
Bypassing Okta SSO=> HTTPS/HTTP

Summary:

When doing recon on Yahoo assets during the HackerOne AWC 2023, I found a host, foo.bar.yahoo.com. I thought it must be some internal tool for engineers: a few pages are listed, but clicking on any of them redirects to Okta SSO. During black-box testing I found a bug: requesting the host over http instead of https bypassed Okta and the host was accessible.

Reproduction Steps:

  1. Check the hostname foo.bar.yahoo.com on the Wayback Machine.
  2. Found an indexed page: https://foo.bar.yahoo.com/page1/endpoint/
  3. Go to this page; it redirects to Okta SSO.
  4. Probe both the https and http ports with httpx.
  5. http://foo.bar.yahoo.com/page1/endpoint also showed up in the results.
  6. The Content-Length of the https and http responses was different.
  7. Go to http://foo.bar.yahoo.com/page/endpoint and the whole page was directly accessible.
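The comparison in steps 4 to 7, written up as an added defender-side check (not code from the original post): it probes one path over http and https without following redirects and flags a host whose https response sends the client to the IdP while plain http answers 200 with a body. The hostnames, the `okta.com` suffix used to recognise the IdP, and the response values are assumptions, not values from the report.

```python
# Added example, not from the original post. Hostnames and sample responses are
# constructed placeholders; "okta.com" is only the IdP suffix assumed for matching.
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse
import urllib.error
import urllib.request

REDIRECTS = (301, 302, 303, 307, 308)

@dataclass
class Probe:
    scheme: str
    status: int
    location: Optional[str]  # Location header, if any
    body_len: int            # bytes of body actually returned

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # surface the 3xx instead of following it

def fetch(url: str, timeout: float = 10.0) -> Probe:
    """Live probe of one URL without following redirects (needs network)."""
    scheme = urlparse(url).scheme
    try:
        with urllib.request.build_opener(_NoRedirect).open(url, timeout=timeout) as r:
            return Probe(scheme, r.status, r.headers.get("Location"), len(r.read()))
    except urllib.error.HTTPError as e:  # 3xx/4xx/5xx arrive here
        return Probe(scheme, e.code, e.headers.get("Location"), len(e.read()))

def redirects_to_idp(p: Probe, idp=("okta.com",)) -> bool:
    host = (urlparse(p.location).hostname or "") if p.location else ""
    return p.status in REDIRECTS and any(host == s or host.endswith("." + s) for s in idp)

def redirects_to_https(p: Probe) -> bool:
    return p.status in REDIRECTS and bool(p.location) and urlparse(p.location).scheme == "https"

def classify(http: Probe, https: Probe) -> str:
    """ok: HTTPS is SSO-gated and HTTP upgrades to HTTPS or is SSO-gated too.
    exposed: HTTPS is SSO-gated but plain HTTP answers 200 with a body (the bug above).
    unprotected: neither scheme sends the client to the IdP.  review: anything else."""
    if redirects_to_idp(https):
        if redirects_to_https(http) or redirects_to_idp(http):
            return "ok"
        return "exposed" if http.status == 200 and http.body_len > 0 else "review"
    return "review" if redirects_to_idp(http) else "unprotected"

def check(host: str, path: str) -> str:
    """Probe both schemes for one path and classify, e.g. check("app.example.com", "/x/")."""
    return classify(fetch(f"http://{host}{path}"), fetch(f"https://{host}{path}"))
```

Run `check()` against your own hosts from an inventory; an "exposed" result is the port-80 listener serving the application without the SSO gate, which is the condition that a redirect of all plain-http traffic to https would remove.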

The host was showing ad-traffic data. I tried googling these terms but ended up reporting to the team directly, since the terms and results were beyond my understanding.

Timeline:

  1. 14 March 2023 - Reported to Yahoo Team (via HackerOne)
  2. 15 March 2023 - Status changed to Pending Program Review by HackerOne
  3. 18 March 2023 - Triaged by Yahoo Staff
  4. 7 April 2023 - Rewarded
  5. 3 May 2023 - Resolved

Causes of this finding:

I'm still curious to know how it worked. I made a few guesses as to why it could have happened, but I am still not sure why it worked this way.

  1. Accessing port 80 instead of port 443 bypasses Okta?
  2. Server misconfiguration while setting up SSL.

Future work: Research the cause by setting up Okta locally.

Happy Hacking!!
