OAuth Authentication
Lab: Authentication bypass via OAuth implicit flow
During the authentication process, we can see that the client sends this request before redirecting us back to the home page.

So to bypass the flow without the victim's password, we can just modify the highlighted section of the request during the authentication process.

After sending it, we can see that we are now logged in as the user carlos.

Lab: Forced OAuth profile linking
On the My Account page, we can see that there is a link to "Attach a social profile".

After clicking it, we are asked to log in to our social media account.
When we look at the proxy history, we can see that there is a request to link the profile using OAuth.

So we can just send this URL to the victim to complete the OAuth flow for us.
First, we need to intercept and drop the request so that the code remains valid.
Next, we send the payload to the victim using the exploit server.
After logging back in using the social media login, we are the administrator user.

Lab: OAuth account hijacking via redirect_uri
During the authentication process, we can see that the redirect_uri parameter calls back to that URL.

So we can trick the victim into sending us the generated code, so that we end up in the victim's account instead.
First, we send the payload over.
Next, we copy the code from the exploit server.
Finally, we just redo the auth flow but replace the code parameter.

After which, we are in the administrator account.
Lab: Stealing OAuth access tokens via an open redirect
There is an open redirect on the post page.

Next, we test whether the redirect_uri can reach that page.

It turns out that we are able to reach that page.
So we use it to redirect to our exploit server.
On the exploit server, we set this as the response body.
After that, we send it to the victim and we are able to get the access token.
We just need to swap in that access token when sending the GET request to /me.
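As an added defensive example (not part of the lab writeup or the lab code), the two checks that close the redirect_uri and profile-linking issues in the labs above: the authorization server matching redirect_uri exactly against a registered callback, and the client binding each authorization request to the browser session with a state parameter that it verifies before accepting a code. The client id, callback URL and sample URLs are constructed.

```python
import hmac
import secrets
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Constructed registration data (hypothetical client; not from the labs).
REGISTERED_REDIRECT_URIS = {
    "client-app": {"https://client.example/oauth-callback"},
}


def redirect_uri_allowed(client_id: str, redirect_uri: str) -> bool:
    """Authorization-server check: the supplied redirect_uri must exactly
    equal a registered callback. No prefix matching, so extra path
    segments, traversal, query strings or an open redirect elsewhere on
    the client's origin are all rejected."""
    parts = urlsplit(redirect_uri)
    if parts.scheme != "https" or parts.fragment:
        return False
    return redirect_uri in REGISTERED_REDIRECT_URIS.get(client_id, set())


class ClientSession:
    """Client-side state handling: each authorization request is bound to
    the browser session that started it, so a callback URL minted in one
    session is rejected when replayed in another (the forced-linking case)."""

    def __init__(self) -> None:
        self.pending_state: Optional[str] = None

    def start_authorization(self) -> str:
        # Unpredictable, single-use value sent as the state parameter.
        self.pending_state = secrets.token_urlsafe(32)
        return self.pending_state

    def handle_callback(self, callback_url: str) -> Optional[str]:
        """Return the authorization code only if state matches this
        session's pending value; the pending value is cleared either way."""
        params = parse_qs(urlsplit(callback_url).query)
        state = params.get("state", [""])[0]
        code = params.get("code", [""])[0]
        expected, self.pending_state = self.pending_state, None
        if not expected or not hmac.compare_digest(
            state.encode(), expected.encode()
        ):
            return None
        return code or None
```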
