redirect URI validation: The risk of allowing to dynamically add arbitrary query parameters and fragments to the redirect_uri

Sat, 06 Nov 2021 17:00:00 +0200

In this post, I will discuss an OAuth 2.0 and OpenID Connect 1.0 implementation flaw pattern that was or is present even in well-known implementations from Github, Stackoverflow and Microsoft.

XSS in Large Messenger and Payment App - a Shout Out to Parameter Guessing

Fri, 02 Apr 2021 18:00:00 +0200

This is a post about a Cross-Site-Scripting (XSS) vulnerability that was identified within the web version of a large Chinese messenger and payment platform. The vulnerability could have been missed easily, as the vulnerable parameter was manually guessed.

TikTok Careers Portal Account Takeover

Tue, 15 Dec 2020 00:00:00 +0200

The following (slightly modified) vulnerability report was sent to TikTok using Hackerone on 17th October 2020 and was resolved within 12 days.

Real-life OIDC Security (VII): Responsible Disclosure

Thu, 19 Nov 2020 13:00:00 +0200

This is the final post of a series on Single Sign-On and OpenID Connect 1.0 security. In this post, Responsible Disclosure processes with five vendors and maintainers of popular OpenID Connect implementations are outlined. We reported vulnerabilities and security issues in Amazon Cognito, Bitbucket Server, GitLab, Keycloak, and Salesforce.

Real-life OIDC Security (VI): Reusable state leads to DoS Amplification

Tue, 17 Nov 2020 18:00:00 +0200

This is the sixth post of a series on Single Sign-On and OpenID Connect 1.0 security. This post outlines how the missing requirement of the state value within the OpenID Connect Core specification leads to real-life security issues. Namely, the Denial-of-Service Amplification attack is introduced with CVE-2020-14302 (Keycloak) as an example.

Real-life OIDC Security (V): Redirect URI

Thu, 12 Nov 2020 17:00:00 +0200

This is the fifth post of a series on Single Sign-On and OpenID Connect 1.0 security. This post outlines how the vague specification of the Redirect URI within the OpenID Connect Core specification leads to real-life security issues. Finally, we show a real-world example of such an issue with CVE-2020-10776 (Keycloak) as an example.

Real-life OIDC Security (IV): Server-Side-Request-Forgery

Tue, 10 Nov 2020 20:00:00 +0200

This is the fourth post of a series on Single Sign-On and OpenID Connect 1.0 security. In this post, SSRF vulnerabilities that were discovered in popular OIDC implementations (Keycloak (CVE-2020-10770) and Amazon Cognito) are explained in detail.

Real-life OIDC Security (III): CRLF Injections

Thu, 05 Nov 2020 17:00:00 +0200

This is the third post of a series on Single Sign-On and OpenID Connect 1.0 security. In this post, a more common CRLF injection in the context of OIDC is discussed in detail. We present issues discovered in GitLab (Severity: High - Critical) and Bitbucket Server (Severity: Informative - Low).

Real-life OIDC Security (II): Login Confusion

Mon, 02 Nov 2020 17:00:00 +0200

This is the second post of a series on Single Sign-On and OpenID Connect 1.0 security. In this post, the novel Login Confusion attack is described in detail. We use Bitbucket Server as an example.

CVE-2020-13294

Sun, 01 Nov 2020 11:00:00 +0200

The following (slightly modified) advisory was sent to GitLab using Hackerone on 19th June 2020.

Real-life OIDC Security (I): Overview

Fri, 30 Oct 2020 18:21:19 +0200

This is the first post of a series on Single Sign-On and OpenID Connect 1.0 security. This post presents a high-level overview of observed issue patterns during my research on real-life OIDC security and proposes additions to the specification’s security considerations.

macOS Catalina: PostScript evaluation to Remote Denial-of-Service

Sun, 11 Oct 2020 11:00:00 +0200

The following (slightly modified) advisory regarding macOS 10.15.6. (Catalina) was sent to Apple Product Security on 25th August 2020.

Hello World

Thu, 08 Oct 2020 22:55:45 +0200

This is the very first actual “blog post” on this site. As the main structure might indicate, future content will be categorized either as dedicated advisory on an observed vulnerability or as blog post on more high-level observations.

