daffainfo
/
AllAboutBugBounty
mirror of https://github.com/daffainfo/AllAboutBugBounty.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
AllAboutBugBounty/OAuth Misconfiguration.md

50 lines
2.2 KiB
Markdown
Raw Permalink Normal View History

Major Update, adding some tips
2021-07-21 15:38:57 +00:00
# OAuth Misconfiguration
Update structure each readme
2022-06-15 10:38:42 +00:00
## Introduction
The most infamous OAuth-based vulnerability is when the configuration of the OAuth service itself enables attackers to steal authorization codes or access tokens associated with other users accounts. By stealing a valid code or token, the attacker may be able to access the victim's account.
Add 'Where to find' in each readme, add Apache + CRLF + RFI
2022-06-22 04:41:21 +00:00
## Where to find
updated Oauth Misconfiguration
2022-12-09 08:24:15 +00:00
In the SSO feature. For example the URL will be looks like this
```
https://example/signin?response_type=code&redirect_uri=https://callback_url/auth&client_id=FQ9RGtMkztAgmAApKOqACrBNq&state=7tvPJiv8StrAqo9IQE9xsJaDso4&scope=+profile+email+phone+group+role+resource
```
Add 'Where to find' in each readme, add Apache + CRLF + RFI
2022-06-22 04:41:21 +00:00
## How to exploit
updated Oauth Misconfiguration
2022-12-09 08:24:15 +00:00
1. OAuth token stealing by changing `redirect_uri` and Use IDN Homograph
* Normal parameter
```
&redirect_uri=https://example.com
```
* IDN Homograph
```
&redirect_uri=https://еxamplе.com
```
If you notice, im not using the normal `e`
2. Create an account with victim@gmail.com with normal functionality. Create account with victim@gmail.com using OAuth functionality. Now try to login using previous credentials.
3. OAuth Token Re-use.
4. Improper handling of state parameter
To exploit this, go through the authorization process under your account and pause immediately after authorization. Then send this URL to the logged-in victim
* CSRF Attack
```html
<a href="https://example.com/authorize?client_id=client1&response_type=code&redirect_uri=http://callback&scope=openid+email+profile">Press Here</a>
```
5. Lack of origin check.
6. Open Redirection on `redirect_uri` parameter
* Normal parameter
```
&redirect_uri=https://example.com
```
* Open Redirect
```
&redirect_uri=https://evil.com
&redirect_uri=https://example.com.evil.com
etc.
```
7. If there is an email parameter after signin then try to change the email parameter to victim's one.
8. Try to remove email from the scope and add victim's email manually.
9. Check if its leaking `client_secret`
Update OAuth Misconfiguration.md
2021-07-21 15:43:05 +00:00
Update structure each readme
2022-06-15 10:38:42 +00:00
## References
* [tuhin1729_](https://twitter.com/tuhin1729_/status/1417843523177484292)
* [c0d3x27](https://infosecwriteups.com/the-oauth-misconfiguration-15e66dd19a6e)