# LAB #02 Forced OAuth profile linking

## **Lab Overview**

This lab gives you the option to attach a social media profile to your account so that you can log in via OAuth instead of using the normal username and password. Due to the insecure implementation of the OAuth flow by the client application, an attacker can manipulate this functionality to obtain access to other users' accounts.

To solve the lab, use a CSRF attack to attach your own social media profile to the admin user's account on the blog website, then access the admin panel and delete `carlos`.

The admin user will open anything you send from the exploit server and they always have an active session on the blog website.

**Credentials:**

*   Blog website account: `wiener:peter`
    
*   Social media profile: `peter.wiener:hotdog`
    

## **Exploitation**

### #1 **Logging In**

As usual, after starting the lab, the provided credentials were used to log in through social media while Burp Suite captured the traffic.

![](https://cdn.hashnode.com/uploads/covers/69eb0c2b1e45c4e0da9bea4a/24cadeb9-8e83-40e0-82d6-a068d591315b.png align="center")

**Standard Authorization Code flow typically includes:**

| PARAMETER | PURPOSE |
| --- | --- |
| `response_type` | Usually `code` for the Authorization Code flow. |
| `client_id` | Identifies the application requesting authorization. |
| `redirect_uri` | The URL where the authorization server redirects the user after authentication. |
| `scope` | Specifies the permissions being requested (e.g., `openid profile email`). |
| `state` | Random value to prevent CSRF attacks. Must be validated on return. |

![](https://cdn.hashnode.com/uploads/covers/69eb0c2b1e45c4e0da9bea4a/6ac8824a-e010-4c71-bbeb-4ddbba79f22e.png align="center")

Before entering the credential we captured the request which is usually using OAuth.

`client_id: xdddru0pg8uxl4hrty90s redirect_uri: https://0aad003a0374551380a2a3b800a00051.web-security-academy.net/oauth-login response_type: code scope: openid%20profile%20email`

Here we can see that the `scope` is missing.

Now login with the credentials:

![](https://cdn.hashnode.com/uploads/covers/69eb0c2b1e45c4e0da9bea4a/86f9c71d-4ec3-4d5d-aad6-7ffc21ed1986.png align="center")

![](https://cdn.hashnode.com/uploads/covers/69eb0c2b1e45c4e0da9bea4a/a93a6e1e-4d50-48b7-91b5-3fb425548f54.png align="center")

Now logout and login with Blog website account:

![](https://cdn.hashnode.com/uploads/covers/69eb0c2b1e45c4e0da9bea4a/634c78ad-8bf0-4052-8fdd-cf3fd8fdf4a6.png align="center")

We have successfully login with the Blog website account.  
There is a option to Attach a social profile click it.

![](https://cdn.hashnode.com/uploads/covers/69eb0c2b1e45c4e0da9bea4a/30a46bd7-a175-461e-a998-7c34e75d9fd3.png align="center")

Click continue and capture the request

![](https://cdn.hashnode.com/uploads/covers/69eb0c2b1e45c4e0da9bea4a/5c846d08-4b6d-48ae-8877-41d9791e6586.png align="center")

![](https://cdn.hashnode.com/uploads/covers/69eb0c2b1e45c4e0da9bea4a/3accc828-f7d3-424f-8f43-985849b954f1.png align="center")

`client_id: d3rj4i8qd6vgrplhnrebp redirect_uri: https://0a0100260389c4908037946a007c0037.web-security-academy.net/oauth-linking response_type: code scope: openid%20profile%20email`

Here the `redirect_uri` is different. still there is no `state` parameter on this

It is a redirection to `/auth` which a OAuth login prosses

![](https://cdn.hashnode.com/uploads/covers/69eb0c2b1e45c4e0da9bea4a/9ce49051-cd80-489f-8110-b960305e1c6f.png align="center")

### #2 Reusing an OAuth Authorization Code

After the social provider authenticates you, it redirects back to the application with a request like:

`GET /oauth-linking?code=abc123...`

The `code` is a temporary OAuth authorization code.

Intercept this request in Burp Suite and drop it.

*   Dropping the request prevents the application from exchanging the code for an access token.
    
*   The authorization code remains unused and is still valid for a short period.
    

First forward the request:

![](https://cdn.hashnode.com/uploads/covers/69eb0c2b1e45c4e0da9bea4a/a1db8a6e-e7e6-4f8b-b4e3-b687af4a23c0.png align="center")

We will get this request with the code in it and drop it

![](https://cdn.hashnode.com/uploads/covers/69eb0c2b1e45c4e0da9bea4a/a232950a-8b8c-4384-9596-0262d093c6d9.png align="center")

`code: RekBTYufEbFhJNShAhVyTF-p5ui8kFkr8fMFtBDb3UJ`

Copy the URL containing the `code`  

### **#3 Crafting the Payload**

Logout and click the exploit server.

![](https://cdn.hashnode.com/uploads/covers/69eb0c2b1e45c4e0da9bea4a/8d498f25-0c6c-46ba-95cc-c6145bc0f08d.png align="center")

Now create a CSRF PoC and deliver it to the victim.

```html
<html>
    <head>
        <title>PAYLOAD</title>
    </head>
    <body>
        <iframe src="https://0a14008c046c044e838964cb00de001f.web-security-academy.net/oauth-linking?code=pbjHxFLY7qTs-7DX_CleYFtBe4Kf2dq1c9p_n3dlqOJ"></iframe>
    </body>
</html>
```

![](https://cdn.hashnode.com/uploads/covers/69eb0c2b1e45c4e0da9bea4a/b1b57ef0-1ba1-4b31-8086-ca8d69d4541e.png align="center")

First "store" the payload then "Deliver exploit to the victim"

### #4 Confirming the Attack

Login again with "Login with social media".

![](https://cdn.hashnode.com/uploads/covers/69eb0c2b1e45c4e0da9bea4a/05ac0a52-afc3-49cd-81c3-15e0a8360a69.png align="center")

Successfully logged in as administrator .

![](https://cdn.hashnode.com/uploads/covers/69eb0c2b1e45c4e0da9bea4a/3c2a9853-0cf6-4e7e-8b0e-daa90823ea17.png align="center")

Got the access to admin panel.

![](https://cdn.hashnode.com/uploads/covers/69eb0c2b1e45c4e0da9bea4a/8599a7a8-108a-4638-8f87-fe7e180df000.png align="center")

The goal was to access the admin panel and delete `carlos`.

Deleted carlos!

![](https://cdn.hashnode.com/uploads/covers/69eb0c2b1e45c4e0da9bea4a/cebc49a4-430b-4289-94c4-3a32d8f5365f.png align="center")

## **\# And That’s a Wrap**

OAuth implementations should be tested just as carefully as any other authentication mechanism.
