Fresh Session Cookie Exploit Server

✅ Server Running: Ready to capture fresh session cookies
📡 Endpoint: http://localhost:9000/collect
🎯 Sessions Captured: 3

🧪 Test the Vulnerability

⚡ NestJS Login Redirect - Fresh Session Cookie Capture

No domain setup needed! Works with localhost directly!

Enter your target backend URL:

What happens:
1. Victim is sent through OAuth login flow
2. After successful login, victim is redirected to this server
3. Fresh session cookie is captured immediately! 🎯
4. Works because returnUrl parameter has ZERO validation
5. Optionally captures additional credentials via fake login form

📍 Typical vulnerable endpoint pattern: /auth/*/login?returnUrl=

⚠️ Why This is Critical

Zero validation on redirect URLs - Any external URL accepted

Fresh session cookies captured - Full authentication immediately after login

No user interaction required - Just click a link

Works with localhost - No domain registration needed for testing

Credential harvesting - Fake login page can capture additional credentials

🛡️ How to Fix

// Implement proper URL validation: private validateReturnUrl(returnUrl: string | undefined): string { if (!returnUrl || returnUrl === 'undefined') { return this.configService.frontendUrl; } try { const parsed = new URL(returnUrl); const allowedHosts = [ 'your-frontend.com', 'your-domain.com' // DO NOT include localhost in production! ]; // Exact hostname match only if (allowedHosts.includes(parsed.hostname)) { return returnUrl; } } catch (e) { // Invalid URL format } // Default to safe URL return this.configService.frontendUrl; } // Then use in your controller: @Get('login') async login(@Query('returnUrl') returnUrl: string) { const safeReturnUrl = this.validateReturnUrl(returnUrl); // Use safeReturnUrl for redirects }

🚨 Fresh Session Cookie Exploit Server

📊 Status

🧪 Test the Vulnerability

⚡ NestJS Login Redirect - Fresh Session Cookie Capture

📊 Monitor Results

⚠️ Why This is Critical

🛡️ How to Fix

🔗 Additional Resources