OAuth Misconfiguration

Detection

In the SSO feature. For example the URL will be looks like this

https://example/signin?response_type=code&redirect_uri=https://callback_url/auth&client_id=FQ9RGtMkztAgmAApKOqACrBNq&state=7tvPJiv8StrAqo9IQE9xsJaDso4&scope=+profile+email+phone+group+role+resource

Exploit

OAuth token stealing by changing redirect_uri and Use IDN Homograph
- Normal parameter
  &redirect_uri=https://example.com
- IDN Homograph
  &redirect_uri=https://еxamplе.com
If you notice, im not using the normal e
Create an account with victim@gmail.com with normal functionality. Create account with victim@gmail.com using OAuth functionality. Now try to login using previous credentials.
OAuth Token Re-use.
Improper handling of state parameter
To exploit this, go through the authorization process under your account and pause immediately after authorization. Then send this URL to the logged-in victim
- CSRF Attack
  <a href="https://example.com/authorize?client_id=client1&response_type=code&redirect_uri=http://callback&scope=openid+email+profile">Press Here</a>
Lack of origin check.

Open Redirection on redirect_uri parameter

Normal parameter
```
&redirect_uri=https://example.com
```

Open Redirect

&redirect_uri=https://evil.com
&redirect_uri=https://example.com.evil.com
etc.

If there is an email parameter after signin then try to change the email parameter to victim's one.
Try to remove email from the scope and add victim's email manually.
Check if its leaking client_secret

Resources

PreviousBypass Captcha Next2FA / OTP

Last updated 23 days ago

Was this helpful?

OAuth Misconfiguration

Detection

In the SSO feature. For example the URL will be looks like this

https://example/signin?response_type=code&redirect_uri=https://callback_url/auth&client_id=FQ9RGtMkztAgmAApKOqACrBNq&state=7tvPJiv8StrAqo9IQE9xsJaDso4&scope=+profile+email+phone+group+role+resource

Exploit

OAuth token stealing by changing redirect_uri and Use IDN Homograph
- Normal parameter
  &redirect_uri=https://example.com
- IDN Homograph
  &redirect_uri=https://еxamplе.com
If you notice, im not using the normal e
Create an account with victim@gmail.com with normal functionality. Create account with victim@gmail.com using OAuth functionality. Now try to login using previous credentials.
OAuth Token Re-use.
Improper handling of state parameter
To exploit this, go through the authorization process under your account and pause immediately after authorization. Then send this URL to the logged-in victim
- CSRF Attack
  <a href="https://example.com/authorize?client_id=client1&response_type=code&redirect_uri=http://callback&scope=openid+email+profile">Press Here</a>
Lack of origin check.

Open Redirection on redirect_uri parameter

Normal parameter
```
&redirect_uri=https://example.com
```

Open Redirect

&redirect_uri=https://evil.com
&redirect_uri=https://example.com.evil.com
etc.

If there is an email parameter after signin then try to change the email parameter to victim's one.
Try to remove email from the scope and add victim's email manually.
Check if its leaking client_secret

Resources

Common OAuth Vulnerabilities · Doyensec's Blog

PreviousBypass Captcha Next2FA / OTP

Last updated 23 days ago

Was this helpful?