Lab: OAuth account hijacking via redirect_uri
This lab uses an OAuth service to allow users to log in with their social media account. A misconfiguration by the OAuth provider makes it possible for an attacker to steal authorization codes associated with other users' accounts.
To solve the lab, steal an authorization code associated with the admin user, then use it to access their account and delete Carlos.
The admin user will open anything you send from the exploit server and they always have an active session with the OAuth service.
You can log in with your own social media account using the following credentials:
- While proxying traffic through Burp, complete the "Log in with social media" process.
- Log out of your account on the blog website and click "Log in with social media" again. Notice that the OAuth service does not ask for credentials because you already have an active session.
- In Burp, study the OAuth flow in the proxy history and identify the most recent authorization request. This should start with GET /auth?client_id=[...]. Notice that when this request is sent, you are immediately redirected to the redirect_uri along with the authorization code in the query string. Send this authorization request to Burp Repeater.
- In Burp Repeater, observe that you can submit any arbitrary value as the redirect_uri without encountering an error. Notice that your input is used to generate the redirect in the response.
- Change the redirect_uri to point to the exploit server, then send the request and follow the redirect. Go to the exploit server's access log and observe that there is a log entry containing an authorization code. This confirms that you can leak authorization codes to an external domain.
- Go back to the exploit server and create the following
- Store the exploit and click "View exploit". Check that your iframe loads and then check the exploit server's access log. If everything is working correctly, you should see another request with a leaked code.
- Deliver the exploit to the victim, then go back to the access log and copy the victim's code from the resulting request.
- Log out of the blog website and then use the stolen code to navigate to https://YOUR-LAB-ID.web-security-academy.net/oauth-callback?code=STOLEN-CODE. The rest of the OAuth flow will be completed automatically and you will be logged in as the admin user. Open the admin panel and delete Carlos to solve the lab.
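The root cause the lab demonstrates is the provider accepting any redirect_uri instead of checking it against the URIs registered for the client. The following is an added example (not the lab's or PortSwigger's code) modelling that /auth decision in Python: lax_redirect_ok reproduces the vulnerable behaviour, strict_redirect_ok is the exact-match check a provider should perform, and the client_id, registered URI and code value are constructed placeholders.

```python
from urllib.parse import urlsplit

# Constructed registration for a hypothetical client; not the lab's real values.
REGISTERED_REDIRECT_URIS = {
    "client-123": {"https://client.example/oauth-callback"},
}


def lax_redirect_ok(client_id, redirect_uri):
    """Models the lab's broken provider: any redirect_uri is accepted
    as long as the client_id exists, so the code can be sent anywhere."""
    return client_id in REGISTERED_REDIRECT_URIS


def strict_redirect_ok(client_id, redirect_uri):
    """Exact string match against the pre-registered redirect URIs.
    Also rejects fragments, embedded credentials and non-HTTPS schemes, so
    the authorization code can only be delivered to the registered client."""
    registered = REGISTERED_REDIRECT_URIS.get(client_id, set())
    parts = urlsplit(redirect_uri)
    if parts.scheme != "https" or parts.fragment or parts.username:
        return False
    return redirect_uri in registered


def authorize(client_id, redirect_uri, validator):
    """Minimal model of the /auth endpoint. With a valid redirect_uri the
    provider answers 302 to that URI carrying the code. On a mismatch it
    must show an error and must NOT redirect (RFC 6749 section 3.1.2.4),
    otherwise the code still leaks to the attacker-chosen URI."""
    if not validator(client_id, redirect_uri):
        return {"status": 400, "error": "invalid_request: bad redirect_uri"}
    code = "CONSTRUCTED-CODE"  # a real provider issues a fresh random code
    sep = "&" if urlsplit(redirect_uri).query else "?"
    return {"status": 302, "location": f"{redirect_uri}{sep}code={code}"}


if __name__ == "__main__":
    for uri in ("https://client.example/oauth-callback", "https://exploit.example/"):
        print(uri,
              "lax:", authorize("client-123", uri, lax_redirect_ok)["status"],
              "strict:", authorize("client-123", uri, strict_redirect_ok)["status"])
```

Path traversal suffixes, scheme downgrades and fragments all fail the strict check because nothing short of byte-for-byte equality with a registered URI is accepted.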