The intent of this blog post is to help penetration testers and security researchers gain a deeper understanding of the OAuth protocol. We are going to learn how to bypass authentication using OAuth's implicit flow. Before we attack OAuth, we need to understand how this wonderful protocol works.
What is OAuth?
OAuth is not an API or a service. It is a standard authorization framework that applications use to provide the client with "secure delegated access". OAuth works over HTTPS and provides APIs, servers, and applications with access tokens rather than credentials.
How does OAuth Work?
Many applications have relied on basic username and password authentication, which can create problems when trying to provide access to application data that requires account authentication. OAuth solves this problem by allowing the client to interact directly with the application resource on behalf of the resource owner using an encrypted token.
Resource Owner: The resource owner is the user/entity granting access to their protected resource
Resource Server: The resource server is the server handling authenticated requests after the application has obtained an access token on behalf of the resource owner.
Client Application: The client application is the application requesting authorization from the resource owner.
Authorization Server: The authorization server is the server issuing access tokens to the client application after successfully authenticating the resource owner and obtaining authorization.
client_id: The client_id is the identifier for the application. It is a public, non-secret unique identifier.
client_secret: The client_secret is a secret known only to the application and the authorization server. It is used to generate access_tokens.
response_type: The response_type is a value that specifies which type of token is being requested.
The diagram below displays an overview of how OAuth works.
[Image: Picture1 (http://www.redsiege.com/wp-content/uploads/2021/03/Picture1.png)]
Bypassing Authentication with OAuth
Now that we have a basic understanding of how OAuth works, we are going to walk through the steps taken to bypass authentication via the OAuth implicit flow, using the Web Security Academy application from PortSwigger Attack Labs as an example. The screenshot below displays the Academy blogger web application.
First, configure your proxy to funnel all traffic through Burp Suite, then authenticate using the test social media account credentials (username: wiener, password: peter).
While going through the steps of logging into the application, pay close attention to the captured requests before sending them. The screenshot below displays the request you need to capture and modify in order to bypass authentication in this OAuth application.
Note: If you happen to hit send too quickly you can also go back to the HTTP history tab within Burp Suite.
After capturing the POST request, change both the username and email address before sending the request. As shown in the screenshot below, the email address used in this case was firstname.lastname@example.org and the username was changed to bsdbandit.
After sending the modified POST request, the response in my browser shows that I'm now logged in as Carlos, as shown in the screenshots below.
Impact of the Attack
The reason this attack worked is a validation bypass in the "email" parameter of the OAuth flow: the client application failed to check that the supplied email matched the user the access token was issued for. That flawed validation made it possible for an attacker to log in to another user's account without knowing their password.
OAuth is a complex protocol, and bypassing authentication using it is just one of several different attacks that can be carried out against the OAuth protocol. This knowledge can be used not only to attack OAuth but also to help developers fix broken implementations and ship secure software.
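To tie the protocol overview above (resource owner, client application, authorization and resource servers, client_id and response_type) to the bypass just described, here is an added example that is not code from the original post, from PortSwigger, or from any real OAuth library. It models the implicit flow in memory: the authorization server hands the client an access token in the redirect fragment, the client application then posts email, username and token to its own /authenticate endpoint, and that handler is shown in both its flawed form (identity taken from the client-supplied email, as in the lab) and its corrected form (identity taken only from what the resource server says about the token, with a mismatch rejected so it can be logged). All account names, endpoints, the client_id "blog-client" and the redirect URI are constructed assumptions.

```python
"""Constructed, in-memory model of the OAuth implicit flow and of the
client application's /authenticate handler, flawed and fixed.
Added example; not the original post's code. Every name below is assumed."""
import secrets
from urllib.parse import urlencode, urlparse, parse_qs


class OAuthProvider:
    """Plays both the authorization server and the resource server
    (the "social media" provider the lab logs in through)."""

    def __init__(self):
        # constructed sample accounts held at the provider
        self.users = {
            "wiener": {"username": "wiener", "email": "wiener@example.org"},
            "carlos": {"username": "carlos", "email": "carlos@example.org"},
        }
        # client_id -> the single redirect_uri registered for it (assumed)
        self.registered_clients = {"blog-client": "https://blog.example/oauth-callback"}
        self.tokens = {}  # access_token -> resource owner it was issued to

    def authorize(self, client_id, response_type, redirect_uri, resource_owner):
        """Authorization endpoint. With response_type=token (implicit flow) the
        access token is returned straight back in the redirect URL fragment."""
        if self.registered_clients.get(client_id) != redirect_uri:
            raise ValueError("unknown client_id or unregistered redirect_uri")
        if response_type != "token":
            raise ValueError("only the implicit flow is modelled here")
        token = secrets.token_urlsafe(24)
        self.tokens[token] = resource_owner
        return redirect_uri + "#" + urlencode({"access_token": token, "token_type": "Bearer"})

    def me(self, access_token):
        """Resource server endpoint: the profile of whoever the token belongs to."""
        owner = self.tokens.get(access_token)
        if owner is None:
            raise PermissionError("invalid access token")
        return dict(self.users[owner])


def token_from_redirect(url):
    """Client application side: pull the access token out of the URL fragment."""
    return parse_qs(urlparse(url).fragment)["access_token"][0]


def authenticate_flawed(provider, body):
    """The behaviour the lab exhibits: the token is confirmed valid, but the
    session identity is taken from the email field the browser sent."""
    provider.me(body["token"])  # valid token, but the handler never asks for whom
    return {"logged_in_as": body["email"]}


def authenticate_fixed(provider, body):
    """Corrected handler: identity comes only from the resource server's view
    of the token; a client-supplied email that disagrees is rejected (and is a
    good thing to log, since it indicates tampering)."""
    profile = provider.me(body["token"])
    if body.get("email") is not None and body["email"] != profile["email"]:
        raise PermissionError("email does not match the token's resource owner")
    return {"logged_in_as": profile["email"]}


def demo():
    """Run wiener's token through both handlers with a tampered and an honest body."""
    provider = OAuthProvider()
    redirect = provider.authorize("blog-client", "token",
                                  "https://blog.example/oauth-callback", "wiener")
    token = token_from_redirect(redirect)
    tampered = {"email": "carlos@example.org", "username": "carlos", "token": token}
    honest = {"email": "wiener@example.org", "username": "wiener", "token": token}
    flawed_result = authenticate_flawed(provider, tampered)["logged_in_as"]
    try:
        fixed_tampered = authenticate_fixed(provider, tampered)["logged_in_as"]
    except PermissionError:
        fixed_tampered = "rejected"
    fixed_honest = authenticate_fixed(provider, honest)["logged_in_as"]
    return flawed_result, fixed_tampered, fixed_honest


if __name__ == "__main__":
    print(demo())  # ('carlos@example.org', 'rejected', 'wiener@example.org')
```

The design point is that the client application must never derive the logged-in identity from fields the browser supplies alongside the token; the only trustworthy statement about who the token belongs to comes from the resource server. Treating a mismatch as an error rather than silently correcting it also gives the application a clean signal to alert on.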
To continue getting up to date information on all of the live events, discussions, educational webcasts and giveaways – Please subscribe to the Red Siege Email list.