Writeup: Forced OAuth profile linking

Lab link.

The state parameter stores a unique, unpredictable value tied to the current session in the client application. The OAuth service must return exactly this value in the response along with the authorization code, which proves that the request comes from the person who initiated the OAuth flow. In effect, the state parameter acts as a CSRF token for the client application.

If the application does not use the state parameter, the attacker can potentially hijack the victim user’s account in the client application by linking their social media account.
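The following is an added example (not code from the lab or this writeup) showing how a client application binds the state parameter to the session and rejects a callback that lacks it or carries a value issued to another session. Endpoint URLs, client id and session ids are constructed placeholders.

```python
import hmac
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed in-memory session store: session_id -> per-session data (placeholder for a real store)
SESSIONS = {}


def build_authorization_url(session_id, auth_endpoint, client_id, redirect_uri):
    """Generate a fresh unpredictable state, bind it to this session, and return the authorization URL."""
    state = secrets.token_urlsafe(32)
    SESSIONS.setdefault(session_id, {})["oauth_state"] = state
    params = {"client_id": client_id, "redirect_uri": redirect_uri,
              "response_type": "code", "scope": "openid profile email", "state": state}
    return f"{auth_endpoint}?{urlencode(params)}"


def validate_callback(session_id, callback_url):
    """Return the authorization code only if the callback's state matches the one issued to this session."""
    query = parse_qs(urlparse(callback_url).query)
    expected = SESSIONS.get(session_id, {}).get("oauth_state")
    received = query.get("state", [None])[0]
    # A missing state (the lab's situation) or a state from another session is refused.
    if expected is None or received is None:
        return None
    if not hmac.compare_digest(expected.encode(), received.encode()):
        return None
    SESSIONS[session_id].pop("oauth_state")  # consume on success so the state is single-use
    return query.get("code", [None])[0]


def demo_flow():
    """Run one legitimate callback and two forged ones; returns (no_state, other_session_state, legit)."""
    auth, client, redirect = "https://oauth.example/auth", "client-app", "https://client.example/oauth-linking"
    victim_state = parse_qs(urlparse(build_authorization_url("victim-session", auth, client, redirect)).query)["state"][0]
    attacker_state = parse_qs(urlparse(build_authorization_url("attacker-session", auth, client, redirect)).query)["state"][0]
    no_state = validate_callback("victim-session", f"{redirect}?code=x1")
    cross = validate_callback("victim-session", f"{redirect}?code=x2&state={attacker_state}")
    legit = validate_callback("victim-session", f"{redirect}?code=x3&state={victim_state}")
    return no_state, cross, legit


if __name__ == "__main__":
    print(demo_flow())  # (None, None, 'x3')
```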

To examine the OAuth system requests in the lab, let’s log in with the information given to us, log out, and log in again.

We notice that there is no state parameter in the Authorization Request, so the application is vulnerable to a CSRF attack.

The Redirect URI is where the application receives the authorization code and performs the next steps; in this lab the authorization code is delivered to /oauth-linking. We go to My Account and turn on proxy intercept. We click the “Attach a social profile” link and forward the subsequent requests in the intercept. When we reach the request “GET /oauth-linking?code=”, we copy its URL and drop the request. This way the code remains valid, since it was never consumed.

We go to the exploit server. Here we can use either an iframe or window.location. By delivering this iframe to the victim’s browser we pass off the copied redirect as the user’s own OAuth flow, and, as the lab says, “The admin user will open anything you send from the exploit server and they always have an active session on the blog website.”, so the admin opens it.
