This was a typical project management web application, using Microsoft's OAuth 2.0 to authorize its users and grant them access to the application. Nothing, I was like What?! An attacker can take over the victim's account and compromise the system. Viewing my profile page, the social account is not there, so I started to do some analysis to understand what is going on. The first thing I do in my debugging process is logging all the communications between the windows using a simple extension; you can install this Chrome extension. My console was full of data; after some filtering I found this flaw. First, when I click the link button there is a postMessage with a click event sent. Enable the issuing server to revoke the tokens on logout and after a particular amount of time. So it seems that before the linking action is taken, something needs to load first. The first thing that got into my mind is why the link is not working, so when I opened the link that I dropped above I noticed an error in the console. So let's trace it; this video by STK will help you a lot. Opening the callback resolver, I found that the issue was in this line, so let's put some breakpoints to see why. As you can see, the problem is that settingsService.qsParams is undefined, so we cannot continue and the process stops. a. The endpoint lacked CSRF protection. As you can see, there is no CSRF token. In this case, if the application fails to use a CSRF token, an attacker could potentially hijack a victim user's account on the client application by binding it to their own social media account. Generally, account takeover via OAuth functionality occurs due to a weak implementation of redirect_uri. SaaS platforms) to access your data that is already on the Internet. 
JSON Web Tokens (JWTs) are a standard for representing claims securely between two parties. Properly verify the signature of the incoming token on the server side. An OAuth-based vulnerability is when the configuration of the OAuth service itself enables attackers to steal authorization associated with other users' accounts. P2 Vulnerability - Account takeover using OAuth Misconfiguration, Vulnerability Category: A6 - Security Misconfiguration. Account Takeover by OAuth Misconfiguration - If the application uses OAuth, there are multiple ways to perform account takeover if the OAuth is misconfigured. In authentication parlance, this is known as secure, third-party, user-agent, delegated authorization. If used, do not allow the URL as user input for the destination. 3. I was successfully authenticated to Facebook, then I intercepted the callback from Facebook. When I saw the callback, I wondered: there is no state parameter, which means there is no protection from a CSRF attack, so let's exploit that. So I modified my payload to close the existing script tag to check whether injecting scripts is possible or not. Vulnerability Description: OAuth 2.0 is an authorization framework for web applications. Thus, the victim is not required to set a password. I practiced on those websites that don't even have RVDP programs or any security team. Let's check it out. So let's try to create an iframe and send some data. I read this article, which is super useful to understand how to do it, but the problem is I couldn't figure out how to send this custom event. You change the payload like here; the sub is the username. 
Even though I was not able to get tokens by manipulating the redirectUrl, an attack could still have been possible if somehow the parameter was vulnerable to an XSS, allowing me to directly read the tokens either from the source or from the session storage. Unvalidated redirect and forward attacks may also be used to maliciously craft a URL that passes the application's access control check and then redirects the attacker to privileged functionality that they would not ordinarily be allowed to access. So the impact is that it does not authenticate the real user; attackers can easily take over the account. These claims can include things like the user's identity, the expiration time of the token, and any other relevant information. I reported the bugs to them, but as we all know, there is no response from many companies (Struggle Bug Hunters Face). When a user clicks on an OAuth-enabled link to log in to Site A with a social media account, Site A will then open a new window to Facebook, Google, or whatever trusted account is being used. OAuth Misconfiguration leads to complete account takeover. Hello guys. Once done with entering the needed details for signup, we landed on the dashboard directly by using the victim's email. The JWT tokens are subject to the following misconfigurations: the server has implemented the HS256 algorithm to sign the token, but the server also accepts tokens with a None signature. Therefore, the security of any JWT-based mechanism relies heavily on the cryptographic signature, which verifies the authenticity of the JSON Web Token. Jan 20, 2019 -- 4 
Implement JSON Web Tokens properly so the server cannot accept a JWT with no algorithm. When I saw this request I felt something interesting here, because there is no state parameter, which means it may be vulnerable to a CSRF attack. The redirect_uri is important because sensitive data, such as the code, is appended to this URL after authorization. https://app.victim.com/login?redirectUrl=https://app.victim.com/dashboard But the vulnerability was quite interesting. Let's start!!!! It verifies a user's identity to the website that requested it without giving passwords to the website. Force all redirects to first go through a page notifying the user that they are leaving your site, and have them click a link to confirm. All redirects must go through a page that informs the user that they are leaving your site and requires them to click a link to confirm. OAuth Misconfiguration Leads to Pre Account Takeover. It gives an attacker the ability to . Don't use common secrets when using HS256 signing algorithms. This post is taken from his article. https://example/oauthCallBack?code={code}&cid={id, https://javascript.info/cross-window-communication, https://vinothkumar.me/20000-facebook-dom-xss/, https://opnsec.com/2020/05/dom-xss-in-gmail-with-a-little-help-from-chrome/, https://portswigger.net/web-security/oauth. It contains other information like a kid and a UUID value; it is used when the server has more than one key to sign the token. Here Ramalingasamy M K (Security Researcher). Avoid using redirects and forwards based on user-provided input. Let's start with aquatone, a subdomain enumeration tool. After running that tool I got some subdomains, then ran some tools like Lazyrecon, EyeWitness, nmap, dirsearch, advanced Google dorks, Wappalyzer, and some scripts and tools, so now we got a target website. 
