This Tiny Chrome Behavior Leads to an Account Takeover

This video explores how a single HTML image tag combined with browser referrer-policy abuse can hijack user sessions and lead to account takeovers. It demonstrates the vulnerabilities in OAuth flows and how attackers can manipulate browser behavior to leak sensitive data.

Key points:

  • A single image tag can be exploited to hijack user sessions by manipulating browser referrer headers.
  • Browsers normally restrict leaking full URLs across domains using the referrer policy, but setting it to 'unsafe-url' can bypass these protections.
  • OAuth workflows often send sensitive tokens and data via URL query parameters, which can be leaked through manipulated referrer headers.
  • Attackers can abuse trusted resources and embed malicious headers to force browsers to leak full URLs, including tokens.
  • A demo shows how to set up a web server that serves a minimal image with a modified Referrer-Policy header to facilitate session hijacking.
  • By intercepting OAuth redirect URLs and injecting malicious image tags, an attacker can steal authorization codes and hijack accounts.
  • This vulnerability emphasizes the importance of proper URL handling and browser security policies to prevent session hijacking attacks.
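As an added illustration (not code from the video), the following Python model of the browser's referrer-policy algorithm shows exactly which parts of an OAuth callback URL reach a cross-origin image request under each policy, which is the check a defender wants when deciding what policy the callback page must send. All URLs and the `code` value are constructed samples.

```python
from urllib.parse import parse_qs, urlsplit, urlunsplit

DEFAULT_PORT = {"http": 80, "https": 443}

def _origin_tuple(url):
    p = urlsplit(url)
    return p.scheme, p.hostname or "", p.port or DEFAULT_PORT.get(p.scheme)

def _stripped(url):
    # Full URL minus credentials and fragment (spec: "strip url for use as a referrer").
    p = urlsplit(url)
    netloc = (p.hostname or "") + (f":{p.port}" if p.port else "")
    return urlunsplit((p.scheme, netloc, p.path or "/", p.query, ""))

def _origin(url):
    p = urlsplit(url)
    return f"{p.scheme}://{p.hostname}{f':{p.port}' if p.port else ''}/"

def _downgrade(src, dst):
    # HTTPS page requesting a non-HTTPS resource.
    return urlsplit(src).scheme == "https" and urlsplit(dst).scheme != "https"

def referrer_for(policy, source, destination):
    """Referer value a browser sends when `source` requests `destination`, or None."""
    same = _origin_tuple(source) == _origin_tuple(destination)
    down = _downgrade(source, destination)
    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":          # path and query always sent: leaks the code
        return _stripped(source)
    if policy == "origin":
        return _origin(source)
    if policy == "same-origin":
        return _stripped(source) if same else None
    if policy == "strict-origin":
        return None if down else _origin(source)
    if policy == "no-referrer-when-downgrade":
        return None if down else _stripped(source)
    if policy == "origin-when-cross-origin":
        return _stripped(source) if same else _origin(source)
    if policy in ("strict-origin-when-cross-origin", ""):   # "" = Chrome's default
        return _stripped(source) if same else (None if down else _origin(source))
    raise ValueError(f"unknown policy {policy!r}")

def leaked_params(policy, source, destination):
    """Names of `source` query parameters that reach `destination` via Referer."""
    ref = referrer_for(policy, source, destination)
    return sorted(parse_qs(urlsplit(ref).query)) if ref else []

# Constructed sample: an OAuth callback page that still carries the code in its URL.
CALLBACK = "https://app.example/oauth/callback?code=CONSTRUCTED_CODE&state=xyz#top"
PIXEL = "https://third-party.example/pixel.gif"
```

Running `leaked_params("unsafe-url", CALLBACK, PIXEL)` returns `['code', 'state']` while the default policy returns `[]`, which is why the callback page should send `Referrer-Policy: no-referrer` and strip the code from the URL as soon as it is consumed.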