
Authentication bypass via OAuth implicit flow

Hello everyone! In this blog we will explore how the OAuth implicit flow authentication scheme becomes vulnerable if it is not properly configured. We will discuss how OAuth works and the common attack flows against it.

Before we start: what is OAuth?

OAuth is an open-standard authorization protocol or framework that provides applications the ability for “secure designated access.” For example, you can tell Facebook that it’s OK for securiumsolutions.com to access your profile or post updates to your timeline without having to give securium your Facebook password. This is how the OAuth flow works.

Below are some elements that are important to understand in an OAuth 2.0 context:

resource owner, resource server, client application, authorization server, client_id, client_secret, response_type, scope, redirect_uri, state, implicit grant_type

Each of these elements has a different function in OAuth, and together they carry out the full authentication of the user.

Common security risks: OAuth has various security issues if you forget to configure it properly. This can cause:

  • Authentication bypass via OAuth implicit grant flow
  • Forced OAuth profile linking
  • OAuth account hijacking via redirect_uri
  • Stealing OAuth access tokens via an open redirect
  • Stealing OAuth access tokens via a proxy page

Authentication bypass via OAuth implicit flow: example attack scenario

We use this lab: https://portswigger.net/web-security/oauth/lab-oauth-authentication-bypass-via-oauth-implicit-flow

Navigate to https://ac1c1f541ec59236801819cd00f9006f.web-security-academy.net/

The website has a My account option. Click My account, which uses the OAuth authentication flow, and the social login page appears.

The social login uses OAuth. After you log in successfully, it asks you to allow access to the service.

Click Continue, which creates the authorization. After that, the browser sends another request.

This request carries the token, username and email. Change the email to the victim's; in our case the victim is carlos@carlos-montoya.net.

With the email changed to the victim's, forward the request. The result is account takeover: we can now access the victim account carlos.

We successfully logged in as the victim. This is possible due to a validation bypass in the “email” parameter in the OAuth flow. Flawed validation by the client application makes it possible for an attacker to log in to other users’ accounts without knowing their password.
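
The server-side check that closes this flaw, as an added example (not code from the lab or the original post): the client application's backend derives the logged-in identity from the access token instead of trusting the email in the request body. The handler names, the in-memory token store standing in for the provider's userinfo endpoint, and the attacker account are assumptions constructed for illustration.

```python
# Constructed stand-in for the authorization server's userinfo lookup.
# In a real deployment this is an HTTPS request to the provider made by the
# client application's backend, using the access token as a bearer token.
ISSUED_TOKENS = {
    "tok-attacker-001": {"sub": "attacker", "email": "attacker@example.test"},
}


def fetch_userinfo(access_token):
    """Return the identity the provider bound to this token, or None."""
    return ISSUED_TOKENS.get(access_token)


def login_vulnerable(body):
    """Assumed model of the flaw: the token is checked, the email is trusted."""
    if fetch_userinfo(body.get("token", "")) is None:
        return None
    return body.get("email")  # identity taken from client-controlled input


def login_hardened(body):
    """Identity comes only from the token; body fields are cross-checked."""
    claims = fetch_userinfo(body.get("token", ""))
    if claims is None:
        return None
    submitted = (body.get("username"), body.get("email"))
    if submitted != (claims["sub"], claims["email"]):
        return None  # mismatch means the body was altered in transit: reject
    return claims["email"]


# Constructed request bodies: the honest one, and the same one with the email
# swapped to the victim address used in the walkthrough above.
HONEST = {"token": "tok-attacker-001", "username": "attacker",
          "email": "attacker@example.test"}
TAMPERED = dict(HONEST, email="carlos@carlos-montoya.net")

if __name__ == "__main__":
    for name, body in (("honest", HONEST), ("tampered", TAMPERED)):
        print(name, "vulnerable ->", login_vulnerable(body),
              "| hardened ->", login_hardened(body))
```

Rejected mismatches are worth logging with the token's real subject, since a body that disagrees with its own token is a strong tampering signal.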

 

Conclusion 

In this blog we discussed how the OAuth flow works and how a basic auth misconfiguration leads to user account takeover. There are plenty of other attacks and things that can go wrong in an OAuth implementation, but these are some of the common issues that you will see. These misconfigurations are surprisingly common.

Thanks for reading. See you in another blog!

Stick with our blog: https://securiumsolutions.com/blog/

Author : Pallab Jyoti Borah | VAPT Analyst
