I forgot to blog about another Google bug of mine. Nowadays I am busy with my start-up project! I hope I will be back on bug bounty soon and will have some good blog posts out!
Changing the OAuth Target URL & Domain Description can be achieved using a clickjacking vulnerability. Clickjacking is commonly known as an OWASP Top 10 vulnerability.
Status: Fixed
OAuth is cool and simple to understand; a developer can integrate with Google's OAuth endpoints seamlessly and effortlessly. Google provides a panel to manage the Return URL & Domain Description at the following URL.
Vulnerable URL : https://accounts.google.com/ManageDomain?authsub_msd=anydomain.com
On the page there are two input boxes, called "Target URL path prefix:" and "Domain description:", where the user submits the domain and description information.
As shown in the following image:
[Image: Change OAuth Domain & Description]
POC : <iframe src="https://accounts.google.com/ManageDomain?authsub_msd=anydomain.com" width="600" height="600"></iframe> // Not actual POC
Header Information:
As you can see, header information is missing in the headers below:
Host: accounts.google.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
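A defensive check for the condition described above, as an added example that is not code from the original post: it classifies a server response as `deny`, `restricted` or `framable` from its anti-framing headers. The post does not name the missing header; checking `X-Frame-Options` and CSP `frame-ancestors` is an assumption, and the sample responses are constructed.

```javascript
// Added example; assumes X-Frame-Options and CSP frame-ancestors are the headers of interest.
function parseHeaders(raw) {
  const headers = {};
  for (const line of raw.split(/\r?\n/).slice(1)) { // skip the status line
    if (line === "") break;                          // end of the header block
    const i = line.indexOf(":");
    if (i < 1) continue;
    const name = line.slice(0, i).trim().toLowerCase();
    (headers[name] = headers[name] || []).push(line.slice(i + 1).trim());
  }
  return headers;
}

// Source lists of every enforced frame-ancestors directive (Report-Only is not enforced).
function frameAncestorLists(headers) {
  const lists = [];
  for (const policy of (headers["content-security-policy"] || []).flatMap(v => v.split(","))) {
    for (const directive of policy.split(";")) {
      const [name, ...sources] = directive.trim().toLowerCase().split(/\s+/);
      if (name === "frame-ancestors") lists.push(sources);
    }
  }
  return lists;
}

// Returns "deny", "restricted" (only same-origin/listed parents) or "framable" (any site).
function framingVerdict(raw) {
  const headers = parseHeaders(raw);
  const lists = frameAncestorLists(headers);
  if (lists.length > 0) { // frame-ancestors present: browsers ignore X-Frame-Options
    const blocksAll = l => l.every(s => s === "'none'"); // also true for an empty list
    const open = l => l.some(s => s === "*" || s === "https:" || s === "http:");
    if (lists.some(blocksAll)) return "deny";
    return lists.every(open) ? "framable" : "restricted";
  }
  // X-Frame-Options, following the HTML Standard's check: conflicting values block framing.
  const xfo = new Set((headers["x-frame-options"] || [])
    .flatMap(v => v.split(",")).map(v => v.trim().toLowerCase()).filter(Boolean));
  const known = ["deny", "sameorigin", "allowall"].some(v => xfo.has(v));
  if (xfo.size > 1) return known ? "deny" : "framable";
  if (xfo.has("deny")) return "deny";
  if (xfo.has("sameorigin")) return "restricted";
  return "framable"; // header absent, ALLOW-FROM or an unrecognised value
}

// Constructed sample responses (not captured traffic).
const SAMPLE_UNPROTECTED = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nCache-Control: private\r\n\r\n";
const SAMPLE_CSP = "HTTP/1.1 200 OK\r\nX-Frame-Options: ALLOW-FROM https://a.example\r\nContent-Security-Policy: default-src 'self'; frame-ancestors 'self'\r\n\r\n";
console.log(framingVerdict(SAMPLE_UNPROTECTED), framingVerdict(SAMPLE_CSP));
```

A `framable` verdict on a page that performs state-changing actions for a logged-in user is the condition that allows clickjacking.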
Special thanks to the Google Security Team & the G4H (garage4hackers.com) Team.