Bypassing Okta SSO => HTTPS/HTTP

Summary:

When doing recon on Yahoo assets during HackerOne AWC 2023, I found a host foo.bar.yahoo.com. I thought it must be some internal tool for engineers; a few pages are listed, but clicking on any of them redirects to Okta SSO. I found a bug during black-box testing: using http instead of https bypassed Okta and the host was accessible.

Reproduction Steps:

  1. Check the hostname foo.bar.yahoo.com on the Wayback Machine.
  2. Found an indexed page: https://foo.bar.yahoo.com/page1/endpoint/
  3. Go to this page and it redirects to Okta SSO.
  4. Probe both the https and http ports with httpx.
  5. http://foo.bar.yahoo.com/page1/endpoint also showed up in the results.
  6. The Content-Length of the https and http pages was different.
  7. Go to http://foo.bar.yahoo.com/page1/endpoint and the whole page was directly accessible.

The host is showing adtraffic. I tried to Google these terms, but ended up reporting to the team directly since the terms and results were beyond my brain's scope.

Timeline:

  1. 14 March 2023 - Reported to Yahoo Team (via HackerOne)
  2. 15 March 2023 - Status changed to Pending Program Review by HackerOne
  3. 18 March 2023 - Triaged by Yahoo Staff
  4. 7 April 2023 - Rewarded
  5. 3 May 2023 - Resolved

Causes of this finding:

I'm still curious to know how it worked. I have a few guesses as to why it could have happened, but I am still not sure why it worked this way.

  1. Accessing port 80 instead of port 443 bypasses Okta?
  2. Server misconfiguration while setting up SSL.

Future work: Research the cause by setting up Okta locally.

Happy Hacking!!