Comment by Uvix
3 years ago
The Harvest redirect_uri is registered with Microsoft. Harvest implements its own redirect after the Microsoft OAuth server redirects to them, based on the data in the state.
I agree the fact that Harvest blindly redirects helps enable the attack, but according to the OAuth standard, a redirect_uri which does not match a registered one should not be accepted before authorization takes place.
From the POC authorization URL, the redirect_uri parameter and value are:
So if Harvest registered the redirect_uri as:
then why do any extra URL parameters added to that value get accepted by the Microsoft OAuth server before authorization, when they clearly do not match the registered one?
edit: I tried authorizing using another OAuth server provider, with a changed redirect_uri by appending URL parameters to the encoded value, and the OAuth server (I believe, quite rightly) rejected the authorization request.
Altering the query string is allowed but discouraged by the OAuth 2.0 spec: https://datatracker.ietf.org/doc/html/rfc6749#section-3.1.2....
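The two validation policies the thread is arguing about, side by side, as an added example that is not part of the original thread and is not Microsoft's, Harvest's or any library's code: strict exact matching of the registered redirect_uri (what RFC 6749 section 3.1.2.2 says an authorization server SHOULD require) versus the fallback the same section permits, where only scheme, authority and path are registered and the client may vary the query component. The host names, the registered URIs and the test cases are constructed for the example; the rule that registered query parameters must survive unchanged in relaxed mode is a design choice of this example, not something the RFC specifies.

```python
"""Redirect URI validation for an OAuth 2.0 authorization server, two ways:

  * strict  : the requested redirect_uri must match a registered URI exactly
              (RFC 6749 section 3.1.2.2: the server SHOULD require this);
  * relaxed : scheme, authority and path are registered, and the client may
              vary only the query component (the fallback the section allows).

Hypothetical module written for illustration; not the code of any real provider.
"""
from urllib.parse import urlsplit, parse_qsl

# Constructed sample registrations; the host names are placeholders.
REGISTERED_EXACT = ["https://app.example.test/oauth/microsoft/callback"]
REGISTERED_WITH_QUERY = ["https://app.example.test/oauth/cb?client=web"]


def _parts(uri):
    """Split a URI into comparable components. Scheme and host are
    case-insensitive (RFC 3986 section 6.2.2.1); path and query are compared
    byte-for-byte, with no percent-decoding or dot-segment removal, because
    normalising before comparison is a classic source of matching bypasses."""
    p = urlsplit(uri)
    return p.scheme.lower(), p.netloc.lower(), p.path, p.query, p.fragment


def redirect_uri_allowed(requested, registered, allow_query_variation=False):
    """Return True if `requested` may be used as redirect_uri for this client."""
    if not requested:
        # Demo policy: always require the parameter, even for single-URI clients.
        return False
    scheme, host, path, query, fragment = _parts(requested)
    if fragment:
        # RFC 6749 section 3.1.2: the redirection URI MUST NOT include a fragment.
        return False
    if scheme not in ("https", "http"):
        # Only web schemes in this demo (custom/native schemes are out of scope).
        return False
    for reg in registered:
        r_scheme, r_host, r_path, r_query, _ = _parts(reg)
        if (scheme, host, path, query) == (r_scheme, r_host, r_path, r_query):
            return True            # exact match: accepted under both policies
        if not allow_query_variation:
            continue
        if (scheme, host, path) != (r_scheme, r_host, r_path):
            continue               # relaxed mode still pins scheme/authority/path
        # Relaxed mode: the client may add query parameters, but any parameter
        # that was part of the registered URI must still be present unchanged.
        # (Design choice for this example; the RFC only says the query may vary.)
        reg_params = dict(parse_qsl(r_query, keep_blank_values=True))
        req_params = dict(parse_qsl(query, keep_blank_values=True))
        if all(req_params.get(k) == v for k, v in reg_params.items()):
            return True
    return False


def check_cases():
    """Run the situation the thread describes, an attacker appending a query
    parameter to an otherwise valid redirect_uri, plus a few neighbouring
    cases. Returns {case_name: (strict_result, relaxed_result)}."""
    cases = {
        "exact": "https://app.example.test/oauth/microsoft/callback",
        "appended_param": "https://app.example.test/oauth/microsoft/callback"
                          "?next=https://attacker.example/",
        "other_host": "https://attacker.example/oauth/microsoft/callback",
        "fragment": "https://app.example.test/oauth/microsoft/callback#token",
        "http_downgrade": "http://app.example.test/oauth/microsoft/callback",
    }
    return {
        name: (redirect_uri_allowed(uri, REGISTERED_EXACT),
               redirect_uri_allowed(uri, REGISTERED_EXACT, allow_query_variation=True))
        for name, uri in cases.items()
    }


if __name__ == "__main__":
    for name, (strict, relaxed) in check_cases().items():
        print(f"{name:15s} strict={strict!s:5} relaxed={relaxed}")
```

Under the strict policy the appended `next=` parameter is rejected before any consent screen is shown; under the relaxed policy the provider accepts it and hands the problem to the client, which is exactly why the RFC recommends exact matching and suggests `state` for per-request customisation instead.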
Interesting, thanks!