OAuth Misconfiguration
Introduction
The most infamous OAuth-based vulnerability is when the configuration of the OAuth service itself enables attackers to steal authorization codes or access tokens associated with other users’ accounts. By stealing a valid code or token, the attacker may be able to access the victim's account.
Where to find
In the SSO feature. For example the URL will be looks like this
How to exploit
OAuth token stealing by changing
redirect_uri
and Use IDN HomographNormal parameter
IDN Homograph
If you notice, im not using the normal
e
Create an account with victim@gmail.com with normal functionality. Create account with victim@gmail.com using OAuth functionality. Now try to login using previous credentials.
OAuth Token Re-use.
Improper handling of state parameter
To exploit this, go through the authorization process under your account and pause immediately after authorization. Then send this URL to the logged-in victim
CSRF Attack
Lack of origin check.
Open Redirection on
redirect_uri
parameterNormal parameter
Open Redirect
If there is an email parameter after signin then try to change the email parameter to victim's one.
Try to remove email from the scope and add victim's email manually.
Check if its leaking
client_secret
References
Last updated