OAUTH TO ATO
How to differentiate between implicit and authorization code grant type
In OAuth there are 2 types of flows/grant types:
Authorization code flow
Implicit flow
Note: if the oauth service uses authorization code flow then there is little to no chance of finding a bug but if the oauth service uses implicit flow then there is a good chance of finding bugs
How to differentiate between implicit and authorization code grant type
Authorization code grant type
1- Authorization request
When you send an authorization request to the oauth service in the client application , The client application sends a request to the OAuth service's
/authorization
endpoint asking for permission to access specific user data.
Note: the endpoint name can be different according to the application like
/auth
etc. but you can identify them based on the parameters used.
The request in authorization code flow looks like:
So, in authorization code grant type the
response_type
parameter should becode
. this code is used to request access token from the oauth service.Now, after the user login to their account with the OAuth provider and gives consent to access their data. the user will be redirected to the
/callback
endpoint that was specified in theredirect_uri
parameter of the authorization request. The resultingGET
request will contain the authorization code as a query parameter.
2- Authorization code grant
Rest of the stuff like access token grant and API calls are done in the back-end so you cannot see them in your proxy.
factors that determine authorization code flow:
Initial authorization request has
response_type=code
the
/callback
request contains authorization code as a parameter.
Implicit grant type
Authorization request
The implicit flow starts in pretty much the same way as the authorization code flow. The only major difference is that the
response_type
parameter must be set totoken
.
Access Token grant
If the user logs in and gives their consent to the request access , the oauth service redirects the user to the
/callback
endpoint but instead of sending a parameter containing an authorization code, it will send the access token and other token-specific data as a URL fragment.
factors that determine Implicit flow:
Initial authorization request has
response_type=token
the
/callback
request contains access token as a parameter.
Authentication bypass via OAuth implicit flow
To log the user in every time with oauth , the client application sends a POST request to the server containing user info (email-id, username) and access token to generate a session cookie.
so, find a POST req in http history which contains user-info and access token.
Usually in implicit flow , the server doesn't validate the access token so you can change the parameters like email-id and/or username to impersonate another user and bypass authentication.
Forced OAuth profile linking
This is similar to a traditional CSRF attack so the impact may not be that much.
In this when you sign in with social media profile, you will be redirected to the social media website and then you log in with social media credentials.
Now the next time when you log in , you will be logged in instantly. capture this request with burp.
In the http history there would be a request similar to
/auth?client_id[...]
. In that request the redirect_uri sends the authorization code to something like/oauth-linking
. Check if thestate
parameter is present. if its not present then it is vulnerable to CSRF attacks. because that means there is no way for server to verify if this information is from the same user.So absence of
state
parameter in this request is itself a vulnerability.Past this you can try sending the exploit link to the victim and complete the oauth flow by attaching your social media profile to their account.
For this copy URL of the request in burp and drop the request so that the code isn't used.
Turn off intercept and log out of website.
Now you can send this link to the victim or you can set it as an iframe on your website
<iframe src="request URL"></iframe>
. and deliver your website link to the victim.When their browser loads the
iframe
, it will complete the OAuth flow using your social media profile, attaching it to the victim account.
Insufficient Redirect URI Validation
The redirect_uri
is very important because sensitive data, such as the **code**
is appended to this URL after authorization. If the redirect_uri
can be redirected to an attacker controlled server, this means the attacker can potentially takeover a victim’s account by using the code
themselves, and gaining access to the victim’s data.
The way this is going to be exploited is going to vary by authorization server. Some will only accept the exact same **redirect_uri**
path as specified in the client application, but some will accept anything in the same domain or subdirectory of the redirect_uri
.
Open redirects:
https://yourtweetreader.com
/callback?redirectUrl=https://evil.com
Path traversal:
https://yourtweetreader.com/callback/../redirect?url=https://evil.com
Weak
redirect_uri
regexes:https://yourtweetreader.com.evil.com
HTML Injection and stealing tokens via referer header:
https://yourtweetreader.com/callback/home/attackerimg.jpg
XSS in redirect implementation As mentioned in this bug bounty report https://blog.dixitaditya.com/2021/11/19/account-takeover-chain.html it might be possible that the redirect URL is being reflected in the response of the server after the user authenticates, being vulnerable to XSS. Possible payload to test:
https://app.victim.com/login?redirectUrl=https://app.victim.com/dashboard</script><h1>test</h1>
Other parameters that can be vulnerable to Open Redirects are: - client_uri - URL of the home page of the client application - policy_uri - URL that the Relying Party client application provides so that the end user can read about how their profile data will be used. - tos_uri - URL that the Relying Party client provides so that the end user can read about the Relying Party's terms of service. - initiate_login_uri - URI using the https scheme that a third party can use to initiate a login by the RP. Also should be used for client-side redirection
If you target an OpenID server, the discovery endpoint at **
.well-known/openid-configuration
**sometimes contains parameters such as "registration_endpoint", "request_uri_parameter_supported", and "require_request_uri_registration". These can help you to find the registration endpoint and other server configuration values.
Pre - Account take Over
One of the other more common issues I see is when applications allow “Sign in with X” but also username/password. There are 2 different ways to attack this:
If the application does not require email verification on account creation, try creating an account with a victim’s email address and attacker password before the victim has registered. If the victim then tries to register or sign in with a third party, such as Google, it’s possible the application will do a lookup, see that email is already registered, then link their Google account to the attacker created account. This is a “pre account takeover” where an attacker will have access to the victim’s account if they created it prior to the victim registering.
If an OAuth app does not require email verification, try signing up with that OAuth app and then change the email address with a victim’s email address. The same issue as above could exist, but you’d be attacking it from the other direction and getting access to the victim’s account for an account takeover
if target enable self confirmation for email change you can try to change your email to non-registered victim account and then try to login with your old OAUTH
Disclosure of Secrets
It’s very important to recognize which of the many OAuth parameters are secret, and to protect those. For example, leaking the client_id
is perfectly fine and necessary, but leaking the client_secret
is dangerous. If this is leaked, the attacker can potentially abuse the trust and identity of the trusted client application to steal user access_tokens
and private information/access for their integrated accounts. Going back to our earlier example, one issue I’ve seen is performing this step from the client, instead of the server:
https://yourtweetreader.com will then take that
code
, and using their application’sclient_id
andclient_secret
, will make a request from the server to retrieve anaccess_token
on behalf of you, which will allow them to access the permissions you consented to.If this is done from the client, the
**client_secret**
will be leaked and users will be able to generate**access_tokens**
on behalf of the application. With some social engineering, they can also add more scopes to the OAuth authorization and it will all appear legitimate as the request will come from the trusted client application.
Client Secret Brute_Force
You can try to bruteforce the client_secret of a service provider with the identity provider in order to be try to steal accounts. The request to BF may look similar to:
Referrer Header leaking Code + State
Once the client has the code and state, if it's reflected inside the Referrer header when he browses to a different page, then it's vulnerable.
Access Token Stored in Browser History
Go to the browser history and check if the access token is saved in there.
Everlasting Authorization Code
The authorization code should live just for some time to limit the time window where an attacker can steal and use it.
Authorization/Refresh Token not bound to client
If you can get the authorization code and use it with a different client then you can takeover other accounts.
Refresh Token -> https://medium.com/@iknowhatodo/what-about-refreshtoken-19914d3f2e46
Other Bugs
Misconfigured oauth leads to Pre account takeover
Attacker Creates Account with victim email
Victim makes account using OAUTH and login
Attacker login with old credentials he made in step1
Last updated