Saturday, May 31, 2014

XSS in OAuth flow of Paypal

Again, one fine night of playing with Paypal's REST API led to an XSS in their OAuth flow.
I quickly made a working POC and sent it to Paypal.

POC:
Paypal's REST API provides a simple payment solution.
Basically, one needs to create an application in the developer section and integrate it with the website.

But what lured me was the "Return URL" section.


I tried a few vectors, but there was a check which required "HTTP://" or "HTTPS://" at the beginning of the string.
But on analysing that check, it turned out to be nothing more than

"Client Side Authentication"


So, I fired up Burp Suite and edited the "oauth_return_url_live" parameter in the request.

Bingo, the payload was injected successfully.
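The root cause here is that the only check on the return URL ran in the browser, so anything submitted directly in the request reached the server unvalidated. The following is an added example of the server-side validation that closes that gap; it is not Paypal's code. The function names, the `registered` allow-list and the sample URLs are constructed for illustration.

```python
from urllib.parse import urlsplit

# Only web schemes may ever be used as a post-payment return target.
ALLOWED_SCHEMES = {"http", "https"}
DEFAULT_PORTS = {"http": 80, "https": 443}


def browser_side_prefix_check(value):
    """The kind of check that is useless on its own: it runs in the
    browser, so a client that simply skips it sends the server any
    string it likes. Kept here only for contrast."""
    return value.lower().startswith(("http://", "https://"))


def canonical_return_url(candidate):
    """Server-side parse of a submitted return URL.

    Returns the canonical 'scheme://host[:port]/path' string, or None if
    the value is unacceptable. Rejects non-web schemes (javascript:, data:,
    ...), embedded control characters, credentials in the authority and
    URLs with no host. The query string is dropped so that a merchant may
    append order parameters without defeating the allow-list match.
    """
    if not isinstance(candidate, str) or not candidate or len(candidate) > 2048:
        return None
    # Control characters and whitespace are never part of a legitimate URL
    # and are a classic way to confuse parsers about where a scheme ends.
    if any(ord(ch) < 0x21 or ord(ch) == 0x7F for ch in candidate):
        return None
    try:
        parts = urlsplit(candidate)
    except ValueError:
        return None
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return None
    host = parts.hostname  # already lower-cased by urlsplit
    if not host:
        return None
    if parts.username or parts.password:
        return None
    try:
        port = parts.port
    except ValueError:  # non-numeric or out-of-range port
        return None
    if port is None or port == DEFAULT_PORTS[scheme]:
        authority = host
    else:
        authority = f"{host}:{port}"
    path = parts.path or "/"
    return f"{scheme}://{authority}{path}"


def is_registered_return_url(candidate, registered):
    """True only if the submitted URL canonicalises to one of the return
    URLs the merchant registered when creating the application."""
    allowed = {c for c in (canonical_return_url(r) for r in registered) if c}
    canon = canonical_return_url(candidate)
    return canon is not None and canon in allowed


if __name__ == "__main__":
    # Constructed sample values, not taken from the original report.
    registered = ["https://merchant.example/checkout/done"]
    for url in ["https://merchant.example/checkout/done?order=42",
                "HTTPS://Merchant.Example:443/checkout/done",
                "javascript:void(0)",
                "https://merchant.example/elsewhere"]:
        print(f"{url!r}: {is_registered_return_url(url, registered)}")
```

The decisive change is not the stricter parsing but where it runs: the value is checked again on the server, against what the merchant registered, every time it is used. The browser-side prefix check can stay as a usability nicety, but nothing may depend on it.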

Lastly, all I did was put the pieces in order.


So, the victim visits your site and, as soon as he pays you with his Paypal account,
his account is your account.

This vulnerability worked in Opera and older versions of Firefox.
I was rewarded a decent bounty for this by Paypal Security.