Privacy Policy

Wed, 25 Sep 2019 13:51:22 +0200

When I set up this blog, privacy and security were key reasons for choosing a static site generator, namely the awesome Hugo framework: https://gohugo.io/.

Thus, https://security.lauritz-holtmann.de does not set cookies nor aims to track you on application level.

Hosting & Logging (Hetzner)

This website is hosted by Hetzner Online GmbH.
The web server configuration avoids creating unnecessary logs — no access or error logs are intentionally stored by me.

However, Hetzner automatically processes certain anonymized technical data for operational and security reasons. This may include:

CVE-2019-11832

Thu, 09 May 2019 13:51:22 +0200

The following (slightly modified) advisory was sent to the TYPO3 security team (security@typo3.org) on 28th January 2019.

Impressum

Thu, 09 May 2019 13:51:22 +0200

Angaben gemäß § 5 TMG

Lauritz Holtmann
Südring 25
44787 Bochum

Umsatzsteuer-Identifikationsnummer

USt-IdNr: DE453537805

Vertreten durch:

Lauritz Holtmann

Kontakt:

E-Mail: security@lauritz-holtmann.de

Haftungsausschluss:

Haftung für Inhalte

Die Inhalte unserer Seiten wurden mit größter Sorgfalt erstellt. Für die Richtigkeit, Vollständigkeit und Aktualität der Inhalte können wir jedoch keine Gewähr übernehmen. Als Diensteanbieter sind wir gemäß § 7 Abs.1 TMG für eigene Inhalte auf diesen Seiten nach den allgemeinen Gesetzen verantwortlich. Nach §§ 8 bis 10 TMG sind wir als Diensteanbieter jedoch nicht verpflichtet, übermittelte oder gespeicherte fremde Informationen zu überwachen oder nach Umständen zu forschen, die auf eine rechtswidrige Tätigkeit hinweisen. Verpflichtungen zur Entfernung oder Sperrung der Nutzung von Informationen nach den allgemeinen Gesetzen bleiben hiervon unberührt. Eine diesbezügliche Haftung ist jedoch erst ab dem Zeitpunkt der Kenntnis einer konkreten Rechtsverletzung möglich. Bei Bekanntwerden von entsprechenden Rechtsverletzungen werden wir diese Inhalte umgehend entfernen.

Haftung für Links

Unser Angebot enthält Links zu externen Webseiten Dritter, auf deren Inhalte wir keinen Einfluss haben. Deshalb können wir für diese fremden Inhalte auch keine Gewähr übernehmen. Für die Inhalte der verlinkten Seiten ist stets der jeweilige Anbieter oder Betreiber der Seiten verantwortlich. Die verlinkten Seiten wurden zum Zeitpunkt der Verlinkung auf mögliche Rechtsverstöße überprüft. Rechtswidrige Inhalte waren zum Zeitpunkt der Verlinkung nicht erkennbar. Eine permanente inhaltliche Kontrolle der verlinkten Seiten ist jedoch ohne konkrete Anhaltspunkte einer Rechtsverletzung nicht zumutbar. Bei Bekanntwerden von Rechtsverletzungen werden wir derartige Links umgehend entfernen.

Urheberrecht

Die durch die Seitenbetreiber erstellten Inhalte und Werke auf diesen Seiten unterliegen dem deutschen Urheberrecht. Die Vervielfältigung, Bearbeitung, Verbreitung und jede Art der Verwertung außerhalb der Grenzen des Urheberrechtes bedürfen der schriftlichen Zustimmung des jeweiligen Autors bzw. Erstellers. Downloads und Kopien dieser Seite sind nur für den privaten, nicht kommerziellen Gebrauch gestattet. Soweit die Inhalte auf dieser Seite nicht vom Betreiber erstellt wurden, werden die Urheberrechte Dritter beachtet. Insbesondere werden Inhalte Dritter als solche gekennzeichnet. Sollten Sie trotzdem auf eine Urheberrechtsverletzung aufmerksam werden, bitten wir um einen entsprechenden Hinweis. Bei Bekanntwerden von Rechtsverletzungen werden wir derartige Inhalte umgehend entfernen.