OAuth Security Testing
Authentication Bypass via OAuth Implicit Flow
Study the OAuth flow starting from the authorization request: GET /auth?client_id=[...]
1. The client receives user info from the OAuth service.
2. The client logs in by sending a POST request to its /authenticate endpoint with the user info and the access token.
3. In Burp Repeater, modify the email in the POST request to impersonate another user.
4. Right-click the POST request, select "Request in browser" > "In original session", visit the URL, and log in as another user.
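The weakness behind the steps above is a client /authenticate endpoint that trusts the email the browser posts alongside the access token instead of asking the provider who the token belongs to. The following Python is an added illustration, not code from the original checklist: it shows that handler in its vulnerable form next to a hardened one. FAKE_USERINFO, ACCOUNTS and the token strings are constructed stand-ins for the provider's userinfo endpoint and the client's user table.

```python
"""Client-side /authenticate handler, vulnerable and hardened (added example)."""

# Constructed stand-in for the provider: access token -> profile the provider vouches for.
FAKE_USERINFO = {
    "tok-alice-123": {"sub": "1001", "email": "alice@example.com"},
}

# Constructed local account table: email -> username.
ACCOUNTS = {"alice@example.com": "alice", "bob@example.com": "bob"}

# Alice's genuine token posted together with Bob's email (the impersonation step above).
TAMPERED_POST = {"token": "tok-alice-123", "email": "bob@example.com"}


def provider_userinfo(access_token):
    """Simulated userinfo call. A real client would GET the provider's userinfo
    endpoint over HTTPS with 'Authorization: Bearer <token>'; None means the
    provider rejected the token."""
    return FAKE_USERINFO.get(access_token)


def authenticate_vulnerable(post_body):
    """Only checks that the token is valid *for someone*, then logs in whatever
    email the browser posted. The attacker controls the lookup key."""
    if provider_userinfo(post_body["token"]) is None:
        return None
    return ACCOUNTS.get(post_body["email"])


def authenticate_hardened(post_body):
    """Derives the identity from the provider's answer for the token and ignores
    posted profile fields. A mismatch is worth alerting on: the browser claimed
    an identity the token does not carry."""
    info = provider_userinfo(post_body["token"])
    if info is None:
        return None
    if post_body.get("email") != info["email"]:
        print(f"alert: posted email {post_body.get('email')!r} differs from "
              f"token identity {info['email']!r}")
    return ACCOUNTS.get(info["email"])


if __name__ == "__main__":
    print("vulnerable logs in as:", authenticate_vulnerable(TAMPERED_POST))  # bob
    print("hardened logs in as:  ", authenticate_hardened(TAMPERED_POST))    # alice
```

In the implicit flow the client should additionally confirm that the token was issued to its own client_id (the provider's tokeninfo or introspection endpoint reports this), otherwise a token legitimately obtained by a different application can be replayed against this one.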
Forced OAuth Profile Linking
1. Sign in with a social media profile.
2. Capture the request that includes redirect_uri in /auth?client_id=[...].
3. Check if the state parameter is present. If not, it's vulnerable to CSRF.
4. Copy the request URL from Burp, drop the request, and turn off intercept.
5. Log out, send the link to the victim, or use an iframe on your website.
6. The victim's browser completes the OAuth flow, linking your profile to their account.
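The missing piece in a flow that can be forced this way is a state value generated per browser session and checked on the callback. The Python below is an added example of how a client does that, not code from the original page; the session store, AUTH_ENDPOINT, CLIENT_ID and REDIRECT_URI are constructed placeholders.

```python
import hmac
import secrets

# Constructed in-memory session store: session id -> session data. A real client
# keeps this server-side, tied to the browser's session cookie.
SESSIONS = {}

# Assumed values for this illustration; not from the original page.
AUTH_ENDPOINT = "https://provider.example/auth"
CLIENT_ID = "CLIENT_ID_PLACEHOLDER"
REDIRECT_URI = "https://app.example/callback"


def start_oauth(session_id):
    """Mint an unguessable state, bind it to this browser's session, and build
    the authorization request URL the user is redirected to."""
    state = secrets.token_urlsafe(32)
    SESSIONS.setdefault(session_id, {})["oauth_state"] = state
    return (f"{AUTH_ENDPOINT}?client_id={CLIENT_ID}&redirect_uri={REDIRECT_URI}"
            f"&response_type=code&state={state}")


def handle_callback(session_id, query):
    """Accept the callback only if the echoed state equals the one stored in
    THIS session. A link captured by an attacker carries the attacker's state
    (or none), so it cannot link the attacker's profile to the victim's account."""
    session = SESSIONS.get(session_id, {})
    expected = session.pop("oauth_state", None)  # single use: a replay fails too
    received = query.get("state")
    if not expected or not received:
        return "reject: missing state"
    if not hmac.compare_digest(expected.encode(), received.encode()):
        return "reject: state mismatch (possible CSRF)"
    if "code" not in query:
        return "reject: missing code"
    return f"ok: exchange code {query['code']} for tokens"


if __name__ == "__main__":
    print(start_oauth("sess-victim"))
    # An attacker's captured link replayed in the victim's browser: wrong state.
    print(handle_callback("sess-victim", {"code": "attacker-code", "state": "attacker-state"}))
```

The state is popped on first use, so a callback URL cannot be replayed, and the comparison is constant-time out of habit rather than necessity. For OpenID Connect the nonce parameter gives the same binding for the ID token.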
Insufficient Redirect URI Validation
Exploits:
Open redirect: redirect sensitive data to an attacker-controlled server.
https://yourtweetreader.com/callback?redirectUrl=https://evil.com
redirect_uri bypasses:
Path traversal:
https://yourtweetreader.com/callback/../redirect?url=https://evil.com
Weak regexes:
https://yourtweetreader.com.evil.com
HTML injection:
https://app.victim.com/login?redirectUrl=https://app.victim.com/dashboard</script><h1>test</h1>
XSS: the redirect URL is reflected in the response.
Steps:
1. Identify the redirect_uri parameter.
2. Construct an exploit URL to steal the authorization code.
3. Use the stolen code to complete the OAuth flow.
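All of the bypasses listed above defeat prefix or regex matching; none of them survives an exact match against the registered redirect URI. The Python below is an added example, not code from the original page, that runs the page's own payloads through a weak prefix check and through an exact-match validator. REGISTERED_REDIRECTS is a constructed client registry.

```python
import re
from urllib.parse import urlsplit

# Constructed client registry: client_id -> redirect URIs registered at onboarding.
REGISTERED_REDIRECTS = {
    "tweetreader": ["https://yourtweetreader.com/callback"],
    "victimapp": ["https://app.victim.com/dashboard"],
}

# The page's bypass payloads, used here as inputs for the validators.
PAYLOADS = {
    "open redirect": "https://yourtweetreader.com/callback?redirectUrl=https://evil.com",
    "path traversal": "https://yourtweetreader.com/callback/../redirect?url=https://evil.com",
    "weak regex": "https://yourtweetreader.com.evil.com",
    "html injection": "https://app.victim.com/dashboard</script><h1>test</h1>",
}


def weak_is_allowed(uri):
    """The classic mistake: a prefix regex with no end anchor and no path check."""
    return re.match(r"^https://yourtweetreader\.com", uri) is not None


def canonical(uri):
    """Canonical form for exact matching: https only, lowercase host, default
    port dropped, empty path becomes '/'. Fragments, userinfo and dot segments
    are rejected outright rather than normalised away."""
    try:
        p = urlsplit(uri)
        port = p.port
    except ValueError:
        return None
    if p.scheme != "https" or not p.hostname or p.fragment or p.username is not None:
        return None
    path = p.path or "/"
    if any(seg in ("..", ".") for seg in path.split("/")):
        return None
    host = p.hostname + ("" if port in (None, 443) else f":{port}")
    return f"https://{host}{path}" + (f"?{p.query}" if p.query else "")


def strict_is_allowed(client_id, uri):
    """Exact match (including query string) against the registered list."""
    requested = canonical(uri)
    if requested is None:
        return False
    return any(requested == canonical(r) for r in REGISTERED_REDIRECTS.get(client_id, []))


if __name__ == "__main__":
    for name, payload in PAYLOADS.items():
        print(f"{name:15} weak={weak_is_allowed(payload)!s:5} strict={strict_is_allowed('tweetreader', payload)}")
```

Note that the query string is part of the match: the open-redirect payload is rejected by the authorization server even though the vulnerable parameter lives on the client, which takes that chaining step away. The client-side fix for the open redirect itself is to treat redirectUrl as a path on its own origin, never as a full URL.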
SSRF via OpenID Dynamic Client Registration
1. Browse /.well-known/openid-configuration to find the registration endpoint.
2. Create a POST request to register a client.
3. Test whether the logo_uri parameter is vulnerable to SSRF.
Stealing OAuth Access Tokens via a Proxy Page
1. Register a client using a POST request.
2. Test logo_uri for SSRF to read metadata files.
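Both of the preceding sections come down to the registration endpoint fetching whatever logo_uri it is handed. The Python below is an added example, not code from the original page, of the validation a registration endpoint should apply before fetching: https only, no credentials, and both literal and resolved addresses checked against private, loopback and link-local ranges (including the 169.254.169.254 metadata address). FAKE_DNS and the hostnames in it are constructed so the example runs offline; a real server resolves with socket.getaddrinfo.

```python
import ipaddress
from urllib.parse import urlsplit

# Address ranges a registration endpoint must never fetch from (constructed list;
# extend it for your own environment).
BLOCKED = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]

# Constructed DNS answers so the example runs offline.
FAKE_DNS = {
    "cdn.example": ["203.0.113.10"],
    "intranet.corp.example": ["10.0.0.5"],
    "rebinder.example": ["203.0.113.20", "127.0.0.1"],  # one public, one loopback answer
}


def fake_resolve(hostname):
    return FAKE_DNS.get(hostname, [])


def address_is_blocked(ip_text):
    ip = ipaddress.ip_address(ip_text)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:127.0.0.1 is still loopback
    return any(ip in net for net in BLOCKED)


def validate_logo_uri(uri, resolve=fake_resolve):
    """Returns (ok, reason). Rejects non-https schemes, credentials in the URL,
    literal or resolved addresses in blocked ranges, and names with no answer.
    Every resolved address must be clean, not just the first one."""
    try:
        p = urlsplit(uri)
        p.port  # raises ValueError on a malformed port
    except ValueError:
        return False, "unparseable URL"
    if p.scheme != "https":
        return False, f"scheme {p.scheme!r} not allowed"
    if not p.hostname:
        return False, "missing host"
    if p.username is not None:
        return False, "credentials in URL"
    try:
        addresses = [str(ipaddress.ip_address(p.hostname))]  # literal address
    except ValueError:
        addresses = resolve(p.hostname)
    if not addresses:
        return False, "host does not resolve"
    for addr in addresses:
        if address_is_blocked(addr):
            return False, f"{p.hostname} -> {addr} is in a blocked range"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("https://cdn.example/logo.png",
                      "http://169.254.169.254/latest/meta-data/",
                      "https://[::ffff:127.0.0.1]/logo.png",
                      "https://rebinder.example/logo.png"):
        print(candidate, "->", validate_logo_uri(candidate))
```

Validation alone is not enough: the fetch must connect to the address that was validated (not re-resolve the name, which is the DNS-rebinding window), must re-validate every HTTP redirect, and should run from a network segment with no route to metadata or internal services.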
OAuth Account without Email Address
1. Register an account with a phone number at the third-party provider.
2. Use this account to register on the target.
3. In settings, add the victim's email.
Microsoft nOAuth Misconfiguration
Facebook OAuth Misconfiguration
1. Click "Sign in with Facebook".
2. Click "Edit Access".
3. Uncheck "Email address".
4. You are logged in without an email address.
OAuth Code Flaws
Reuse of authorization codes.
Brute-force attacks on codes.
Validity of a code across different applications.
Access Token Scope Abuse
Use an access token to access elevated scope endpoints.
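The check that stops scope abuse lives on the resource server: every route declares the scope it needs and the token's granted scope must cover it. The Python below is an added example, not code from the original page; INTROSPECTION holds constructed RFC 7662-style introspection results, and the routes and scope names are assumptions.

```python
# Constructed introspection responses (RFC 7662 shape) for three tokens.
INTROSPECTION = {
    "tok-reader": {"active": True, "scope": "profile:read",
                   "aud": "api.example", "client_id": "app"},
    "tok-admin": {"active": True, "scope": "profile:read admin:write",
                  "aud": "api.example", "client_id": "console"},
    "tok-other": {"active": True, "scope": "admin:write",
                  "aud": "billing.example", "client_id": "app"},
}
RESOURCE_AUDIENCE = "api.example"  # assumed identifier of this resource server

# Scope each route demands; the DELETE route is the "elevated" endpoint.
REQUIRED_SCOPES = {
    ("GET", "/me"): {"profile:read"},
    ("DELETE", "/users/42"): {"admin:write"},
}
ALERTS = []  # scope-escalation attempts worth forwarding to monitoring


def introspect(token):
    """Simulated introspection call; unknown tokens are reported inactive."""
    return INTROSPECTION.get(token, {"active": False})


def authorize(token, method, path):
    """Return an HTTP status: 401 for a dead token or one meant for a different
    resource, 404 for an unknown route, 403 when scope is insufficient, else 200."""
    info = introspect(token)
    if not info.get("active") or info.get("aud") != RESOURCE_AUDIENCE:
        return 401
    required = REQUIRED_SCOPES.get((method, path))
    if required is None:
        return 404
    granted = set(info.get("scope", "").split())
    if not required <= granted:
        ALERTS.append(f"client {info['client_id']} with scope {sorted(granted)} "
                      f"tried {method} {path}")
        return 403
    return 200


if __name__ == "__main__":
    print(authorize("tok-reader", "GET", "/me"))            # 200
    print(authorize("tok-reader", "DELETE", "/users/42"))   # 403
    print(ALERTS)
```

Checking the audience matters as much as the scope: a token carrying admin:write for a different API must not unlock the admin route here.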
Pre-Account Takeover
1. Register an account with the victim's email and the attacker's password.
2. The victim uses OAuth to register, linking their account to the attacker's credentials.
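The three email-related items above (an OAuth account with no email, a Facebook login with the email permission removed, and pre-account takeover) share one root cause: the application links or creates accounts by email without either side having verified that address. The Python below is an added example of account-linking logic that closes all three, not code from the original page; USERS, the provider names and the claim values are constructed.

```python
import itertools

# Constructed local user table: user id -> record. Account 1 is the pre-account
# takeover setup: registered with the victim's email by someone who never confirmed it.
USERS = {
    1: {"id": 1, "email": "victim@example.com", "email_verified": False, "providers": {}},
}
PENDING_EMAIL = {}  # user id -> email awaiting proof of ownership
_ids = itertools.count(2)


def find_by_email(email):
    return next((u for u in USERS.values() if u["email"] == email), None)


def oauth_sign_in(provider, claims):
    """claims is what the provider returned (sub, optionally email and
    email_verified). Returns (action, user_id)."""
    sub = claims["sub"]
    email = claims.get("email")
    verified = claims.get("email_verified") is True
    # 1. An identity we already linked logs straight in; sub is the stable key, not email.
    for u in USERS.values():
        if u["providers"].get(provider) == sub:
            return "login", u["id"]
    # 2. Link by email only when the provider vouches for it AND our own record for
    #    that address is confirmed. An unconfirmed local account is a conflict to
    #    surface to the user, never a silent merge.
    if email and verified:
        existing = find_by_email(email)
        if existing is not None:
            if not existing["email_verified"]:
                return "conflict", existing["id"]
            existing["providers"][provider] = sub
            return "linked", existing["id"]
    # 3. Otherwise create a fresh account keyed by sub. An email the provider did
    #    not verify, or did not supply at all, is not attached to the account.
    uid = next(_ids)
    USERS[uid] = {"id": uid, "email": email if verified else None,
                  "email_verified": verified, "providers": {provider: sub}}
    return "created", uid


def request_email_change(user_id, new_email):
    """Adding an email in settings takes effect only after the user confirms it,
    and a confirmed address can belong to one account only."""
    owner = find_by_email(new_email)
    if owner is not None and owner["email_verified"] and owner["id"] != user_id:
        return "rejected: address belongs to another account"
    PENDING_EMAIL[user_id] = new_email
    return "pending_verification"


if __name__ == "__main__":
    print(oauth_sign_in("phoneprovider", {"sub": "p-77"}))               # created, no email
    print(oauth_sign_in("google", {"sub": "g-9", "email": "victim@example.com",
                                   "email_verified": True}))            # conflict with account 1
```

A "conflict" result should be shown to the user as a prompt to prove ownership of the existing account (a mailed confirmation link) or to continue with a separate account; what it must never do is log the OAuth user into the password-protected account someone else created.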
Run all attacks with prompt=none to minimise user interaction.
Play with response_mode
The normal value is &response_mode=query. By changing it to fragment, the code is leaked in the URL after the # character.
Exploit XSS in the authorization server to steal the victim's code: set &response_mode=form_post and the response will be a page that sends a POST request carrying the code and state parameters. An attacker can steal the code and state parameters using this.
Post-Auth Redirect + Login CSRF
There is an endpoint vulnerable to open redirect; use it to bypass redirect_uri restrictions, and use &response_mode=fragment to send the code in the URL.
The website is vulnerable to an open redirect. After a user logs in, we can exploit the state parameter to perform a CSRF attack, causing the user to log into our account after completing the OAuth process. However, to steal the user's session/code when they log into the attacker-owned account, we can use &response_mode=fragment. This will send the user's code to an attacker-controlled site in the URL after the # sign, along with the attacker's code in the query.
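Every variation above leaves a trace in the authorization server's access log: a code-flow request asking for response_mode=fragment or form_post, a missing state, or a redirect_uri outside the registered set, and the Referer finding further down shows up as a code= in the Referer field of whichever server receives the next navigation. The Python below is an added example of running those checks over log lines, not code from the original page; LOG_LINES, the log format, the client registry and the code value are all constructed.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed access log in a simple format: <ip> [<time>] "<method> <target> <proto>" <status> "<referer>"
LOG_LINES = [
    '203.0.113.5 [10:00:01] "GET /auth?client_id=app1&response_type=code'
    '&redirect_uri=https%3A%2F%2Fapp.example%2Fcallback&state=k3j2h HTTP/1.1" 302 "-"',
    '203.0.113.6 [10:00:07] "GET /auth?client_id=app1&response_type=code'
    '&redirect_uri=https%3A%2F%2Fapp.example%2Fcallback&response_mode=fragment&prompt=none HTTP/1.1" 302 "-"',
    '203.0.113.7 [10:00:09] "GET /auth?client_id=app1&response_type=code'
    '&redirect_uri=https%3A%2F%2Fapp.example%2Fredirect%3Furl%3Dhttps%3A%2F%2Fevil.example&state=x HTTP/1.1" 302 "-"',
    '203.0.113.8 [10:00:15] "GET /static/logo.png HTTP/1.1" 200 '
    '"https://app.example/callback?code=CONSTRUCTED-CODE&state=k3j2h"',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<time>[^\]]*)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d+) "(?P<referer>[^"]*)"$')

REGISTERED_REDIRECTS = {"app1": {"https://app.example/callback"}}  # constructed registry
RISKY_MODES = {"fragment", "form_post"}  # risky only when combined with response_type=code


def analyze(line):
    """Return the list of findings for one log line (empty list means clean)."""
    m = LOG_RE.match(line)
    if m is None:
        return ["unparseable line"]
    findings = []
    url = urlsplit(m["target"])
    if url.path == "/auth":
        q = {k: v[0] for k, v in parse_qs(url.query).items()}
        if "state" not in q:
            findings.append("missing state")
        if q.get("response_type") == "code" and q.get("response_mode") in RISKY_MODES:
            findings.append(f"response_mode={q['response_mode']} with code flow")
        if q.get("prompt") == "none":
            findings.append("prompt=none (silent auth)")
        allowed = REGISTERED_REDIRECTS.get(q.get("client_id"), set())
        if q.get("redirect_uri") not in allowed:
            findings.append("unregistered redirect_uri")
    if "code=" in m["referer"]:
        findings.append("authorization code in Referer")
    return findings


if __name__ == "__main__":
    for line in LOG_LINES:
        print(analyze(line) or "clean")
```

The durable fixes are on the server side: only honour the response modes a client registered, reject code-flow requests without state (or require PKCE), and set Referrer-Policy: no-referrer on every page that can carry a code in its URL. prompt=none is legitimate for silent re-authentication, so that finding is a hint for correlation rather than an alert on its own.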
Disclosure of Secrets
Leaking client_secret allows attackers to generate access tokens and access user data.
Client Secret Brute Force
Brute force the client_secret to steal accounts.
Referer Header Leaking Code + State
Verify whether the code and state are reflected in the Referer header when the user navigates to another page.
Access Token Stored in Browser History
Ensure access tokens are not stored in browser history.
Everlasting Authorization Code
Authorization code should have a short lifespan to limit the attack window.
Authorization/Refresh Token Not Bound to Client
Ensure tokens are bound to the specific client.
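The code-related items (reuse, brute force and cross-client validity under "OAuth Code Flaws", the everlasting code, the token not bound to its client, and the race condition further down) are all properties of how the authorization server stores and redeems codes. The Python below is an added example of such a store, not code from the original page: codes are 256-bit random, kept hashed, expire after CODE_TTL_SECONDS (an assumed value), are bound to client_id and redirect_uri, optionally verified with PKCE, and are removed under a lock so that two concurrent /token requests cannot both succeed.

```python
import base64
import hashlib
import hmac
import secrets
import threading
import time

CODE_TTL_SECONDS = 60  # assumed lifetime for this example


def _digest(value):
    return hashlib.sha256(value.encode()).hexdigest()


def pkce_challenge(code_verifier):
    """S256 challenge as the client would compute it (RFC 7636)."""
    digest = hashlib.sha256(code_verifier.encode()).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


class CodeStore:
    """Authorization codes: random, hashed at rest, single-use, short-lived and
    bound to client_id, redirect_uri and (optionally) a PKCE challenge."""

    def __init__(self, clock=time.time):
        self._codes = {}
        self._lock = threading.Lock()
        self._clock = clock  # injectable so expiry can be tested deterministically

    def issue(self, client_id, redirect_uri, code_challenge=None):
        code = secrets.token_urlsafe(32)  # 256 bits of entropy: not brute-forceable
        with self._lock:
            self._codes[_digest(code)] = {
                "client_id": client_id,
                "redirect_uri": redirect_uri,
                "challenge": code_challenge,
                "expires": self._clock() + CODE_TTL_SECONDS,
            }
        return code

    def redeem(self, code, client_id, redirect_uri, code_verifier=None):
        """Returns (ok, reason). The pop under the lock makes the code single-use
        even under concurrent requests: exactly one caller gets the record."""
        with self._lock:
            rec = self._codes.pop(_digest(code), None)
        if rec is None:
            return False, "unknown or already used code"
        if self._clock() > rec["expires"]:
            return False, "expired code"
        if rec["client_id"] != client_id:
            return False, "code was issued to a different client"
        if rec["redirect_uri"] != redirect_uri:
            return False, "redirect_uri does not match the authorization request"
        if rec["challenge"] is not None:
            if code_verifier is None:
                return False, "missing code_verifier"
            if not hmac.compare_digest(pkce_challenge(code_verifier), rec["challenge"]):
                return False, "PKCE verification failed"
        return True, "ok"


if __name__ == "__main__":
    store = CodeStore()
    code = store.issue("app", "https://app.example/callback")
    print(store.redeem(code, "app", "https://app.example/callback"))  # (True, 'ok')
    print(store.redeem(code, "app", "https://app.example/callback"))  # second use rejected
```

On a reuse attempt the server should also revoke the tokens it issued for that code the first time (RFC 6749 section 4.1.2), since a replay means the code has leaked. The same single-use, bound-to-client treatment applies to refresh tokens, where rotation with reuse detection plays the role the pop plays here.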
Refresh Token Issues
Race Conditions in OAuth 2 API Implementations
Verify for potential race conditions that can lead to security issues.
Summary
OAuth implementations can be vulnerable to various security issues. By understanding these vulnerabilities and following the steps outlined, you can effectively test and secure OAuth flows.