daffainfo
/
AllAboutBugBounty
mirror of https://github.com/daffainfo/AllAboutBugBounty.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

updated Oauth Misconfiguration

master
Muhammad Daffa 2022-12-09 15:24:15 +07:00
parent d618747c12
commit 6e79a42846
2 changed files with 47 additions and 17 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
CVEs/2021/CVE-2021-36873.md
View File

@ -1,7 +1,7 @@
# CVE-2021-36873 # CVE-2021-36873
## Description ## Description
Authenticated Persistent Cross-Site Scripting (XSS) vulnerability in WordPress iQ Block Country plugin (versions <= 1.2.11). Vulnerable parameter: &blockcountry_blockmessage. Authenticated Persistent Cross-Site Scripting (XSS) vulnerability in WordPress iQ Block Country plugin (versions <= 1.2.11). Vulnerable parameter: `&blockcountry_blockmessage`.
## CVSS (Vector and Score) ## CVSS (Vector and Score)
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N - 5.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N - 5.5 MEDIUM
@ -17,9 +17,14 @@ WordPress iQ Block Country plugin
## Steps to Reproduce ## Steps to Reproduce
1. Login as administrator 1. Login as administrator
2. 2. Go to http://localhost/wp-admin/options-general.php?page=iq-block-country%2Flibs%2Fblockcountry-settings.php
3. Find `Message to display when people are blocked:` form
4. Input `</textarea><script>alert(1)</script>`
5. Scroll down and press `Save Changes` button
## Proof of Concept ## Proof of Concept
- Video
> https://youtu.be/WtOiHY5R-t0
- Image - Image
- Video ![image](https://user-images.githubusercontent.com/36522826/202700374-52d36350-adff-4fe3-b46d-21f08955e8c6.png)

51
OAuth Misconfiguration.md
View File

@ -4,21 +4,46 @@
The most infamous OAuth-based vulnerability is when the configuration of the OAuth service itself enables attackers to steal authorization codes or access tokens associated with other users accounts. By stealing a valid code or token, the attacker may be able to access the victim's account. The most infamous OAuth-based vulnerability is when the configuration of the OAuth service itself enables attackers to steal authorization codes or access tokens associated with other users accounts. By stealing a valid code or token, the attacker may be able to access the victim's account.
## Where to find ## Where to find
In the SSO feature. For example `Log in with google` or `Log in with facebook`. In the SSO feature. For example the URL will be looks like this
```
https://example/signin?response_type=code&redirect_uri=https://callback_url/auth&client_id=FQ9RGtMkztAgmAApKOqACrBNq&state=7tvPJiv8StrAqo9IQE9xsJaDso4&scope=+profile+email+phone+group+role+resource
```
## How to exploit ## How to exploit
1. OAuth token stealing: Changing redirect_uri to attacker.com(Use IDN Homograph or common bypasses). 1. OAuth token stealing by changing `redirect_uri` and Use IDN Homograph
2. Change Referral header to attacker.com while requesting OAuth. * Normal parameter
3. Create an account with victim@gmail.com with normal functionality. Create account with victim@gmail.com using OAuth functionality. Now try to login using previous credentials. ```
4. OAuth Token Re-use. &redirect_uri=https://example.com
5. Missing or broken state parameter. ```
6. Lack of origin check. * IDN Homograph
7. Open Redirection on another endpoint > Use it in redirect_uri ```
8. If there is an email parameter after signin then try to change the email parameter to victim's one. &redirect_uri=https://еxamplе.com
9. Try to remove email from the scope and add victim's email manually. ```
10. Only company's email is allowed? > Try to replace hd=company.com to hd=gmail.com If you notice, im not using the normal `e`
11. Check if its leaking client_secret parameter. 2. Create an account with victim@gmail.com with normal functionality. Create account with victim@gmail.com using OAuth functionality. Now try to login using previous credentials.
12. Go to the browser history and check if the token is there. 3. OAuth Token Re-use.
4. Improper handling of state parameter
To exploit this, go through the authorization process under your account and pause immediately after authorization. Then send this URL to the logged-in victim
* CSRF Attack
```html
<a href="https://example.com/authorize?client_id=client1&response_type=code&redirect_uri=http://callback&scope=openid+email+profile">Press Here</a>
```
5. Lack of origin check.
6. Open Redirection on `redirect_uri` parameter
* Normal parameter
```
&redirect_uri=https://example.com
```
* Open Redirect
```
&redirect_uri=https://evil.com
&redirect_uri=https://example.com.evil.com
etc.
```
7. If there is an email parameter after signin then try to change the email parameter to victim's one.
8. Try to remove email from the scope and add victim's email manually.
9. Check if its leaking `client_secret`
## References ## References
* [tuhin1729_](https://twitter.com/tuhin1729_/status/1417843523177484292) * [tuhin1729_](https://twitter.com/tuhin1729_/status/1417843523177484292)