Use an up-to-date library for handling JSON Web Tokens. Sorry guys, I can't disclose the name of the company, so we can call it redacted.com. https://security.love/CSRF-PoC-Genorator/. So when the server receives the token, it can verify the token's signature based on the kid parameter, mapping it to the correct key. Then sign in using Gmail with the same mail id used to sign up for the account. Now change that to the victim's username, like an administrator. On the attacker's end, the attacker has the victim's email id and password to log in on https://cal.com/. Unfortunately it was already reported by another security researcher. Create an account with the victim's email address. Most web and mobile applications these days use OAuth to secure their authorization endpoints. Then, the victim can try to log in through the Google OAuth SSO; what happens here is that the victim lands directly on the dashboard by using the SSO. So I guess that this is what solves the problem. An attacker can successfully conduct a phishing scheme and steal user credentials by changing untrusted URL input to a malicious site. When I saw this option I just opened Burp Suite, clicked the Facebook icon for linking my account to Facebook, and intercepted the request and response. OAuth 2.0 is the industry-standard authorization protocol. It successfully logged in with my Facebook account, so I can take over any victim account. It's a simple OAuth misconfiguration leading to full account takeover. Let's call it - https://victim.com. 
This is a write-up of a chain of vulnerabilities (OAuth Misconfiguration, CSRF, XSS, and Weak CSP) that allowed me to take over a user account using a single interaction. I started looking for bugs in the OAuth implementation and quickly found that the state parameter was missing. It prioritizes client developer convenience while providing specific authorization flows for web applications, desktop applications, mobile phones, and living room devices. Summary: OAuth is a commonly used authorization framework that enables websites and web applications to request limited access to a user's account on another application. Integrating third-party OAuth providers is often left misconfigured by developers, which may lead to a bigger security impact such as account takeover. An attacker can use a victim's account whenever he wants. While I was testing this target I wanted to test the OAuth flow, since it has a lot of misconfigurations that developers don't recognize. So I found that the target allows users to log in using either a classic, password-based mechanism or by linking their account to a social media profile using OAuth. If the victim has admin-level privileges, it leads to sensitive information disclosure in the organization. This allows an attacker to gain pre-authentication to the victim's account. This may lead to OAuth token stealing if the token is returned along with the callback request. Now create another account. It also represents the type of the token, like JWT. There's a limitation that requires a validated email before going through the OAuth flow; however, this is bypassable. There is a lot of time and searching and debugging behind the scenes, so always try to find the highest impact for the issue. 
These errors occur when the token content is incorrectly set, leading to security issues such as unauthorized access to services. This is my first blog based on a security vulnerability that I identified during exam study leave. In this tutorial, we will learn how OAuth misconfiguration leads to full account takeover. The XSS when setting the user tokens in the session storage. An attacker gives himself high privileges on the system or an application that are not given to regular users, like admin privileges. A JSON Web Token (JWT) is made up of 3 parts. A flaw in the OAuth flow allows for the takeover of the victim's account. At this point I gave up and created a shitty click-jacking page where the user first needs to click on the link button, then I redirect him to the OAuth link. Either don't let the user enter with OAuth when there's already another account created with the same email, or let the user enter. OAuth 2.0 is an authorization protocol and NOT an authentication protocol. So, the attacker also has access to that account. Try to create a new account by using the victim's email address. The payload contains the actual claims or data being transmitted within the token. The OAuth 2.0 protocol involves several parties: the user; the resource owner (which may be the user or an organization); the client (the third-party application); and the authorization server (which issues access tokens). 2. 
Now open the poc.html page in the browser and click on the submit button; the Facebook account is successfully linked with the victim's account on https://www.redacted.com. Log out from the application and try to log in from your social account. Successfully logged into the victim account of. Ensure to test all possible test cases for JSON Web Token misconfiguration, such as lack of encryption, weak secret key, lack of expiration, lack of validation, lack of rate limiting, lack of input validation, and lack of proper error handling, before implementing JWTs to avoid these attacks. OAuth 2.0 is widely used by applications (e.g. Let's look at that website; the website looks like a normal webpage. I go to the signup page and the page looks like this. I am a part-time bug hunter who loves to hunt bugs on web applications. Critically Sensitive Data - Private API Keys. How to bypass: You can see that there are two methods to log in and register the account. So here I already created an account with the victim's mail; when the victim logs in to this account using continue. The signature is used to verify that the JWT has not been tampered with and that the claims it contains are genuine. You can use the JWT Editor Burp Suite extension. OAuth Account Takeover | Pentest Vulnerability Wiki. Admin panel takeover. 
