Lab 348 — Connectify — IDN Homograph OAuth Open Redirect

hackadvisor

Task: OAuth gateway platform with redirect_uri validation that checks protocol and TLD format but does not normalize Unicode characters. Solution: register OAuth app with IDN homograph redirect_uri (Cyrillic і U+0456 instead of Latin i), trick admin bot into authorizing, steal auth code from Authorization Log, exchange for token, access admin secrets.

unicode nodejs express admin_bot punycode open_redirect oauth idn_homograph redirect_uri_bypass authorization_code_theft

token_exchangeidn_homograph_attackoauth_redirect_uri_bypassauthorization_code_theftapi_secret_exfiltration

$ ls tags/ techniques/

unicode nodejs express admin_bot punycode open_redirect oauth idn_homograph redirect_uri_bypass authorization_code_theft

token_exchangeidn_homograph_attackoauth_redirect_uri_bypassauthorization_code_theftapi_secret_exfiltration

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ grep --similar

Similar writeups

[web][Pro]Lab 173 — ConnectHub — OAuth Open Redirect via URL Userinfo Bypass— hackadvisor
[web][Pro]Lab 35 — GateKeeper SSO — Open Redirect via Regex URI Validation— hackadvisor
[web][Pro]DevRelay — Open Redirect in OAuth Authorization— hackadvisor
[web][Pro]Lab 303 — DevGateway — Broken Access Control in Admin API— hackadvisor
[web][Pro]Lab 273 — AuthForge — SSRF via OAuth Dynamic Client Registration— hackadvisor