Stealing OAuth access tokens via a proxy page

Date: 10, August, 2021

Author: Dhilip Sanjay S

Task

• This lab uses an OAuth service to allow users to log in with their social media account.

• Flawed validation by the OAuth service makes it possible for an attacker to leak access tokens to arbitrary pages on the client application.

• To solve the lab, identify a secondary vulnerability in the client application and use this as a proxy to steal an access token for the admin user's account.

• Use the access token to obtain the admin's API key and submit the solution using the button provided in the lab banner.

• The admin user will open anything you send from the exploit server and they always have an active session with the OAuth service.

• You can log in via your own social media account using the following credentials: wiener:peter.

Solution

• The comment section of the blog is an iframe, which uses postMessage():

parent.postMessage({type: 'onload', data: window.location.href}, '*')
function submitForm(form, ev) {
    ev.preventDefault();
    const formData = new FormData(document.getElementById("comment-form"));
    const hashParams = new URLSearchParams(window.location.hash.substr(1));
    const o = {};
    formData.forEach((v, k) => o[k] = v);
    hashParams.forEach((v, k) => o[k] = v);
    parent.postMessage({type: 'oncomment', content: o}, '*');
    form.reset();
}        

Exploit code

Access Token

• We get the access token in the logs of the exploit server.

API Key

• Now in the OAuth flow - /me request, replace the Bearer token with admin's token.

• You'll get the API key. Submit it to solve the lab!

References

Post Message in Javascript