WRITEUP #813

Account hijack for anyone using Google sign-in with , due to response-type switch + leaking href to XSS on login.redacted.com

Tags: OAuth, XSS, Account takeover
by @sudhanshur705 (Sudhanshu Rajbhar)
Program
-
Published
Sep 10, 2023
Added to HackDex
Sep 19, 2023
Read Full Writeup: https://github.com/Sudistark/xss-writeups/blob/main/oauth-dance.md
RELATED WRITEUPS
Self-XSS to ATO via Site Features
Tags: XSS, Self-XSS
Stealing First Party Access Token of Facebook Users: Meta Bug Bounty
Tags: OAuth, Account takeover
Over 1 Million websites are at risk of sensitive information leakage - XSS is dead. Long live XSS
Tags: XSS, OAuth
Self XSS + Login CSRF + OAuth = Account Takeover
Tags: Auth Bypass, Account takeover
Interesting Story of an Account Takeover Vulnerability
Tags: Auth Bypass, Account takeover

Built with ❤️ by Shubham Rawat