GET /v3.1/dialog/oauth?response_type=code&redirect_uri=https%3A%2F%2Fredacted.com%2Fauth%2Ffacebook%2Fcallback&scope=email%2Cpublic_profile&client_id=00000000000 HTTP/1.1
Host: www.facebook.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://redacted.com/profile
Cookie: fr=0rqajcCy4gEh2nJvS.redactedPv2OYVcelE.AWVp7-tG; sb=OQwFXNTRCDFUcookieLIw0; datr=OQwFXBW2scookieSe4q; wd=1366XXXXX657; locale=en_GB; c_u
Connection: close

If an OAuth app does not require email verification, try signing up with that OAuth app with a victim's email address. I will be using example.com as the website name. User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36. The way this is going to be exploited is going to vary by the authorization server. Bypassing this behaviour can frequently lead to account takeover. I was able to do so and reported the same to example.com. Now start the reconnaissance using some tools. An open protocol to allow secure authorization in a simple and standard method from web, mobile, and desktop applications. Account takeover via "Forgot your password" functionality. For those who don't know about the state parameter, think of it like a CSRF token, which protects against CSRF attacks. OAuth authentication vulnerabilities arise partly because the OAuth specification is relatively vague and flexible by design. I created an account using my temporary mail, completed the email confirmation, and logged into my account. 1. 
The thing that troubled me was the data exfiltration, because the connect-src directive only allowed connections to certain domains. In simple terms, this means I can't randomly make requests to my own server to receive the tokens. Any settings can be changed by an attacker and, if the website has any premium or payment details, that leads to leakage of sensitive information. Here's how that would have looked -. JWTs are used for a variety of purposes, including authentication and authorization. Both the header and payload are encoded as base64 strings and are separated by a period (.) I created an account using the victim's mail, did not complete the email confirmation, and logged into the RedBull account. So, here a confirmation email was sent to the registered email address (the victim's mail). So, the vulnerability here is bypassing the email verification. JSON Web Token Misconfiguration Leads to Account Takeover. Register to the application using an email account and complete the whole registration process. Observe whether the application supports OAuth service providers like Facebook and Google, which let you link your social accounts to the application https://www.redacted.com/. Intercept the application using Burp Suite and now click on the Facebook icon for linking a social account to the account on https://www.redacted.com/. Observe the request and look out for whether the state parameter is implemented or not. If the state parameter is not there, it is vulnerable to a CSRF attack. Once you have successfully authenticated, intercept the callback request from Facebook; it looks like below. Generate a CSRF PoC on this page and save it as poc.html. Click format JSON, and send it to the server using Repeater. OAuth 2.0 is a Web Application Authorization Framework. 
If you were ever asked by a web or mobile application to give permissions to access your personal data, you have probably used OAuth 2.0. As such, it is designed primarily as a means of granting access to a set of resources, for example, remote APIs or user data. As a victim, I signed up and logged into the application via Google sign-in. For example, https://example.com is an application that has register and login functionality. There are two different ways to perform this attack. Looking above again, I noticed that when the SDK is triaging the click event we get a parameter called language, and the error we got is because the lang is not there. Until the victim identifies that this is an attacker-created account, and then until the victim changes the password and/or adds Authenticator OTP, the same account was accessed from both of their ends. But wait, there's more. Both the header and payload in a JSON Web Token (JWT) are JSON objects that contain information about the token. For bugs related to the Pocket API and getpocket.com website, OAuth Misconfiguration Leads to Pre Account Takeover, after signing up or creating an account log out. And as expected the data was coming from the popup page. I noticed that the popup endpoint doesn't have any dynamic tokens or CSRF tokens, so I crafted a simple URL with the parameters that I need, https://examble.com/init?appId=staticID&lang=en-GB&genomeId=StaticID&ssoId=anyID&nextUrl=https%3A%2F%2Fexample.com%2F, and when I opened it the SDK was initialized :). So I created a simple HTML page that loads the crafted URL and then opens the OAuth callback link; also, 2FA was not available in OAuth login, so we got the account :). 
