LAB #02 Forced OAuth profile linking
Understanding and exploiting an insecure OAuth account-linking implementation.

Lab Overview
This lab gives you the option to attach a social media profile to your account so that you can log in via OAuth instead of using the normal username and password. Due to the insecure implementation of the OAuth flow by the client application, an attacker can manipulate this functionality to obtain access to other users' accounts.
To solve the lab, use a CSRF attack to attach your own social media profile to the admin user's account on the blog website, then access the admin panel and delete carlos.
The admin user will open anything you send from the exploit server and they always have an active session on the blog website.
Credentials:
Blog website account:
wiener:peterSocial media profile:
peter.wiener:hotdog
Exploitation
#1 Logging In
As usual, after starting the lab, the provided credentials were used to log in through social media while Burp Suite captured the traffic.
Standard Authorization Code flow typically includes:
| PARAMETER | PURPOSE |
|---|---|
response_type |
Usually code for the Authorization Code flow. |
client_id |
Identifies the application requesting authorization. |
redirect_uri |
The URL where the authorization server redirects the user after authentication. |
scope |
Specifies the permissions being requested (e.g., openid profile email). |
state |
Random value to prevent CSRF attacks. Must be validated on return. |
Before entering the credential we captured the request which is usually using OAuth.
client_id: xdddru0pg8uxl4hrty90s redirect_uri: https://0aad003a0374551380a2a3b800a00051.web-security-academy.net/oauth-login response_type: code scope: openid%20profile%20email
Here we can see that the scope is missing.
Now login with the credentials:
Now logout and login with Blog website account:
We have successfully login with the Blog website account.
There is a option to Attach a social profile click it.
Click continue and capture the request
client_id: d3rj4i8qd6vgrplhnrebp redirect_uri: https://0a0100260389c4908037946a007c0037.web-security-academy.net/oauth-linking response_type: code scope: openid%20profile%20email
Here the redirect_uri is different. still there is no state parameter on this
It is a redirection to /auth which a OAuth login prosses
#2 Reusing an OAuth Authorization Code
After the social provider authenticates you, it redirects back to the application with a request like:
GET /oauth-linking?code=abc123...
The code is a temporary OAuth authorization code.
Intercept this request in Burp Suite and drop it.
Dropping the request prevents the application from exchanging the code for an access token.
The authorization code remains unused and is still valid for a short period.
First forward the request:
We will get this request with the code in it and drop it
code: RekBTYufEbFhJNShAhVyTF-p5ui8kFkr8fMFtBDb3UJ
Copy the URL containing the code
#3 Crafting the Payload
Logout and click the exploit server.
Now create a CSRF PoC and deliver it to the victim.
<html>
<head>
<title>PAYLOAD</title>
</head>
<body>
<iframe src="https://0a14008c046c044e838964cb00de001f.web-security-academy.net/oauth-linking?code=pbjHxFLY7qTs-7DX_CleYFtBe4Kf2dq1c9p_n3dlqOJ"></iframe>
</body>
</html>
First "store" the payload then "Deliver exploit to the victim"
#4 Confirming the Attack
Login again with "Login with social media".
Successfully logged in as administrator .
Got the access to admin panel.
The goal was to access the admin panel and delete carlos.
Deleted carlos!
# And That’s a Wrap
OAuth implementations should be tested just as carefully as any other authentication mechanism.



