Security concern on the api and redirect hosts
Hi there,
I was implementing the api today and on the /users/@me endpoint there seems to be an unusual or at least unexpected behavior:
> GET /api/users/@me HTTP/1.1
> Host: discord.com
> User-Agent: GuzzleHttp/7
> Authorization: Bearer qkt9D8gSKLkBP6v49RfHf4hr5LR5Bk
* Mark bundle as not supporting multiuse
< HTTP/1.1 302 Moved Temporarily
< Server: Cisco Umbrella
< Date: Tue, 05 Jan 2021 12:17:13 GMT
< Content-Type: text/html
< Content-Length: 192
< Connection: keep-alive
< Set-Cookie: X-OpenDNS-Session=0fbcd188047c2040f00a1020370751b7e7069270fd56_c7cjzSWy; Path=/; Expires=Tue, 05-Jan-21 12:22:13 GMT
< Location: https://discord.com.x.0fbcd188047c2040f00a1020370751b7e706.9270fd56.id.opendns.com/s/discord.com/api/users/@me?X-OpenDNS-Session=xxx
< Via: HTTP/1.1 a_proxy_fra
As you can see, the api redirects through the Cisco OpenDNS portal, which is not a concern in itself until I figured out that the headers are not implicitly carried across (the authorization header in this case) and it is expected for the client to send the authorization header as part of the followed redirect. This is a huge security concern as I would be forwarding the user's tokens to a different domain (no longer discord.com, as you can see), and I am not really comfortable with that.
Is this the intended behaviour or is it a glitch in the matrix?
Regards,
Stelian
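The safe client-side behaviour for the exchange above is to drop credential headers whenever a redirect leaves the original origin. The following is an added example (not code from the post or from Discord) of such a redirect policy; the URLs and the Location value are the ones quoted in the post, and the header names considered sensitive are an assumption.

```python
"""Added example: refuse to carry Authorization (and similar) headers to a
different origin when following a 3xx redirect.  Not part of the original
post; the URLs below are copied from the exchange it quotes."""
from urllib.parse import urlsplit

# Constructed from the request and the 302 Location quoted in the post.
ORIGINAL_URL = "https://discord.com/api/users/@me"
REDIRECT_LOCATION = (
    "https://discord.com.x.0fbcd188047c2040f00a1020370751b7e706"
    ".9270fd56.id.opendns.com/s/discord.com/api/users/@me?X-OpenDNS-Session=xxx"
)

# Assumed set of headers that must never cross an origin boundary.
SENSITIVE_HEADERS = ("authorization", "proxy-authorization", "cookie")


def origin(url):
    """(scheme, host, port) with default ports filled in, so that
    https://discord.com and https://discord.com:443 compare equal."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port or {"https": 443, "http": 80}.get(scheme, 0)
    return scheme, host, port


def same_origin(a, b):
    return origin(a) == origin(b)


def headers_for_redirect(headers, from_url, location):
    """Headers allowed on the follow-up request.  Credentials survive only
    on the exact same origin; a host that merely *contains* the original
    name (discord.com.x...opendns.com) is a different origin."""
    if same_origin(from_url, location):
        return dict(headers)
    return {k: v for k, v in headers.items() if k.lower() not in SENSITIVE_HEADERS}


def follow_redirect(request_headers, from_url, status, location):
    """Return (next_url, next_headers) for a redirect status, else None."""
    if status not in (301, 302, 303, 307, 308):
        return None
    return location, headers_for_redirect(request_headers, from_url, location)
```

A client library should be checked for this behaviour before it is trusted with bearer tokens; if it forwards the header unchanged on a cross-host 302, the token reaches whatever host the intermediary names.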