This is the Netease (api.t.163.com) OAuth2 authorization page used to log in to 56.com with a Netease account:

https://api.t.163.com/oauth2/authorize?client_id=II5coZy8DdAtKt7a&redirect_uri=http%3A%2F%2Fapp.56.com%2Fcooperate%2Findex.php%3Faction%3DWeibo%26tag%3Dwy%26do%3DCheckLogin%26from%3Dregbox&response_type=code&state=unk-qogvtqoomz

Here client_id (the equivalent of an appkey) is bound to a redirect_uri. If the redirect_uri parameter is changed to a different domain, the server returns an error:

{"request":"/oauth2/authorize","error":"error=redirect_uri_mismatch","error_code":"401","message_code":"a0000153"}

The vulnerability is in how redirect_uri is validated: the check can be bypassed with %40 (a URL-encoded '@'). We construct the address:

https://api.t.163.com/oauth2/authorize?client_id=II5coZy8DdAtKt7a&redirect_uri=http%3A%2F%2Fapp.56.com%40wooyun.org

whose decoded redirect_uri is http://app.56.com@wooyun.org. This passes the validity check, which evidently only looks at whether the value begins with the bound domain app.56.com. A browser, however, treats everything before the '@' in the authority as userinfo (RFC 3986), so the actual host is wooyun.org. After the user logs in and authorizes, the browser is redirected to the address we specified and the token is leaked.
Hazard: an attacker can host a page at the attacker-controlled address that records the hijacked token and then use it to control the user's account.

Solution: strengthen redirect_uri validation. Parse the submitted URI and compare its scheme, host and port (and preferably the whole URI, by exact string comparison as RFC 6749 recommends) against the value registered for the client_id, instead of checking that the string starts with the registered domain; reject any redirect_uri that contains userinfo ('@') or a fragment.
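The following is an added example, not code from the report or from the Netease service, showing why the prefix check described above fails and what a component-wise check looks like. It reconstructs the vulnerable behaviour as a plain startswith() test (an assumption; the server's real code is not on the page), uses the two redirect_uri values from the report as input, and assumes the registered callback for client_id II5coZy8DdAtKt7a is the scheme/host/path of the legitimate request.

```python
from urllib.parse import urlsplit, unquote

# Assumption: the callback the server has on file for this client_id. The report
# only shows the callback in the legitimate request; we take its scheme/host/path.
REGISTERED_REDIRECT = "http://app.56.com/cooperate/index.php"

# Constructed from the two requests in the report, URL-decoded.
LEGIT_REDIRECT = unquote(
    "http%3A%2F%2Fapp.56.com%2Fcooperate%2Findex.php"
    "%3Faction%3DWeibo%26tag%3Dwy%26do%3DCheckLogin%26from%3Dregbox"
)
BYPASS_REDIRECT = unquote("http%3A%2F%2Fapp.56.com%40wooyun.org")


def vulnerable_check(redirect_uri: str) -> bool:
    """Prefix match on the bound domain.

    Reconstruction of the behaviour the report implies (not the server's real
    code): anything that *starts with* the bound domain passes, so
    'http://app.56.com@wooyun.org' is accepted.
    """
    return redirect_uri.startswith("http://app.56.com")


def browser_host(redirect_uri: str) -> str:
    """Host the user agent will actually send the token to.

    The RFC 3986 authority is [userinfo@]host[:port]: everything before the
    '@' is userinfo, so 'app.56.com' becomes a username and the host is
    'wooyun.org'. urlsplit() applies the same rule a browser does.
    """
    return urlsplit(redirect_uri).hostname or ""


def hardened_check(redirect_uri: str, registered: str = REGISTERED_REDIRECT) -> bool:
    """Component-wise comparison instead of a string prefix.

    Scheme, host, port and path must equal the registered value. Userinfo and
    fragments are rejected outright (RFC 6749 forbids fragments in redirect
    URIs, and no legitimate callback carries credentials). A query string is
    still allowed because clients commonly pass their own parameters there.
    """
    try:
        reg = urlsplit(registered)
        got = urlsplit(redirect_uri)
        reg_port, got_port = reg.port, got.port  # .port raises on junk like ':abc'
    except ValueError:
        return False
    if got.username is not None or got.password is not None:
        return False
    if got.fragment:
        return False
    if got.scheme != reg.scheme:
        return False
    if got.hostname != reg.hostname or got_port != reg_port:
        return False
    # Treat an empty path as '/', so 'http://h' and 'http://h/' compare equal.
    return (got.path or "/") == (reg.path or "/")


if __name__ == "__main__":
    for uri in (LEGIT_REDIRECT, BYPASS_REDIRECT):
        print(uri)
        print("  browser host :", browser_host(uri))
        print("  prefix check :", vulnerable_check(uri))
        print("  hardened     :", hardened_check(uri))
```

Even the hardened check still allows a query string; if the registered path on app.56.com contains an open redirect, that would let an attacker chain through it, which is why exact string comparison of the full registered URI is the safer policy where the client can live with it.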