Which shows the attacker's end, where the attacker can log in through the victim's email address and password, and the victim's end, where the victim can log in through the Google OAuth SSO. which redirected me to the Microsoft login page URL mentioned in the previous section. So I tried to manipulate the redirectUrl and changed it to a server that I controlled to see if I would receive the tokens, but unfortunately the application was not sending any of the tokens with the callback request, which was weird. Sign up for an account with the victim's name and email address and set a password. This article has helped you understand OAuth vulnerabilities. This is the value from the redirectUrl parameter shown earlier in the initial request. I found that example.com had a sign-up method by using. Unvalidated redirects and forwards are possible when a web application takes untrusted input, which may lead the web application to redirect the request to a URL included inside the untrusted input, according to OWASP. 6. Thank you all for reading and I hope you find it useful. Now we can test this vulnerability on a victim account; I created another redacted.com test account. AWS bucket misconfiguration. But still, you can access that user's account and do everything on behalf of that user. The page then redirected me to https://app.victim.com/dashboard using window.location.replace. After so many months, I am back with a writeup for an interesting vulnerability I found in RedBull two days ago, but it was a duplicate. While doing some research on https://cal.com/, I was able to find a pre-account takeover vulnerability. 
There are plenty of other attacks and things that can go wrong in an OAuth implementation, but these are some of the more common ones you will see. You can modify or forge your own token and exploit the vulnerability. If the victim then tries to register or sign in with a third party, such as Google, the application may do a lookup, see that the email is already registered, then link their Google account to the attacker-created account. With this, I was able to get my three ATOs in one. Now you have access to the victim's account through the email id and password you set. Either don't let the user enter with OAuth when there's already another account created with the same email, or let the user enter but let him know someone else has already created an account, and whether it was him or not, then ask him to change the password. From here, it was only one more step of data exfiltration to my own server to steal the tokens and create a report. One major similarity between the header and payload is that they both contain information that is used to validate the authenticity and integrity of the token. But it is not actually computing the signature and validating it. Unknowingly, the victim will create an account through the Google OAuth functionality. Feb 13, 2021 -- 2 Hi everyone, my name is Yasser (AKA Neroli in CTFs) and I wanted to share this finding with you :) Since it's a private program on Bugcrowd I will call it example.com. Let's start. Since the server does not validate the signature, it only checks whether it is present. Vulnerability in OAuth flow leads to takeover of victim account. This can usually be done. If user input is unavoidable, ensure that the supplied value is valid, appropriate for the application, and authorized for the user. It should be noted that JSON Web Token misconfiguration leads to account takeover. 
Implement the following to mitigate or fix the vulnerability: The blog addresses the essential issue with OAuth 2.0 misconfiguration: the general need for built-in security features. OAuth: OAuth stands for Open Authorization Framework and is the industry-standard delegation protocol for authorization. After some time I started to hunt websites randomly, like the web applications we use in our day-to-day life. 3. Along with the URL validation, the endpoint should have implemented CSRF validation. They are often used in modern web applications to transmit information between the client and the server securely. It is important to note that vulnerabilities can arise on both the client application and the OAuth service. These tokens were being stored in the browser's Session Storage using JavaScript as shown below -. Check for the token randomness b. Great resource -. The same issue as above could exist, but you'd be attacking it from another direction and getting access to the victim's account for an account takeover. OAuth is an open-standard authorization protocol or framework that describes how unrelated servers and services can safely allow authenticated access to their assets without actually sharing the initial, related, single logon credential. which is the victim account on https://www.redacted.com/; go to the settings page where you can link the social account. in the token. V4 - Access control. TOKEN STEALING: Main Goal: > Steal the access token of the application and use it to log in. 
I have created a video demonstration of the vulnerability and uploaded it to my Google Drive. Yes, you are correct. I got time to rethink how to bypass this thing, and here I read my friend Sayed's post (he is a great hacker, btw; follow him for nice write-ups), so I did the same and I got an idea to bypass it XD. OAuth Misconfiguration, Open Redirect, Open URL Redirection. The initial request was See how I found an OAuth misconfiguration escalated to pre-authentication account takeover without Burp Suite or any other tool. First of all, thanks to Midhun S for giving this wonderful site for testing and support. The steps below will guide you through the necessary process of fixing this vulnerability in your application. By doing so, it is possible to remove the attacker's persistence. Don't be random; try to understand what is happening, not just reading a lot of write-ups and doing the same as the write-ups say. Because the server name in the changed URL is the same as the original site's, phishing efforts may look more trustworthy. In most cases, the payload of a JWT is encoded as a JSON object and is easily readable or modifiable by anyone with access to the token. Sometimes they need to complete the development in a short time, so they have not checked security in depth, and sometimes the developer doesn't know much about security vulnerabilities. Any OAuth 2.0 misconfiguration leads to an account takeover. 
You can see that there are two methods to log in and register the account. So here I already created an account with the victim's mail; when the victim logged in to this account using Continue with Google, the email verification was bypassed. Register endpoint: https://target-website.com/register# 2. When I started bug bounty I didn't really spend much time on reconnaissance, but later I realized the importance of reconnaissance.