From 6e79a4284690b1d147c973c87167aaa78846547e Mon Sep 17 00:00:00 2001 From: Muhammad Daffa Date: Fri, 9 Dec 2022 15:24:15 +0700 Subject: [PATCH] updated Oauth Misconfiguration --- CVEs/2021/CVE-2021-36873.md | 13 +++++++--- OAuth Misconfiguration.md | 51 +++++++++++++++++++++++++++---------- 2 files changed, 47 insertions(+), 17 deletions(-) diff --git a/CVEs/2021/CVE-2021-36873.md b/CVEs/2021/CVE-2021-36873.md index d1e6c6c..9f50cf7 100644 --- a/CVEs/2021/CVE-2021-36873.md +++ b/CVEs/2021/CVE-2021-36873.md @@ -1,7 +1,7 @@ # CVE-2021-36873 ## Description -Authenticated Persistent Cross-Site Scripting (XSS) vulnerability in WordPress iQ Block Country plugin (versions <= 1.2.11). Vulnerable parameter: &blockcountry_blockmessage. +Authenticated Persistent Cross-Site Scripting (XSS) vulnerability in WordPress iQ Block Country plugin (versions <= 1.2.11). Vulnerable parameter: `&blockcountry_blockmessage`. ## CVSS (Vector and Score) CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N - 5.5 MEDIUM @@ -17,9 +17,14 @@ WordPress iQ Block Country plugin ## Steps to Reproduce 1. Login as administrator -2. - +2. Go to http://localhost/wp-admin/options-general.php?page=iq-block-country%2Flibs%2Fblockcountry-settings.php +3. Find `Message to display when people are blocked:` form +4. Input `` +5. Scroll down and press `Save Changes` button ## Proof of Concept +- Video + + > https://youtu.be/WtOiHY5R-t0 - Image -- Video \ No newline at end of file +![image](https://user-images.githubusercontent.com/36522826/202700374-52d36350-adff-4fe3-b46d-21f08955e8c6.png) \ No newline at end of file diff --git a/OAuth Misconfiguration.md b/OAuth Misconfiguration.md index bb50ba4..a47971c 100644 --- a/OAuth Misconfiguration.md +++ b/OAuth Misconfiguration.md 
@@ -4,21 +4,46 @@ The most infamous OAuth-based vulnerability is when the configuration of the OAuth service itself enables attackers to steal authorization codes or access tokens associated with other users’ accounts. By stealing a valid code or token, the attacker may be able to access the victim's account. ## Where to find -In the SSO feature. For example `Log in with google` or `Log in with facebook`. +In the SSO feature. For example the URL will be looks like this +``` +https://example/signin?response_type=code&redirect_uri=https://callback_url/auth&client_id=FQ9RGtMkztAgmAApKOqACrBNq&state=7tvPJiv8StrAqo9IQE9xsJaDso4&scope=+profile+email+phone+group+role+resource +``` ## How to exploit -1. OAuth token stealing: Changing redirect_uri to attacker.com(Use IDN Homograph or common bypasses). -2. Change Referral header to attacker.com while requesting OAuth. -3. Create an account with victim@gmail.com with normal functionality. Create account with victim@gmail.com using OAuth functionality. Now try to login using previous credentials. -4. OAuth Token Re-use. -5. Missing or broken state parameter. -6. Lack of origin check. -7. Open Redirection on another endpoint > Use it in redirect_uri -8. If there is an email parameter after signin then try to change the email parameter to victim's one. -9. Try to remove email from the scope and add victim's email manually. -10. Only company's email is allowed? > Try to replace hd=company.com to hd=gmail.com -11. Check if its leaking client_secret parameter. -12. Go to the browser history and check if the token is there. +1. OAuth token stealing by changing `redirect_uri` and Use IDN Homograph + * Normal parameter + ``` + &redirect_uri=https://example.com + ``` + * IDN Homograph + ``` + &redirect_uri=https://еxamplе.com + ``` + If you notice, im not using the normal `e` +2. Create an account with victim@gmail.com with normal functionality. Create account with victim@gmail.com using OAuth functionality. 
Now try to login using previous credentials. +3. OAuth Token Re-use. +4. Improper handling of state parameter + + To exploit this, go through the authorization process under your account and pause immediately after authorization. Then send this URL to the logged-in victim + * CSRF Attack + ```html + Press Here + ``` +5. Lack of origin check. +6. Open Redirection on `redirect_uri` parameter + * Normal parameter + ``` + &redirect_uri=https://example.com + ``` + * Open Redirect + ``` + &redirect_uri=https://evil.com + &redirect_uri=https://example.com.evil.com + etc. + ``` +7. If there is an email parameter after signin then try to change the email parameter to victim's one. +8. Try to remove email from the scope and add victim's email manually. +9. Check if its leaking `client_secret` ## References * [tuhin1729_](https://twitter.com/tuhin1729_/status/1417843523177484292)
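Review bot: Style point on the changed Description line in `CVEs/2021/CVE-2021-36873.md`: the leading `&` in `&blockcountry_blockmessage` is the query-string separator, not part of the parameter name, so `blockcountry_blockmessage` alone is the precise form. Wrapping the name in backticks is otherwise a good change.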
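Review bot: Step 4 of the new Steps to Reproduce is incomplete: `4. Input ``` has nothing between the backticks, so the value that has to be entered in the "Message to display when people are blocked" field is missing from the hunk (most likely eaten by the markdown/HTML renderer because it contains markup). Escape it inside the code span or move it into a fenced block so the reproduction stands on its own. Minor: the step 2 URL hardcodes `http://localhost`, which is fine for a local test instance but should be stated as such, and in Proof of Concept the video link sits in a `>` blockquote with an extra blank line before it; a plain `- Video: https://youtu.be/WtOiHY5R-t0` bullet would match the `- Image` entry. The file also still ends without a trailing newline.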
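Review bot: In item 4 of `OAuth Misconfiguration.md` the ```html block contains only the text `Press Here`; the anchor element whose `href` carries the paused authorization URL has been lost, so the state-parameter example no longer shows what is actually delivered to the logged-in victim, and the item should also say what correct handling looks like (state is unguessable and bound to the requesting session) so readers know what to check for. Second, the new item 6 labels `&redirect_uri=https://evil.com` and `&redirect_uri=https://example.com.evil.com` as "Open Redirection", but those are weaknesses in `redirect_uri` validation (loose host matching), which overlaps with item 1; the removed item 7 ("Open Redirection on another endpoint > Use it in redirect_uri", i.e. an open redirect on the legitimate domain chained through an otherwise valid `redirect_uri`) is a distinct case and deserves its own point rather than being merged away. Third, the commit message says only "updated" while items 2 (Referer header), 10 (`hd=company.com`) and 12 (token in browser history) are dropped without a stated reason; note whether they were judged incorrect or moved elsewhere. Minor: `https://example/signin` has no TLD (`example.com` matches the other snippets), "the URL will be looks like this" should read "the URL will look like this", "im" should be "I'm", "its leaking" should be "it's leaking", and the homograph note is clearer if it states that the two `е` characters in `еxamplе.com` are Cyrillic letters that render identically to Latin `e`.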