Showing posts from October, 2017
DOM XSS – auth.uber.com 


So, after reading a lot of write-ups about bug bounty, it's finally time to write one of my own. I hope that you will be able to take something from this into your bug bounty journey.
I don’t do much bug bounty, but I love to read write-ups about bugs that have been found by other bug bounty hunters, as I think it’s one of the best ways to learn new techniques.
This write-up will be about a DOM XSS I found in the auth.uber.com domain.
It all started with this link: https://auth.uber.com/login/?next_url=https%3A%2F%2Faccounts.uber.com%2Fprofile%2F&state=CISjEn7fDHVmQybjIOq_ZfPU8cVhJh9mOSsme-LYJUo%3D
Most Uber users are probably familiar with this one, but if you aren’t, here is the deal:
First behavior: When an unauthenticated user tries to visit an Uber domain such as m.uber.com, riders.uber.com and more, those domains will redirect him to the login screen at auth.uber.com and will include a parameter named next_url which is responsible for redirecting the us…