Malicious callback url can be set while creating application in identity
Medium
Inflection
Team Summary
Official summary from Inflection
The researcher found that while creating any application in identity, you are required to provide a callback URL. If you provide a malicious callback URL, then JavaScript will stop you from submitting the form. But there is no server-side validation, and we can use an application proxy to bypass the JavaScript validation.
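The fix for this class of issue is to repeat the check on the server, where a proxy cannot skip it. The following is an added example, not code from the report or from Inflection; the acceptance policy (HTTPS only, no embedded credentials, no fragment), the `createApplication` handler and the `callbackUrl` field name are assumptions chosen for illustration.

```javascript
// Added example: the policy below is an assumption, not Inflection's actual rules.
const ALLOWED_SCHEMES = new Set(["https:"]);

// Returns { ok: true, url } or { ok: false, reason }.
function validateCallbackUrl(raw) {
  if (typeof raw !== "string" || raw.length === 0 || raw.length > 2048) {
    return { ok: false, reason: "missing or oversized" };
  }
  // URL parsers silently strip tabs, newlines and leading spaces; refuse them instead.
  if (/[\u0000-\u0020\u007f]/.test(raw)) {
    return { ok: false, reason: "whitespace or control character" };
  }
  let url;
  try {
    url = new URL(raw); // throws on relative or unparseable input
  } catch {
    return { ok: false, reason: "not an absolute URL" };
  }
  if (!ALLOWED_SCHEMES.has(url.protocol)) {
    return { ok: false, reason: "scheme not allowed" };
  }
  if (url.username !== "" || url.password !== "") {
    return { ok: false, reason: "embedded credentials" };
  }
  if (raw.includes("#")) {
    return { ok: false, reason: "fragment not allowed" };
  }
  // Store the normalized form so later comparisons use one canonical string.
  return { ok: true, url: url.href };
}

// Hypothetical create-application handler: the request body is untrusted even
// when the browser form already ran the same check, because a proxy can edit it.
function createApplication(body, store) {
  const check = validateCallbackUrl(body && body.callbackUrl);
  if (!check.ok) {
    return { status: 400, error: `invalid callback URL: ${check.reason}` };
  }
  store.push({ name: String(body.name), callbackUrl: check.url });
  return { status: 201 };
}
```

The client-side JavaScript check can stay as a usability aid; only the server-side result decides whether the application record is written.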
Reported by
csanuragjain
Report Details
Additional information and metadata
State
Closed
Substate
Resolved
Submitted
Weakness
Business Logic Errors