Writeup: Forced OAuth profile linking - Aleyna Doğan

Writeup: Forced OAuth profile linking

Lab link.

The state parameter holds a unique, unpredictable value tied to the current session in the client application. The OAuth service must return exactly this value in the response along with the authorization code. Because only the party that started the flow knows the value, it proves that the response belongs to the person who initiated the OAuth flow; in effect, the state parameter acts as a CSRF token for the client application.

If the application does not use the state parameter, an attacker can potentially hijack the victim user's account in the client application by linking the attacker's own social media account to it.
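To make the check concrete, here is an added example (not the lab's code or the author's) of a minimal client-side linking flow: the vulnerable callback accepts any code it receives, while the hardened version mints a one-time state bound to the session and refuses callbacks that do not carry it back. The authorization endpoint, client id and hostnames are assumed placeholders; only the /oauth-linking path comes from the writeup.

```python
import hmac
import secrets
from typing import Tuple
from urllib.parse import urlencode

AUTHORIZE_URL = "https://oauth.example/auth"             # assumed authorization endpoint
CLIENT_ID = "example-client-id"                          # assumed client id
REDIRECT_URI = "https://client.example/oauth-linking"    # lab's callback path, host assumed


def begin_profile_link(session: dict) -> str:
    """Start the linking flow: mint a one-time state bound to this session
    and return the authorization URL the browser is sent to."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    query = urlencode({
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "response_type": "code",
        "scope": "openid profile email",
        "state": state,
    })
    return f"{AUTHORIZE_URL}?{query}"


def handle_oauth_linking_vulnerable(session: dict, params: dict) -> Tuple[bool, str]:
    """The lab's flaw, modelled: no state is sent or checked, so any callback
    carrying a code links that social profile to whoever is currently logged in."""
    if not params.get("code"):
        return False, "authorization code missing"
    return True, "profile linked"


def handle_oauth_linking(session: dict, params: dict) -> Tuple[bool, str]:
    """Hardened callback for /oauth-linking. Returns (accepted, reason).
    The stored state is removed on first use, so a callback can only be
    honoured once and only by the session that started the flow."""
    expected = session.pop("oauth_state", None)
    presented = params.get("state")
    if expected is None:
        return False, "no linking flow in progress for this session"
    if presented is None:
        return False, "state missing from callback"
    if not hmac.compare_digest(expected, presented):
        return False, "state mismatch: callback was not initiated by this session"
    if not params.get("code"):
        return False, "authorization code missing"
    # Only now would the client exchange params["code"] and link the profile.
    return True, "profile linked"
```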

To examine the OAuth system requests in the lab, let’s log in with the information given to us, log out, and log in again.

We notice that there is no state parameter in the authorization request, so the application is vulnerable to a CSRF attack.

The redirect URI is where the application receives the authorization code and performs the next steps; in this lab the authorization code is delivered to /oauth-linking. We go to My Account and turn on proxy intercept. We click the "Attach a social profile" link and forward the requests that follow in the proxy intercept. When the request "GET /oauth-linking?code=" appears, we copy its URL and drop the request. Because the code is never delivered to the application, it remains valid.

We go to the exploit server. Here we can use either an iframe or window.location. By showing this iframe in the user's browser we fake an OAuth authentication page, and, as the lab says, "The admin user will open anything you send from the exploit server and they always have an active session on the blog website," so the admin opens it.
