Hello and greetings, everyone! In this blog we will explore how the OAuth implicit flow authentication scheme becomes vulnerable when it is not configured properly. We will discuss how OAuth works and walk through a common attack flow.
Before we start, what is OAuth?
OAuth is an open-standard authorization protocol or framework that gives applications the ability for "secure designated access." For example, you can tell Facebook that it is OK for securiumsolutions.com to access your profile or post updates to your timeline without having to give securium your Facebook password. This is how the OAuth flow works.
Below are some important elements you need to understand in an OAuth 2.0 context:
resource owner, resource server, client application, authorization server, client_id, client_secret, response_type, scope, redirect_uri, state, implicit grant_type
In OAuth, each of these elements has a different function, and together they carry the full authentication for the user.
Common security risks: OAuth has a number of security issues if you forget to configure it properly. These include:
- Authentication bypass via OAuth implicit grant flow
- Forced OAuth profile linking
- OAuth account hijacking via redirect_uri
- Stealing OAuth access tokens via an open redirect
- Stealing OAuth access tokens via a proxy page
Authentication bypass via OAuth implicit flow, example attack scenario:
We have a lab: https://portswigger.net/web-security/oauth/lab-oauth-authentication-bypass-via-oauth-implicit-flow
Navigate to https://ac1c1f541ec59236801819cd00f9006f.web-security-academy.net/
As the picture above shows, the website has a My account section. Click on My account, which starts the OAuth authentication flow; in the picture below we see the Social Login option.
As shown above, Social Login uses OAuth. After you log in successfully, it asks you to allow the service to access your data, as in the picture below:
Click Continue, which completes the authorization. After Continue, the client processes another request, shown in the picture below.
This request carries the token together with the username and email. Here we change the email to the victim's; in our case the victim is carlos@carlos-montoya.net.
As shown above, we changed the email to the victim's and forwarded the request. The result is an account takeover: we can now access the victim account carlos.
As shown above, we successfully logged in as the victim. This is possible because of a validation bypass in the "email" parameter of the OAuth flow: flawed validation by the client application makes it possible for an attacker to log in to other users' accounts without knowing their password.
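To show what the client application should have checked, here is an added Python example (not code from the original post or from the lab) with the vulnerable authenticate step beside a hardened version. The token values, the wiener user record and the fetch_userinfo() stand-in are constructed assumptions; a real client would call the provider's user-info endpoint with the access token.

```python
# Added example (not from the original post): the client-side authenticate step
# of the implicit flow, in a vulnerable form and a hardened form.
# The token values, user records and fetch_userinfo() are constructed for this
# illustration; a real client would call the provider's user-info endpoint.

# Constructed: what the OAuth provider would return for each access token.
USERINFO_BY_TOKEN = {
    "tok-wiener-abc123": {"username": "wiener", "email": "wiener@hotdog.com"},
}


def fetch_userinfo(access_token):
    """Stand-in for the provider's user-info endpoint (e.g. GET /me with a Bearer
    token). Returns the identity bound to the token, or None if it is unknown."""
    return USERINFO_BY_TOKEN.get(access_token)


def authenticate_vulnerable(body):
    """Flawed client: checks that the token is valid, then trusts the email from
    the browser's POST body, so the session is never tied to the token's owner."""
    if fetch_userinfo(body["token"]) is None:
        return None
    return {"logged_in_as": body["email"]}


def authenticate_hardened(body, audit_log):
    """Fixed client: the session identity comes only from the provider's answer
    for the token. Any email posted by the browser is ignored, and a mismatch is
    recorded because it is a strong tampering signal worth alerting on."""
    info = fetch_userinfo(body["token"])
    if info is None:
        return None
    posted = body.get("email")
    if posted is not None and posted != info["email"]:
        audit_log.append(f"email mismatch: posted={posted} token_owner={info['email']}")
    return {"logged_in_as": info["email"]}


# Constructed request body: a valid token for wiener, but the email field swapped
# to the victim's address, as in the walkthrough above.
TAMPERED_BODY = {
    "email": "carlos@carlos-montoya.net",
    "username": "wiener",
    "token": "tok-wiener-abc123",
}

if __name__ == "__main__":
    log = []
    print("vulnerable:", authenticate_vulnerable(TAMPERED_BODY))
    print("hardened:  ", authenticate_hardened(TAMPERED_BODY, log), log)
```

The hardened version logs in the token's real owner regardless of what the browser posted, and the mismatch entry gives the SOC something concrete to detect.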
Conclusion
In this blog we discussed how the OAuth flow works and how a basic misconfiguration of that flow leads to user account takeover. There are plenty of other attacks and things that can go wrong in an OAuth implementation, but these are some of the common issues you will see. These misconfigurations are surprisingly common.
Thanks for reading. See you in another blog!
Stick with our blog: https://securiumsolutions.com/blog/