Change OAuth Target URL & Domain Description [ UI redress attack ]

May 10, 2013

I forgot to blog about my another Google bug.  Now a days i am got busy in my start up project ! I hope so i will back soon on bug bounty will have some god blog out ! :)

To Change OAuth Target URL & Domain Description Can be achieved using Clickjacking Vulnerability . Click Jacking is commonly know as OWASP Top 10 Vulnerability.

Status: Fixed

OAuth is cool and simple to understand developer can integrate with Google ‘s OAuth endpoints seamlessly and effortlessly . Google Provider a Panel to manage the Return URL & Domain Description by using following URL.

Vulnerable URL :

On the page there two input box called as Target URL path prefix: & Domain description: where use submit Domain & description information.

As Shown in the following Image :

Change OAuth Domain & Description

POC : < i f r a m e s r c = “” width=”600″ height=”600″> // Not actual POC

Header Information :

As you can see missing Header information in the below Header Information

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv: Gecko/20100401 Firefox/3.6.3
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive

Special thanks to Google Security Team & G4H( Team ..

We Provide Penetration Testing

We Provide Penetration Testing