Boost Your Hunting with extract_OAuTH

Sangharsha
2 min read

Idea and Inspiration:

It was a late night. My inbox was lighting up with invitations to develop fuzzers and tools for my clients, but I kept skipping over them. Something was missing. I wanted something faster and smarter for my clients, something that helps discover and exploit vulnerabilities with higher impact, i.e. ATO.

I turned my attention to OAuth implementations. However, finding vulnerabilities and domains with OAuth implementations often feels like looking for a needle in a haystack, especially if you have wide scopes and many domains. This is where automation and tools like OAuth Extractor come into play.

With OAuth Extractor, the process became streamlined and efficient. By automating the extraction and analysis of OAuth tokens and critical authentication parameters, I systematically uncovered vulnerabilities on platforms like Substack, where my clients spend a significant amount of time.

Automation Success: Using extract_OAuth to Uncover ATO on Substack

By leveraging the power of automation with extract_OAuth, I identified and exploited subtle issues, including an open redirect vulnerability and cookie injection. This led to a critical escalation into XSS and ultimately to an Account Takeover (ATO). I submitted a detailed report with a working proof-of-concept (POC) to Substack’s team.

Installation

To get started with extract_OAuTH, follow these steps:

  1. Clone the repository to your local machine:

     git clone https://github.com/noob6t5/extract_oauth_urls.git
     cd extract_oauth_urls
    
  2. Ensure you have the required dependencies installed:

     pip install -r requirements.txt
    

Usage

Use extract_OAuTH to scan URL lists efficiently:

  1. Basic Scan:

     python3 extract.py -f /path/to/your/urls.txt
    
  2. Custom Output:

     python3 extract.py -f /path/to/your/urls.txt -o custom_output.txt
    
  3. Scan via Piping:

     cat /path/to/your/urls.txt | python3 extract.py -f -
    

Case Study: Discovering ATO on Substack

Identifying the Vulnerability:
Using extract_OAuth, I scanned over 1,000 Substack subdomains, quickly identifying suspicious endpoints with redirect parameters.

Crafting the Payload:
After sending the data to my bot, it created a POC, highlighting that session and cookie data could be grabbed via XSS, though SSRF and other bugs were absent. For demonstration, I manually crafted a malicious POC:

     https://substack.com/reader-onboarding?isAbbreviated=true&redirect=https://<ngrok-url>/nothing.html

Exploitation:
The bot flagged the potential for session hijacking. I escalated the issue, demonstrating a complete ATO by leveraging XSS to hijack the victim’s session.

While I cannot share the full POC or screenshots due to ethical considerations, you can verify my contribution in Substack’s Hall of Fame.
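As an added example (not the extract_OAuTH tool's own code), this is the kind of triage such a URL-list scanner performs: parse each URL, flag OAuth parameters and well-known authorization paths, and mark redirect parameters whose target host differs from the serving host, which are the entries a defender should confirm are validated against an allowlist. The parameter and path name lists are this example's own assumptions, and the sample URLs are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Heuristic name lists are this example's assumptions, not extract_OAuTH's own detection list.
OAUTH_PARAMS = {"client_id", "response_type", "redirect_uri", "scope", "state",
                "code", "access_token", "id_token"}
REDIRECT_PARAMS = {"redirect", "redirect_uri", "redirect_url", "return_url", "returnto",
                   "next", "url", "callback", "continue", "dest", "destination", "goto"}
OAUTH_PATH_RE = re.compile(r"/(oauth2?|authorize|auth/callback|callback|signin|login|sso)(/|$)", re.I)

def classify_url(url):
    """Describe the OAuth/redirect indicators in one URL; None if nothing is of interest."""
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    params = {k.lower(): v for k, v in parse_qsl(parts.query, keep_blank_values=True)}
    oauth_hits = sorted(k for k in params if k in OAUTH_PARAMS)
    redirect_hits = sorted(k for k in params if k in REDIRECT_PARAMS)
    oauth_path = bool(OAUTH_PATH_RE.search(parts.path))
    if not (oauth_hits or redirect_hits or oauth_path):
        return None
    # A redirect target on a different host than the serving host (including
    # protocol-relative "//host" values) must be allowlisted server-side, and an
    # authorization server must match redirect_uri exactly: review these by hand.
    external = []
    for k in redirect_hits:
        target_host = urlsplit(params[k]).hostname
        if target_host and target_host != parts.hostname:
            external.append(f"{k}={params[k]}")
    return {"url": url.strip(), "host": parts.hostname, "oauth_path": oauth_path,
            "oauth_params": oauth_hits, "redirect_params": redirect_hits,
            "external_redirects": external}

def scan_urls(lines):
    """Scan an iterable of URL lines (a file, or stdin when piped) and keep the hits."""
    findings = []
    for line in lines:
        if line.strip() and not line.lstrip().startswith("#"):
            hit = classify_url(line)
            if hit:
                findings.append(hit)
    return findings

# Constructed sample input standing in for urls.txt; the hosts are not real targets.
SAMPLE_URLS = """
https://app.example.com/reader-onboarding?isAbbreviated=true&redirect=https://attacker.example/nothing.html
https://app.example.com/login?next=/dashboard
https://id.example.com/oauth2/authorize?client_id=abc&response_type=code&redirect_uri=https://app.example.com/callback&state=xyz
""".splitlines()
```

Feed `scan_urls` the lines of a real URL list and only the entries with an external redirect target, or an OAuth endpoint, come back for manual review.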

Let’s Build Automation for You!

Are you looking to enhance your security systems or workflows? Contact me for collaboration opportunities or custom tool development. Together, we can build smarter, faster, and more secure solutions for your codebases, systems, kernels, web applications, and LLMs.

Reach out via GitHub or Twitter.


Written by

Sangharsha

Aspiring developer and security enthusiast.