OAuth Vulnerability Exposes 1 Million Websites To XSS Attacks

Despite robust defenses, Cross-Site Scripting (XSS) remains a persistent web vulnerability, even though exploiting it has become increasingly challenging.

A recent discovery highlights how integrating OAuth, a modern authentication standard, with vulnerable websites can resurrect XSS risks. 

By manipulating OAuth flows and leveraging existing XSS flaws, attackers can potentially compromise sensitive data and execute malicious actions, bypassing traditional protections and enabling account takeover on millions of websites. 

XSS, a longstanding web vulnerability, permits attackers to inject malicious scripts into legitimate web pages, tricking users into executing them.


While traditional XSS defenses like input validation and output encoding have mitigated many risks, the evolution of web applications and the increasing reliance on OAuth for authentication have introduced new attack vectors. 

By leveraging XSS vulnerabilities, attackers can potentially steal OAuth tokens, granting them unauthorized access to user accounts and sensitive data across multiple platforms. 

A website that echoes user input without encoding it is vulnerable to XSS. By injecting malicious HTML/JS disguised as user input, attackers can execute arbitrary code in the victim’s browser. 

It can be used for simple attacks like displaying an alert box, but it gets serious when the target site stores sensitive information like cookies.

A crafted XSS attack can steal these cookies, granting the attacker access to the victim’s account (full takeover) if the cookies contain authentication credentials. 

Developers can implement several strategies to prevent XSS attacks. Manual input sanitization and output encoding require developers to ensure user input isn’t interpreted as malicious code. 

Modern web frameworks provide automatic escaping to prevent embedded values from being executed. The HTTP-Only attribute protects cookies from being accessed by client-side scripts. 


Content Security Policy (CSP) allows administrators to specify trusted sources for content, blocking malicious scripts.

While these methods are essential, they are not foolproof, and attackers may still find ways to bypass them.  
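The output encoding, HTTP-Only cookie and CSP defenses described above, shown together in an added Node.js example (not code from the article or from any vendor it names). The cookie name `sid`, the CSP source list and the sample input are assumptions made for the example.

```javascript
// Added example: output encoding for a page that echoes user input, plus the
// response headers that complement it. Node.js, no dependencies.

// Escape the five characters that let a string break out of HTML text or a
// double-quoted attribute. Apply to every user-controlled value placed in HTML.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// A search page that echoes the query back. The unsafe variant is the
// "echoes user input" flaw; the safe variant encodes before interpolating.
function renderUnsafe(query) {
  return `<p>Results for: ${query}</p>`;
}
function renderSafe(query) {
  return `<p>Results for: ${escapeHtml(query)}</p>`;
}

// Headers that limit the damage of any XSS that slips through:
// the session cookie is unreadable by script, and CSP restricts script sources
// to the site's own origin. (Cookie name and CSP policy are assumptions.)
function securityHeaders(sessionId) {
  return {
    "Set-Cookie": `sid=${encodeURIComponent(sessionId)}; HttpOnly; Secure; SameSite=Lax; Path=/`,
    "Content-Security-Policy":
      "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'",
  };
}

// Does rendered HTML still contain a live <script> element?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample input: the classic alert-box probe mentioned in the text.
const PROBE = "<script>alert(1)</script>";
console.log("unsafe:", renderUnsafe(PROBE), "->", containsScriptTag(renderUnsafe(PROBE)));
console.log("safe:  ", renderSafe(PROBE), "->", containsScriptTag(renderSafe(PROBE)));
console.log(securityHeaders("session-id-CONSTRUCTED"));
```

Encoding is context-specific: `escapeHtml` is correct for HTML text and quoted attributes, but a value placed inside a `<script>` block, a URL or a CSS property needs the encoder for that context, which is why frameworks with automatic escaping are preferred over hand-rolled calls.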

Salt Security describes a security vulnerability in Hotjar, a web analytics tool, which uses a parameter called “next” in the URL to redirect users.

The attacker can exploit this vulnerability by inserting malicious code into the “next” parameter and having the browser redirect the user. 


Salt Security found this vulnerability by searching for sources of user input in the Hotjar JavaScript code and then debugging the code to see how it is processed.
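A redirect parameter like the “next” value above is safe only if the application refuses anything that is not a same-origin path. The following is an added Node.js example (not Hotjar's code and not from the Salt Security write-up); the application origin `https://app.example.com`, the function names and the sample values are all constructed for the example.

```javascript
// Added example: validating a "next"-style redirect parameter with the WHATWG
// URL API so that only same-origin relative paths are honoured. Node.js.

// Origin of the application (assumption for this example).
const APP_ORIGIN = "https://app.example.com";

// Return a safe local redirect path, or null if the value must be rejected.
function safeRedirectTarget(next) {
  if (typeof next !== "string" || next.length === 0 || next.length > 2048) return null;
  // Resolve against the app origin so "/foo", "foo" and absolute URLs all parse.
  let url;
  try {
    url = new URL(next, APP_ORIGIN);
  } catch {
    return null;
  }
  // Anything that is not a same-origin https URL is rejected. This single check
  // covers javascript:, data:, protocol-relative "//host" and external URLs,
  // because their origin is either "null" or a different host.
  if (url.origin !== APP_ORIGIN) return null;
  // Belt and braces: some parsers treat "/\host" as an authority. Refuse it.
  if (next.includes("\\")) return null;
  // Return only path + query, never the raw input, so the Location is always local.
  return url.pathname + url.search;
}

// Build the redirect response, falling back to the home page on rejection.
function redirectResponse(next) {
  const target = safeRedirectTarget(next);
  return { status: 302, headers: { Location: target === null ? "/" : target } };
}

// Constructed sample values: two legitimate, the rest must be refused.
const SAMPLES = [
  "/dashboard?tab=1",
  "https://app.example.com/settings",
  "javascript:alert(1)",
  "//evil.example/phish",
  "https://evil.example/",
  "data:text/html,x",
];
for (const s of SAMPLES) {
  console.log(JSON.stringify(s), "->", JSON.stringify(safeRedirectTarget(s)));
}
```

Returning `url.pathname + url.search` rather than the original string is the important design choice: even if a future parser quirk lets an odd input through the origin check, what reaches the `Location` header is a re-serialised local path, not attacker-controlled bytes.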

An attacker exploited an XSS vulnerability on a website using OAuth for social login. The website’s cookies were protected with the HTTP-Only flag, making them inaccessible to JavaScript. 

However, the attacker leveraged the fact that the OAuth token was included in the URL after a successful login.

Malicious JavaScript code initiated a new OAuth login in a separate window, and then the token was read from the URL fragment of that window. 

This stolen token allowed the attacker to take over the victim’s account and potentially access sensitive information like recordings of user activity, including keyboard strokes and mouse movements.
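The root cause in the account-takeover chain above is that the token lands in the URL fragment, which any script on the page can read. An added Node.js example (not Hotjar's or Salt Security's code) that classifies a completed-login redirect: it flags token-bearing fragments and accepts only the authorization-code shape, where the browser receives a short-lived code plus a state value and the server exchanges the code out of reach of page scripts. The redirect URIs, state values and parameter names beyond the standard `code`, `state`, `error`, `access_token` and `id_token` are constructed for the example.

```javascript
// Added example: detecting script-readable tokens in an OAuth redirect and
// accepting only the authorization-code response shape. Node.js, no dependencies.

// Parse the URL fragment into key/value pairs. This is exactly what a script
// on the redirect page can do with location.hash, which is why a token placed
// there is exposed to any XSS on that origin.
function fragmentParams(redirectUri) {
  const hash = new URL(redirectUri).hash.replace(/^#/, "");
  return Object.fromEntries(new URLSearchParams(hash));
}

// Classify a redirect back to the application after login:
//   "token-in-fragment": an access or ID token is in the fragment (implicit-style
//                        response); script on the page can read it.
//   "code-flow":         only an authorization code and a matching state; the
//                        server can exchange the code and set an HttpOnly cookie.
//   "invalid":           error response, missing code/state, or state mismatch.
function classifyCallback(redirectUri, expectedState) {
  const url = new URL(redirectUri);
  const frag = fragmentParams(redirectUri);
  if ("access_token" in frag || "id_token" in frag) return "token-in-fragment";
  if (url.searchParams.has("error")) return "invalid";
  const code = url.searchParams.get("code");
  const state = url.searchParams.get("state");
  // State must be present and equal to the value bound to this browser session
  // before the login was started; otherwise the response could be injected.
  if (!code || !state || state !== expectedState) return "invalid";
  return "code-flow";
}

// Constructed samples: same callback path, three response shapes.
const CALLBACK = "https://app.example.com/oauth/callback";
const SAMPLES = [
  [`${CALLBACK}#access_token=tok_CONSTRUCTED&token_type=bearer&state=s1`, "s1"],
  [`${CALLBACK}?code=code_CONSTRUCTED&state=s1`, "s1"],
  [`${CALLBACK}?code=code_CONSTRUCTED&state=s1`, "s2"],
  [`${CALLBACK}?error=access_denied&state=s1`, "s1"],
];
for (const [uri, expected] of SAMPLES) {
  console.log(classifyCallback(uri, expected), "<-", uri);
}
```

A practical check for a site that uses social login: load the post-login redirect in a browser with the developer tools open and look at the address bar and `location.hash`; if an `access_token` or `id_token` is visible there, the site's session is only as strong as its weakest XSS filter, regardless of the HTTP-Only flag on its cookies.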


Aman Mishra
