The following unauthenticated Client-Side Template Injection (CSTI) resulting in a Cross-Site Scripting (XSS) vulnerability was discovered in a private bug bounty program. While the vulnerability could only be exploited in case a user had no active session at the application, chained with an SSO gadget, a malicious actor could have still gained access to the user’s account and performed actions on behalf of the user.

With the rise of Single-Sign-On (SSO) and especially OAuth 2.0 and OpenID Connect (OIDC), the attack surface of web applications has increased significantly. In this post, I will show how to escalate a Cross-Site Scripting (XSS) vulnerability to an Account Takeover (ATO) by abusing OAuth2/OIDC gadgets and how to prevent such attacks.

This post gives a deep dive into a critical security flaw that was present in Flickr’s login flow.

The authentication at identity.flickr.com is implemented using AWS Cognito. By exploiting configuration issues and violations of the OpenID Connect specification, it was possible to takeover any Flickr account without user interaction.

The following (slightly modified) vulnerability report was sent to TikTok using Hackerone on 17th October 2020 and was resolved within 12 days.

This is the final post of a series on Single Sign-On and OpenID Connect 1.0 security. In this post, Responsible Disclosure processes with five vendors and maintainers of popular OpenID Connect implementations are outlined. We reported vulnerabilities and security issues in Amazon Cognito, Bitbucket Server, GitLab, Keycloak, and Salesforce.

This is the sixth post of a series on Single Sign-On and OpenID Connect 1.0 security. This post outlines how the missing requirement of the state value within the OpenID Connect Core specification leads to real-life security issues. Namely, the Denial-of-Service Amplification attack is introduced with CVE-2020-14302 (Keycloak) as an example.

This is the fifth post of a series on Single Sign-On and OpenID Connect 1.0 security. This post outlines how the vague specification of the Redirect URI within the OpenID Connect Core specification leads to real-life security issues. Finally, we show a real-world example of such an issue with CVE-2020-10776 (Keycloak) as an example.

This is the fourth post of a series on Single Sign-On and OpenID Connect 1.0 security. In this post, SSRF vulnerabilities that were discovered in popular OIDC implementations (Keycloak (CVE-2020-10770) and Amazon Cognito) are explained in detail.

This is the third post of a series on Single Sign-On and OpenID Connect 1.0 security. In this post, a more common CRLF injection in the context of OIDC is discussed in detail. We present issues discovered in GitLab (Severity: High - Critical) and Bitbucket Server (Severity: Informative - Low).

This is the second post of a series on Single Sign-On and OpenID Connect 1.0 security. In this post, the novel Login Confusion attack is described in detail. We use Bitbucket Server as an example.

The following (slightly modified) advisory was sent to GitLab using Hackerone on 19th June 2020.

This is the first post of a series on Single Sign-On and OpenID Connect 1.0 security. This post presents a high-level overview of observed issue patterns during my research on real-life OIDC security and proposes additions to the specification’s security considerations.