gayatri r
2 min read · May 22, 2019

P2 Vulnerability - Account takeover using OAuth Misconfiguration

Vulnerability Category: A6- Security Misconfiguration

Vulnerability Description: OAuth 2.0 is an authorization framework for web applications. It lets a website confirm a user's identity through a provider without the user disclosing their password to that website. A vulnerability in the OAuth flow can lead to takeover of the victim's account.

Impact: An attacker can take over the victim's account.

Severity: Medium

CVSS v3.0 Score: 4.3

CVSS v3.0 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Recommendation:

Simply avoid using redirects and forwards.

If they are used, do not accept a URL from user input as the destination. This is usually possible. If it is not, you should have a method to validate the URL.

If user input can't be avoided, ensure that the supplied value is valid, appropriate for the application, and authorized for the user.

Force all redirects to first go through a page notifying the user that they are leaving your site, and have them click a link to confirm.

How to test:

  • For example, https://www.redacted.com/ is the application.
  • Register with the application using an email account and complete the whole registration process.
  • Observe whether the application supports OAuth service providers such as Facebook and Google, which let you link your social accounts to the application at https://www.redacted.com/.
  • Intercept the application traffic with Burp Suite, then click the Facebook icon to link a social account to your account on https://www.redacted.com/.
  • Observe the request and check whether the state parameter is implemented.
  • If the state parameter is missing, the linking flow is vulnerable to CSRF.
  • Once you have authenticated successfully, intercept the callback request from Facebook; it looks like the one below:

GET /auth/facebook/callback?code=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX HTTP/1.1
Host: redacted.com

  • Generate a CSRF PoC for this request and save it as poc.html.
  • Now create another account, the victim account, on https://www.redacted.com/ and go to the settings page where social accounts can be linked.
  • Open poc.html in the browser and click the submit button.
  • The Facebook account is now linked to the victim account on https://www.redacted.com.
  • Log out of the application and try to log in with your social account.
  • You are logged into the victim account on https://www.redacted.com/.
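The steps above hinge on one check: whether the callback carries a state value bound to the session that started the linking flow. The following Python is an added example, not code from the original post or from the application described; the provider URL, client id, session dictionary and handler names are all constructed for illustration. It places the callback without a state check beside a hardened callback that mints a random state at link time and honours the callback only when that state comes back on the same session, then replays the cross-session scenario from the write-up against both.

```python
import hmac
import secrets
from urllib.parse import urlencode, parse_qs, urlparse

# Constructed values for this example; a real app uses the provider's real
# authorize endpoint and its own registered client id.
AUTHORIZE_URL = "https://provider.example/oauth/authorize"
CLIENT_ID = "example-client-id"
REDIRECT_URI = "https://www.redacted.com/auth/facebook/callback"


def begin_link(session):
    """User clicks 'link Facebook account': mint an unguessable state, bind it
    to this server-side session, and send the browser to the provider."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    params = {"client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
              "response_type": "code", "state": state}
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def parse_callback(url):
    """Turn a redirect URL's query string into a flat {param: value} dict."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def callback_without_state(session, query):
    """The flaw from the write-up: the callback trusts `code` alone, so any
    logged-in browser that loads the URL links the provider identity behind
    that code to whichever account the session belongs to."""
    session["linked_provider_code"] = query["code"]
    return "linked"


def callback_with_state(session, query):
    """Hardened handler: honour the callback only if it carries the exact
    state this session issued. Constant-time compare; state is single use."""
    expected = session.pop("oauth_state", None)
    presented = query.get("state")
    if expected is None or presented is None:
        return "rejected: no pending link request"
    if not hmac.compare_digest(expected, presented):
        return "rejected: state mismatch"
    session["linked_provider_code"] = query["code"]
    return "linked"


def simulate_cross_session(handler):
    """One browser starts the flow and obtains a callback URL; a different,
    logged-in session (the one poc.html targets) is made to load it."""
    first = {"user": "first-account"}
    start = parse_callback(begin_link(first))
    # Constructed provider response: it echoes the state and issues a code.
    callback_url = REDIRECT_URI + "?" + urlencode(
        {"code": "CONSTRUCTED-CODE", "state": start["state"]})
    second = {"user": "second-account"}   # never started a link flow
    return handler(second, parse_callback(callback_url))


def simulate_same_session(handler):
    """The legitimate case: the session that started the flow receives the
    callback, so the hardened handler must still accept it."""
    sess = {"user": "alice"}
    start = parse_callback(begin_link(sess))
    callback_url = REDIRECT_URI + "?" + urlencode(
        {"code": "CONSTRUCTED-CODE", "state": start["state"]})
    return handler(sess, parse_callback(callback_url))


if __name__ == "__main__":
    print("no state check, cross-session:", simulate_cross_session(callback_without_state))
    print("state check,    cross-session:", simulate_cross_session(callback_with_state))
    print("state check,    same-session: ", simulate_same_session(callback_with_state))
```

Two design points matter in the hardened handler: `session.pop` makes the state single use, so a callback cannot be replayed against the same session, and `hmac.compare_digest` avoids leaking the expected value through timing. Returning a distinct reason string for "no pending request" versus "mismatch" is what you want to log, since a spike of the former is exactly the signal that someone is driving logged-in users to forged callbacks.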

Tools to use:

  1. Generate a CSRF PoC in Burp Suite.
  2. If you don't have Burp Suite Pro, you can use https://security.love/CSRF-PoC-Genorator/ to generate the CSRF PoC.

Thanks to Jackson kv for the awesome discovery and for writing it up in a nice blog post. This post is taken from his article.