Lab: Forced OAuth profile linking
This lab gives you the option to attach a social media profile to your account so that you can log in via OAuth instead of using the normal username and password. Due to the insecure implementation of the OAuth flow by the client application, an attacker can manipulate this functionality to obtain access to other users' accounts.
To solve the lab, use a CSRF attack to attach your own social media profile to the admin user's account on the blog website, then access the admin panel and delete Carlos.
The admin user will open anything you send from the exploit server and they always have an active session on the blog website.
You can access your own accounts with the following credentials:
Blog website account:
Social media profile:
- While proxying traffic through Burp, log in to your account using the classic username and password login. Go to your account page and attach your social media profile to the account. Log out again and then click "Log in with social media". Observe that you are now logged in instantly via your newly linked social media account.
- In the proxy history, study the series of requests for attaching a social profile. In the GET /auth?client_id[...] request, observe that the redirect_uri for this functionality sends the authorization code to /oauth-linking. Importantly, notice that the request does not include a state parameter to protect against CSRF attacks.
- Turn on proxy interception and select the "Attach social profile" option again.
- Go to Burp Proxy and forward any requests until you have intercepted the one for GET /oauth-linking?code=[...]. Right-click on this request and select "Copy URL".
- Drop the request. This is important to ensure that the code is not used and, therefore, remains valid.
- Turn off proxy interception and log out of the blog website.
- Go to the exploit server and create an iframe in which the src attribute points to the URL you just copied. The result should look something like this:
- Deliver the exploit to the victim. When their browser loads the iframe, it will complete the OAuth flow using your social media profile, attaching it to the admin account on the blog website.
- Go back to the blog website and select "Log in with social media". Notice that you are now logged in as the admin user. Go to the admin panel and delete Carlos to solve the lab.
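As an added example (not part of the lab or PortSwigger's code), this is how the client application should have protected the /oauth-linking step: mint an unguessable state bound to the user's session when the linking flow starts, and refuse any callback whose state is missing, already used, or does not match. The authorization server URL, client_id, and the session dict are assumptions; only the /oauth-linking callback path comes from the lab.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed values: the lab's real authorization server and client_id are not reproduced.
AUTH_SERVER = "https://oauth-server.example/auth"
CLIENT_ID = "example-client-id"
REDIRECT_URI = "https://blog.example/oauth-linking"  # same callback path as the lab


def build_linking_url(session: dict) -> str:
    """Start the 'attach social profile' flow for the logged-in user.

    The fix is the state parameter: a fresh, unguessable value stored in the
    user's own session, so the callback can only succeed in the session that
    started the flow. A cross-site iframe cannot supply the victim's state.
    """
    state = secrets.token_urlsafe(32)
    session["oauth_link_state"] = state
    params = {
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "response_type": "code",
        "scope": "openid profile email",
        "state": state,
    }
    return f"{AUTH_SERVER}?{urlencode(params)}"


def handle_oauth_linking(session: dict, callback_url: str) -> tuple[bool, str]:
    """Handle GET /oauth-linking?code=...&state=... and return (linked, reason)."""
    query = parse_qs(urlparse(callback_url).query)
    code = query.get("code", [None])[0]
    state = query.get("state", [None])[0]
    # Pop before checking: the pending state is single-use even if the check fails.
    expected = session.pop("oauth_link_state", None)
    if not code:
        return False, "missing code"
    if expected is None or state is None:
        # The vulnerable lab accepted this case: a code arriving in a session that
        # never started a linking flow, which is exactly what the CSRF iframe causes.
        return False, "missing state"
    if not hmac.compare_digest(expected, state):
        return False, "state mismatch"
    # Only now exchange `code` at the token endpoint and link the returned social
    # profile to session["user"] (the token exchange itself is omitted here).
    return True, f"linked social profile to {session['user']}"
```

The same check belongs on every OAuth callback the client exposes, not only the login one; the lab's bug is that the profile-linking callback was the one left without it.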