OAuth Bypass

OAuth

Steps of OAuth

Authorization Code

  1. Authorization Request

    • Common parameters: redirect_uri/response_type/scope/state
      EX:
        GET /authorization?client_id=12345&redirect_uri=https://client-app.com/callback&response_type=code&scope=openid%20profile&state=ae13d489bd00e3c24 HTTP/1.1
        Host: oauth-authorization-server.com

  2. User Consent

  3. Authorization Code Grant

    • Common parameters: code/state

    • Vulnerable to CSRF (when state is missing or not checked)
      EX:
        GET /callback?code=a1b2c3d4e5f6g7h8&state=ae13d489bd00e3c24 HTTP/1.1
        Host: client-app.com

  4. Access Token Request

    • Common parameters: client_secret/grant_type/client_id/redirect_uri/code
      EX:
        POST /token HTTP/1.1
        Host: oauth-authorization-server.com
        …
        client_id=12345&client_secret=SECRET&redirect_uri=https://client-app.com/callback&grant_type=authorization_code&code=a1b2c3d4e5f6g7h8

  5. Access token grant

    • Server responds with Bearer Token

  6. API call

    • Contains Authorization header w/ Bearer Token

  7. Resource grant

    • Server responds with sensitive data
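A worked example of the client side of steps 1, 3 and 4, added here and not part of the original page: the client generates an unguessable state per login attempt, stores it in the user's session, and refuses any callback whose state does not match, which is the defence against the CSRF noted at step 3. The authorization endpoint URL, the session dict and the client_secret are assumed placeholders; client_id and redirect_uri reuse the page's example values.

```python
# Added example (not from the original page): client side of the
# authorization-code flow with state bound to the user's session.
# AUTHORIZE_URL, the session dict and client_secret are assumed values.
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

AUTHORIZE_URL = "https://oauth-authorization-server.com/authorization"  # assumed
CLIENT_ID = "12345"                                                     # page's example value
REDIRECT_URI = "https://client-app.com/callback"                        # page's example value


def build_authorization_request(session: dict, scope: str = "openid profile") -> str:
    """Step 1: build the redirect to the authorization endpoint.

    A fresh, unguessable state is generated per login attempt and stored in the
    user's session; it is the only thing tying the later callback to this browser.
    """
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    params = {
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "response_type": "code",
        "scope": scope,
        "state": state,
    }
    return AUTHORIZE_URL + "?" + urlencode(params)


def handle_callback(session: dict, callback_url: str) -> str:
    """Step 3: accept the authorization code only if state matches the session.

    Raises ValueError otherwise. A client that skips this check is the
    'no state parameter used -> CSRF' finding from the testing steps.
    """
    query = parse_qs(urlparse(callback_url).query)
    expected = session.pop("oauth_state", None)   # single use: consume it
    received = query.get("state", [None])[0]
    if expected is None or received is None or not secrets.compare_digest(expected, received):
        raise ValueError("state mismatch: possible CSRF / forged callback")
    code = query.get("code", [None])[0]
    if not code:
        raise ValueError("callback carries no authorization code")
    return code


def build_token_request(code: str, client_secret: str) -> dict:
    """Step 4: form body for POST /token.

    redirect_uri is sent again so the server can check it equals the one used
    in step 1 (RFC 6749 section 4.1.3).
    """
    return {
        "client_id": CLIENT_ID,
        "client_secret": client_secret,
        "redirect_uri": REDIRECT_URI,
        "grant_type": "authorization_code",
        "code": code,
    }


if __name__ == "__main__":
    session = {}
    print(build_authorization_request(session))
    cb = REDIRECT_URI + "?code=a1b2c3d4e5f6g7h8&state=" + session["oauth_state"]
    print(build_token_request(handle_callback(session, cb), "SECRET"))
```

The state is consumed on first use, so a replayed callback URL fails even if it was once valid; the comparison is constant-time, which costs nothing here and avoids a timing side channel on the session value.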

Step 1: Search traffic for known OAuth parameters
  - client_id
  - redirect_uri
  - response_type
  - state

Step 2: Send GET request to known OAuth Service Provider endpoints
  - /.well-known/oauth-authorization-server
  - /.well-known/openid-configuration

Step 3: Identify Grant Type (response_type parameter)
  - Authorization Code -- response_type=code
  - Implicit -- response_type=token (More common in SPAs and Desktop Apps)

Step 4: Identify misconfigurations that can be abused
  - Implicit -- All data in POST request not validated when establishing session
  - Authorization Code -- No state parameter used -> CSRF (most impact when linking accounts)
  - Authorization Code / Implicit -- Steal code/token through redirect_uri
    ~ There are several redirect possibilities:
      1. Redirect to any domain
      2. Redirect to any subdomain
      3. Redirect to specific domains
      4. Redirect to one domain, all paths
      5. Redirect to one domain, specific paths
      6. Redirect to one domain, one path
      7. Redirect to whitelisted domains and/or paths based on Regex
      8a. Can add parameters
      8b. Can add specific parameters
      8c. Cannot add parameters
      Note: Try using parameter pollution, SSRF/CORS defense bypass techniques, localhost.evil-server.net, etc.
    ~ Steps:
      Step 1: Send malicious URL with poisoned redirect_uri parameter
      Step 2: Read code/token in response
      Step 3: Substitute stolen code/token when logging in
      Note: If the redirect_uri parameter is sent along with the code/token, the server is likely not vulnerable
    ~ Steal parameter data from hash fragments:
        if (document.location.hash) {
          console.log("Hash identified -- redirecting...");
          window.location = '/?' + document.location.hash.substr(1);
        } else {
          console.log("No hash identified in URL");
        }
  - Upgrade scope to access protected resources (depends on grant type):
    ~ Authorization Code:
      Step 1: Register a malicious application with the OAuth server
      Step 2: Victim approves limited scope
      Step 3: Malicious application sends POST request to /token with expanded scope
      Result: If the OAuth server does not validate the scope against the original request, the access token returned will have an expanded authorization
    ~ Implicit:
      Step 1: Steal access token
      Step 2: Manually send access token with expanded scope
      Result: If the OAuth server does not validate the scope against the original request, the access token returned will have an expanded authorization
  - Sign up with victim's email to get account takeover
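An added example, not code from the page: the authorization-server side of the Step 4 findings above. It registers a client's redirect URIs as an exact set, validates redirect_uri by exact string comparison (the form that rejects all of the listed redirect possibilities, including localhost.evil-server.net style hosts and added parameters), and implements a /token handler that binds each code to the client, redirect_uri and scope it was issued for, so the scope-upgrade and code-reuse cases fail. The client registry, client secret and code store are constructed in-memory values.

```python
# Added example (not the page's code): authorization-server checks whose
# absence produces the Step 4 findings. CLIENTS and ISSUED_CODES are
# constructed in-memory stand-ins for a real registry and code store.
import secrets
from urllib.parse import urlsplit

# Constructed client registry: the ONLY redirect URIs this client may use.
CLIENTS = {
    "12345": {
        "secret": "SECRET",
        "redirect_uris": {"https://client-app.com/callback"},
    }
}

# Constructed issued-code store: code -> what it was issued for.
ISSUED_CODES: dict = {}


def redirect_uri_allowed(client_id: str, redirect_uri: str) -> bool:
    """Exact match against the registered set (RFC 6749 3.1.2.2, RFC 6819 5.2.3.5).

    Anything looser (any domain, any subdomain, prefix/path match, regex) maps
    to one of the redirect possibilities listed above; exact matching is the
    one form that rejects all of them, including added parameters and fragments.
    """
    client = CLIENTS.get(client_id)
    if client is None:
        return False
    parts = urlsplit(redirect_uri)
    if parts.scheme != "https" or parts.fragment:
        return False
    return redirect_uri in client["redirect_uris"]


def issue_code(client_id: str, redirect_uri: str, scope: str) -> str:
    """Step 3: mint a code only for a validated redirect_uri, remembering
    exactly what the user consented to."""
    if not redirect_uri_allowed(client_id, redirect_uri):
        raise ValueError("invalid redirect_uri")
    code = secrets.token_urlsafe(24)
    ISSUED_CODES[code] = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": set(scope.split()),
        "used": False,
    }
    return code


def token_endpoint(form: dict) -> dict:
    """Step 4: POST /token. Returns the token response or raises ValueError.

    The scope check is what defeats the 'upgrade scope' case: the requested
    scope may equal or narrow the scope the code carries, never widen it.
    """
    client = CLIENTS.get(form.get("client_id", ""))
    if client is None or not secrets.compare_digest(client["secret"], form.get("client_secret", "")):
        raise ValueError("invalid_client")
    if form.get("grant_type") != "authorization_code":
        raise ValueError("unsupported_grant_type")
    issued = ISSUED_CODES.get(form.get("code", ""))
    if issued is None or issued["used"]:
        raise ValueError("invalid_grant: unknown or reused code")
    issued["used"] = True  # single use; any failed attempt burns the code (RFC 6749 4.1.2)
    if issued["client_id"] != form["client_id"]:
        raise ValueError("invalid_grant: code belongs to another client")
    if form.get("redirect_uri") != issued["redirect_uri"]:
        raise ValueError("invalid_grant: redirect_uri mismatch")
    requested = set(form.get("scope", " ".join(sorted(issued["scope"]))).split())
    if not requested <= issued["scope"]:
        raise ValueError("invalid_scope: broader than what the user approved")
    return {
        "access_token": secrets.token_urlsafe(32),
        "token_type": "Bearer",
        "scope": " ".join(sorted(requested)),
    }


if __name__ == "__main__":
    c = issue_code("12345", "https://client-app.com/callback", "openid profile")
    print(token_endpoint({"client_id": "12345", "client_secret": "SECRET",
                          "redirect_uri": "https://client-app.com/callback",
                          "grant_type": "authorization_code", "code": c}))
```

Rejecting on the first failed check and burning the code means a token request that tries a wider scope also invalidates the code for any later legitimate exchange, which is the behaviour RFC 6749 asks for on suspected misuse.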

Last updated