webPromedium

CloudPulse — OAuth CSRF Account Takeover via Missing State Parameter

hackadvisor

Task: Express.js cloud monitoring platform with ConnectID SSO integration, admin bot visits support ticket URLs. Solution: OAuth CSRF via missing state parameter — register attacker ConnectID, capture authorization code, deliver callback URL to admin via support ticket, admin bot links attacker's ConnectID to admin account, then login as admin via ConnectID.

$ ls tags/ techniques/

nodejs express privilege_escalation csrf admin_bot decoy_flag account_takeover sso oauth missing_state_parameter connectid

admin_bot_exploitationauthorization_code_interceptiondecoy_flag_evasionoauth_csrf_missing_stateoauth_account_linking_csrfprivilege_escalation_via_oauth

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

🔒

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ grep --similar

Similar writeups

[web][Pro]DevPulse — CSRF via JSON Content-Type Bypass— hackadvisor
[web][Pro]CloudPulse— hackadvisor
[web][Pro]Lab 322 — NetPulse — IP Spoofing to RCE via Polling Agent API— hackadvisor
[web][Pro]Lab 69 — TeamPulse — Reflected XSS in OAuth2 Error Callback— hackadvisor
[web][Pro]TeamPulse — Broken Authorization in Team Invitation Roles— hackadvisor