Exploiting OAuth: Redirect_URI
OAuth/Open Authentication:
Before moving further for exploitation, we must familiar ourselves with OAuth. For this, please do check previous blog of mine i.e.
Working/Exploiting:
There is an application that allows users to log in via social media. It uses OAuth to do the authentication of the user from a social media website.
As I click on “Login with social media,” it redirects me to a login page. After providing the credentials, it redirects to the website and authentication was successful, intercept the login request using burp suite.
Intercepted request looks like of the OAuth look like:
We can see that there are a lot of parameters in this request which generally are in the oauth such as Client_id, redirect_uri, response_type, and scope but there is no state parameter which means that this is oauth implementation is vulnerable to CSRF
Scope parameter is used “to specify that what information the website wants to fetch from the social media account“. As I forward this request, it asks me to approve the sharing of information.
After approving the request it issues an authorization code which can be used to fetch the information specified in the scope from the social media website. This code is sent back to the application with the authorization code.
As we can see that there is no state parameter in this request as well. It means we can carry out the CSRF attack on this. The most basic step is to manipulate the redirect URI. So lets try to test the oauth request to check whether redirect URI is set hardly. Try to do the login again but this time intercept the request and replace the redirect URI with the burp Collaborator URL.
Burp collaborator address:
t93ec34t45t17wloty2gorar3i99xy.burpcollaborator.net
Complete the authentication and see whether it redirects us to the Burp Collaborator client URL with the access token.
Since it is redirecting me to the collaborator client URL it means we can carry out the authentication using the manipulating redirect_uri and can carry out the CSRF attack on this.
With this URL, create a CSRF POC by using <iframe > tag. And host this on a server, send the link to the user
As soon as victim click on <iframe > tag he is redirected to the Login with social media and if he completes the login he will be redirected to the burp collaborator client url with the token and since collaborator client is logging All the request we will get the authorization code.
Now start login with social media again and then replace the code in the request that we got in the collaborator client.
After replacing, the authorization code and forwarding the request to server.
The application attaches our account with the admin account and we can carry out the tasks of the admin.
