OAuth 2.0 Protocol Penetration Testing
Cited from TryHackMe THM Room OAuth Vulnerabilities
1) OAuth Application Identification
The first indication that an application uses OAuth is often found in the login process. Look for options allowing users to log in using external service providers like Google, Facebook, and GitHub. These options typically redirect users to the service provider's authorization page, which strongly signals that OAuth is in use.
When analyzing the network traffic during the login process, pay attention to HTTP redirects. OAuth implementations will generally redirect the browser to an authorization server's URL. This URL often contains specific query parameters, such as response_type, client_id, redirect_uri, scope, and state. These parameters are indicative of an OAuth flow in progress. For example, a URL might look like this:
https://dev.coffee.thm/authorize?response_type=code&client_id=AppClientID&redirect_uri=https://dev.coffee.thm/callback&scope=profile&state=xyzSecure123Once you have confirmed that OAuth is being used, the next step is to identify the specific framework or library the application employs. This can provide insights into potential vulnerabilities and the appropriate security assessments. Here are some strategies to identify the OAuth framework:
1) HTTP Headers and Responses
2) Source Code Analysis
3) Authorization and Token Endpoints
4) Error Messages
2) Stealing OAuth Token
The attacker has compromised a domain that is part of the OAuth flow, more specifically, the redirect_uri domain that the OAuth flow points to.
Attacker sends a link via social engineering to the victim, and while the victim enters his credentials, the attacker hijacks his OAuth token because the domain that the token passes through in the OAuth flow goes to the attacker controlled domain that can host any content the attacker wants inside the compromised domain.
The HTML files in this example are in the scripts folder in this repository.
After the attacker intercepts the authorization code with this technique, he can go to the callback URL endpoint of the OAuth application, and insert the intercepted authorization code to finally steal the access token of the victim.
3) Cross-Site Request Forgery (CSRF)
Requirements: Missing the state parameter in the OAuth URL. If the state parameter is present, the CSRF attack is not possible.
To prepare the payload, the attacker must get his authorization code. This can be done by intercepting the authorization process using a tool like Burp Suite or any other network interception tool.
Example URL intercepted with Burp:
Attacker enters his credentials after he visits the above link to get his authorization code to conduct the attack.
The above authorization code would enable anyone to get an access token against it. The URL parameter in the response is the actual payload that we need to send to the victim. Copy the Payload value, which we will use while launching the attack.
Once the attacker has obtained the authorization code, he can prepare the CSRF payload.
Attacker then, sends an email to the victim via social engineering.
After receiving the email, if the victim clicks on the link or executes it in his browser (where xxx is the attacker's authorization code), the attacker's CoffeeShopApp OAuth account will be linked to the victim's account. This effectively transfers all the contacts from the victim's account to the attacker's.
Victim logs into the client app with his credentials.
Victim executes the attacker exploit sent by him by with his browser.
As discussed above, the exact link sent to the victim is the URL parameter received during the Preparing the Payload process. Once executed, the code will make a call to get the access token and send contacts/messages to the attacker's account.
4) Implicit Grant Flow
In the implicit grant flow, tokens are directly returned to the client via the browser without requiring an intermediary authorization code. This flow is primarily used by single-page applications and is designed for public clients who cannot securely store client secrets. However, this flow has inherent vulnerabilities:
1) Exposing Access Token in URL
2) Inadequate Validation of Redirect URIs
3) No HTTPS Implementation
4) Improper Handling of Access Tokens
Use "access_token_xss" payload to steal the access token with this vulnerability
TIP: Since OAuth 2.1, Implicit Grant Flow has been completely deprecated from this version.
5) Insufficient Token Expiry
Access tokens with long or infinite lifetimes pose a significant security risk. If an attacker obtains such a token, they can access protected resources indefinitely. Implementing short-lived access and refresh tokens helps mitigate this risk by limiting the window of opportunity for attackers.
6) Replay Attacks
Replay attacks involve capturing valid tokens and reusing them to gain unauthorized access. Attackers can exploit tokens multiple times without mechanisms to detect and prevent token reuse. Implementing nonce values and timestamp checks can help mitigate replay attacks by ensuring each token is used only once.
7) Insecure Storage of Tokens
Storing access tokens and refresh tokens insecurely (e.g., in local storage or unencrypted files) can lead to token theft and unauthorized access. Using secure storage mechanisms, such as secure cookies or encrypted databases, can protect tokens from being accessed by malicious actors.
Last updated