Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Abusing Redirect Discrepancies to leak secrets in URLs - 2026

Rafael Castilho - Ethiack. Posted 30 days ago.
  • Passing secrets in URLs is common. Session tokens, magic links, and redemption codes all show up in URLs. The risk is that a URL ends up in unwanted places: logs, browser history, analytics platforms, etc. There have been many articles on redirects leaking secrets, but since then websites have become more and more hardened. So, this post focuses on applications that accept only a path instead of a full URL as the redirect target.
  • A URL can contain a fragment, introduced by # in the browser. This is valid on both an absolute and a relative URL. The fragment is never sent to the server, creating an interesting desync between what the browser sees and what the server sees. This is the quirk that will be explored in this post.
  • The author creates a really simple Flask application with the following steps:
    1. Browser makes a request to /share_redirect with the PATH that redeems the session token.
    2. The server responds with a 302 redirect, leading the browser to make another request to the server with the session token in the URL.
    3. The browser gets redirected to the final destination after redeeming the token.
  • Using the fragment, it's possible to create a chain of redirects. For instance, take the URL https://example.com/share_redirect?token=SECRET&url=%23x. The server will return a 302 response with Location: #x. On the browser side, the URL is now the same as before, apart from the fragment. The browser strips the #x from the request, so the server receives the identical request and the cycle repeats. This difference can be used to keep the loop going forever. Chrome has a limit of 20 redirects and will display an application error if this limit is exceeded.
  • So, what's the big deal? We can make the page crash! This means that the token is A) still usable and B) within the Navigation API. By running code on a same-origin page, such as via an XSS on the website, you can now use the Navigation API to recover the secret token. This leads to an account takeover with a single click. Although this can't be used on its own, it's an interesting exfiltration technique. Good article!
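The following is an added example of my own, not code from the post or from Ethiack's Flask app. It models the browser/server discrepancy the post describes (the browser resolves `Location: #x` against the current URL but never sends the fragment, so the server sees the same request every time) and shows the check a path-only redirect handler should apply to its `url` parameter. The function names, the `handle_share_redirect` handler, and the `SAMPLE_URL` with its placeholder token are all my own constructions.

```python
from urllib.parse import urljoin, urlsplit, urlunsplit

# Constructed sample in the shape the post describes; SECRET is a placeholder, not a real token.
SAMPLE_URL = "https://example.com/share_redirect?token=SECRET&url=%23x"


def server_visible_url(browser_url: str) -> str:
    """The request target the server actually receives: browsers never send the fragment."""
    s = urlsplit(browser_url)
    return urlunsplit((s.scheme, s.netloc, s.path, s.query, ""))


def simulate_redirect_chain(start_url: str, location_header: str, limit: int = 20) -> dict:
    """Model a browser following the same Location header over and over.

    Each hop resolves the (possibly relative) Location against the current URL, as a
    browser does. If the server-visible request never changes, the server cannot tell
    the chain is looping; the browser's own redirect limit (20 in Chrome, per the post)
    is what finally stops it.
    """
    first_seen = server_visible_url(start_url)
    current = start_url
    hops = 0
    while hops < limit:
        current = urljoin(current, location_header)  # "#x" keeps path and query, adds fragment
        hops += 1
        if server_visible_url(current) != first_seen:
            return {"looped": False, "hops": hops, "final_url": current}
    return {"looped": True, "hops": hops, "final_url": current}


def is_safe_local_path(target: str) -> bool:
    """Accept only an absolute path on the current origin with no fragment.

    Rejects full URLs, protocol-relative "//host", backslash variants, and any target
    carrying a "#" (the fragment-only "#x" case from the post), so the handler can
    never emit a Location header that resolves back to the current URL.
    """
    if not target or not target.startswith("/"):
        return False
    if target.startswith("//") or target.startswith("/\\"):
        return False
    if "#" in target or "\\" in target:
        return False
    s = urlsplit(target)
    return not (s.scheme or s.netloc)


def handle_share_redirect_unsafe(params: dict) -> tuple:
    """The weak behaviour: redirect wherever the url parameter points (hypothetical view)."""
    return 302, {"Location": params.get("url", "/")}


def handle_share_redirect(params: dict) -> tuple:
    """Hardened hypothetical view: refuse anything that is not a safe local path.

    Returns (status, headers) the way a framework view might. Note this only closes the
    fragment trick; the token is still in the URL, which the post's opening point warns
    against in the first place.
    """
    target = params.get("url", "")
    if not is_safe_local_path(target):
        return 400, {}
    return 302, {"Location": target}


if __name__ == "__main__":
    print(simulate_redirect_chain(SAMPLE_URL, handle_share_redirect_unsafe({"url": "#x"})[1]["Location"]))
    print(handle_share_redirect({"url": "#x"}))
    print(handle_share_redirect({"url": "/account/settings"}))
```

Running the script shows the unsafe handler's `#x` Location producing twenty hops with an unchanged server-visible request, while the hardened handler answers 400 to the same parameter and still redirects normally for `/account/settings`. The validation is deliberately an allow-list (absolute path, same origin, no fragment) rather than a block-list of known tricks.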