Selcouth Cyber Security Services Private Limited

OAuth 2.0 – Part Three

AppSec + InfoSec + Web Attacks acc3ssp0int todayFebruary 15, 2021 572

Background
share close

Hello everyone, in this final installation of the OAuth blog series, we’ll be covering two vulnerabilities in the OAuth implementation. If you haven’t checked out the previous parts you can check out part one here and part two here. Before we get started, a big thanks to PortSwigger and their Web Security Academy Labs!

The first lab show cases the vulnerability of OAuth’s implicit grant permissions.

The second lab shows how a specifically crafted CSRF attack can link an available token with a victim’s account.

First Lab

To achieve this we perform 2 simple steps:

  1. We will step through the complete flow with our provided credentials until we reach the /authenticate call.
  2. In this authentication call we will change the email address to Carlos’s email address and proceed logging in.

Why Does This Work?

It is because client application doesn’t validate the access token with other parts of the data in the incoming request, simply changing the parameter (in this case the email id) allowed us to impersonate as Carlos.

Second Lab

  1. We would first be logging into the application through the Login call available with wiener’s credentials.
  2. Next, we will be attempting to attach a social profile, which would be wiener’s but not complete the flow so that we can use the valid access token for our attack (since no account will be associated to it)
  3. We intercept this entire request with burp and step through the flow till we reach the /oauth-linking call. We save this URL for later to craft our attack.
  4. Once we’ve copied this URL, we’ll be dropping this authentication flow to break it, and maintain an empty access token that will be used to link the admin’s social media credentials to it. [Do not forget to remove the token from the URL when navigating back to the previous page.]
  5. We then move to our exploit server to craft a specific iframe packet that will be sent to the administrator. [This scenario assumes that the administrator clicks any link given to him]
  6. This crafted packet will require two things, one the ID of your lab. and two the AUTH token we copied earlier.
  7. The crafted CSRF payload is delivered to the victim using the deliver exploit to victim call.
  8. Once we go in, we can see that we have the option to view the admin panel, which goes to show our exploit worked and are now in control of the admin page.

Why Does This Work?

This particular vulnerability worked due to the lack of state being used by the AUTH flow.

The full video walkthrough for both the labs are published on the company’s YouTube channel. Do check it out! Apologies for minor audio issues in Lab 2 due to the microphone 🙂

That would be all for the OAuth Series, stay tuned for more content!


At Selcouth, We believe that achieving cyber security is a continuous journey in which we partner with our clients to address the everchanging threat landscape. To address such threats, get in touch with us! You can also view our full range of service offerings and trainings!

Written by: acc3ssp0int

Rate it
Previous post

InfoSec acc3ssp0int / February 9, 2021

Zero-Trust 101

Zero-Trust is an up and coming security concept which says a simple thing: “Continuously validate all users, against set security configurations, before they are being granted permissions or are allowed to keep their existing access to resources & information”. This [...]


Similar posts

AppSec w1r3sh65rk / February 22, 2021

Secure Code Review – Part One

Before we travel through the Secure code review in SDLC phase. Let us first understand what is Secure Coding, why it should be the part of early phase of SDLC, importance and best practices, available tools. Security Code Review: A secure code review is a part of the code review process to identify missing best ...

Read more trending_flat

AppSec acc3ssp0int / February 15, 2021

OAuth 2.0 – Part Three

Hello everyone, in this final installation of the OAuth blog series, we’ll be covering two vulnerabilities in the OAuth implementation. If you haven’t checked out the previous parts you can check out part one here and part two here. Before we get started, a big thanks to PortSwigger and their Web Security Academy Labs! The ...

Read more trending_flat