The most infamous OAuth-based vulnerability is when the configuration of the OAuth service itself enables attackers to steal authorization codes or access tokens associated with other users’ accounts. By stealing a valid code or token, the attacker may be able to access the victim's account.
5
5
6
6
## Where to find
7
-
In the SSO feature. For example `Log in with google` or `Log in with facebook`.
7
+
In the SSO feature. For example the URL will be looks like this
2. Change Referral header to attacker.com while requesting OAuth.
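Review bot: the new line 7 (`In the SSO feature. For example the URL will be looks like this`) promises an example URL but none follows, so the sentence is left dangling; it also drops the concrete `Log in with google` / `Log in with facebook` hint that told readers what to look for on the target. Suggest keeping the original wording and, if a URL example is wanted, appending a complete authorization-request sample (the standard `response_type`, `client_id`, `redirect_uri`, `scope` and `state` parameters) on its own line, and fixing the grammar to "the URL will look like this".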
12
-
3. Create an account with [email protected] with normal functionality. Create account with [email protected] using OAuth functionality. Now try to login using previous credentials.
13
-
4. OAuth Token Re-use.
14
-
5. Missing or broken state parameter.
15
-
6. Lack of origin check.
16
-
7. Open Redirection on another endpoint > Use it in redirect_uri
17
-
8. If there is an email parameter after signin then try to change the email parameter to victim's one.
18
-
9. Try to remove email from the scope and add victim's email manually.
19
-
10. Only company's email is allowed? > Try to replace hd=company.com to hd=gmail.com
20
-
11. Check if its leaking client_secret parameter.
21
-
12. Go to the browser history and check if the token is there.
13
+
1. OAuth token stealing bychanging`redirect_uri`and Use IDN Homograph
14
+
* Normal parameter
15
+
```
16
+
&redirect_uri=https://example.com
17
+
```
18
+
* IDN Homograph
19
+
```
20
+
&redirect_uri=https://еxamplе.com
21
+
```
22
+
If you notice, im not using the normal `e`
23
+
2. Create an account with [email protected] with normal functionality. Create account with [email protected] using OAuth functionality. Now try to login using previous credentials.
24
+
3. OAuth Token Re-use.
25
+
4. Improper handling of state parameter
26
+
27
+
To exploit this, go through the authorization process under your account and pause immediately after authorization. Then send this URL to the logged-in victim
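Review bot: this hunk deletes nine of the old checks (missing or broken `state`, lack of origin check, open redirect reused in `redirect_uri`, email parameter swap, removing email from `scope`, the `hd=company.com` restriction, leaked `client_secret`, tokens in browser history) but the new list only carries over three of them and then stops mid-sentence at `Then send this URL to the logged-in victim`; either restore the removed items or finish the new list before merging, otherwise the checklist loses coverage. The new item 1 also needs its text repaired: `bychanging`redirect_uri`and` is missing spaces, `im` should be `I'm`, and the two `* Normal parameter` / `* IDN Homograph` bullets and their fences must be indented under the numbered item or Markdown renders them as a separate list that restarts the numbering. For the IDN homograph example, state the defensive point explicitly: the server must compare `redirect_uri` against the registered value as an exact, normalized (punycode) string match, which is why the Cyrillic `е` in `еxamplе.com` must not be accepted. Likewise item 4 (`Improper handling of state parameter`) should say what "improper" means, namely that `state` must be unguessable and bound to the user's session and verified on the callback, so readers know both what to test and what the fix is.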