You can then access the victim's account with the password you set during the attacker phase.

Token stealing. Main goal: steal the application's access token and use it to log in.

I created an account using the victim's mail, did not complete the email confirmation, and logged into the Red Bull account. A confirmation email was sent to the registered email address (the victim's mail). So the vulnerability here is bypassing the email verification. There is a limitation that requires a validated email before going through the OAuth flow, but it is bypassable.

OAuth misconfiguration leads to complete account takeover. Hello guys.

Further, by ensuring that social logins are correctly implemented, the email extracted from the social login is verified against the existing users database, to ensure that it really was the victim who asked to reset the password.

The claims in a JWT are contained in the payload and are a set of name-value pairs that convey information about an entity, such as the user or system.

AWS bucket misconfiguration.

After pressing Accept, the SDK loads and the flaw starts.

References: https://example/oauthCallBack?code={code}&cid={id, https://javascript.info/cross-window-communication, https://vinothkumar.me/20000-facebook-dom-xss/, https://opnsec.com/2020/05/dom-xss-in-gmail-with-a-little-help-from-chrome/, https://portswigger.net/web-security/oauth.

P2 vulnerability: account takeover using OAuth misconfiguration. This article has helped you understand OAuth vulnerabilities.

Victim end: the victim receives an email notification for account verification (or similar) from https://cal.com/ and checks it out.

OAuth 2.0 is widely used by applications (such as SaaS platforms) to access data that is already available on the Internet.

...which is the victim's account on https://www.redacted.com/. Go to the settings page where you can link a social account.
It verifies a user's identity to the website that requested it without giving the website the user's password.

Both the header and payload in a JSON Web Token (JWT) are JSON objects that contain information about the token.

This is a write-up of a chain of vulnerabilities (OAuth misconfiguration, CSRF, XSS, and weak CSP) that allowed me to take over a user account using a single interaction.

This shows that on the attacker's end the attacker can log in with the victim's email address and the password the attacker set, while on the victim's end the victim can log in through Google OAuth SSO.

Vulnerability in OAuth flow leads to takeover of victim account.

By referring users to a malicious site, this vulnerability might be leveraged as part of a phishing scheme.

Implement the following to mitigate or fix the vulnerability:

The blog addresses the essential issue with OAuth 2.0 misconfiguration: the general absence of built-in security features in the protocol itself.

Thus, the victim is not required to set a password.

An attacker can take over the victim's account and compromise the system. Now you have access to the victim's account through the email ID and the password you set.

This is the value from the redirectUrl parameter shown earlier in the initial request.

The link for the video is provided below for your review: https://drive.google.com/file/d/15rHB1CNK1AvmtCL6eS7wXEA98wzEuql9/view?usp=sharing

Response Manipulation to Account Takeover | by Swapmaurya | Medium

Thanks to Jackson KV for the awesome discovery and for putting it into a nice blog post.

As you can see, there is no CSRF token. If the application fails to use a CSRF token (the OAuth state parameter), an attacker could hijack a victim user's account on the client application by binding it to the attacker's own social media account.
OAuth to Account takeover - HackTricks

Since there is no email confirmation, an attacker can easily create an account in the application using the victim's email.

After plenty of duplicates and not-applicables on bug bounty platforms, I decided to hunt on RVDP programs where there is less competition.

Hence the system and organization remain safe.

An example token (the three base64url parts header.payload.signature, separated by dots; the header decodes to {"alg":"HS256","typ":"JWT"} and the payload to {"sub":"1234567890","name":"John Doe","iat":1516239022}):
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5ci

This means users can fine-tune which data they want to share rather than having to hand over full

Do not use common or guessable secrets when using the HS256 signing algorithm; an attacker who brute-forces the secret can mint valid tokens at will.

Ensure that all possible test cases for JSON Web Token misconfiguration are covered before deploying JWTs, such as lack of encryption, a weak secret key, lack of expiration, lack of validation, lack of rate limiting, lack of input validation, and lack of proper error handling, to avoid exposure to these attacks.

GET /auth/facebook/callback?code=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX HTTP/1.1

Security is almost entirely dependent on developers using the proper configuration settings and implementing additional safeguards, such as a robust authentication mechanism.

I got a thorough understanding of the behaviour of the web apps through reconnaissance and some low-hanging bugs.

In short, OAuth is a one-click process that lets end users (and security researchers) sign up easily.

Account Takeover and Persistence due to the OAuth Misconfiguration.

The signature is produced by running a cryptographic algorithm over the encoded header and payload: for HS256 this is an HMAC-SHA256 keyed with the shared secret, for RS256 or ES256 it is a digital signature made with the private key. The server recomputes the same value and compares it with the signature it received.
OAuth misconfiguration leads to complete account takeover. The initial request was:

Now open the poc.html page in the browser and click the submit button. The Facebook account is now linked with the victim's account on https://www.redacted.com. Log out of the application and try to log in from your social account: you are logged into the victim's account.

The page then redirected me to https://app.victim.com/dashboard using window.location.replace.

See how I found an OAuth misconfiguration and escalated it to a pre-authentication account takeover without Burp Suite or any other tool.

Viewing my profile page, the social account was not there, so I started to do some analysis to understand what was going on. The first thing I do in my debugging process is log all the communication between the windows using a simple extension; you can install this Chrome extension. My console was full of data; after some filtering I found this flaw. First, when I click the link button, a postMessage with a click event is sent.

These tokens were being stored in the browser's Session Storage using JavaScript, as shown below:

There are two different ways to perform this attack.

Avoid using redirects and forwards based on user-provided input.

Click on the attack, choose the "none" signature algorithm, and send the token to the server. But the server is not actually computing the signature and validating it.
JSON Web Token Misconfiguration Leads to Account Takeover - Penetration Testing and CyberSecurity Solution - SecureLayer7, January 3, 2023

JSON Web Tokens (JWTs) are a standard for representing claims securely between two parties.

For example, https://www.redacted.com/ is the application.

Security Engineer | CTF Player at TamilCTF.

Use Burp Suite, an all-in-one tool for penetration testing.

How to bypass: you can see that there are two methods to log in and register an account. I had already created an account with the victim's mail; when the victim logs into this account using "continue with Google", the email verification is bypassed.

It should be noted that JSON Web Token misconfiguration leads to account takeover.

Try to create a new account using the victim's email address. This may lead to OAuth token stealing if the token is returned along with the callback request.

While doing some research on https://cal.com/, I was able to find a pre-account takeover vulnerability.

If the application does not require email verification on account creation, try creating an account with a victim's email address and the attacker's password before the victim has registered.

JWTs are used for a variety of purposes, including authentication and authorization.

When an attacker logs in with his own credentials, he intercepts the login request, then intercepts the response to the login request and edits the session and oauth_token values with the

Now change that to the victim's username, for example an administrator.

It can also potentially affect end users who rely on the security provided by JWT in their interactions with an affected organization or system.

OAuth Misconfiguration Leads to Full Account Takeover
OAuth authentication vulnerabilities arise partly because the OAuth specification is relatively vague and flexible by design.

Implement JWT validation properly so the server rejects any token whose header specifies alg: none, or any algorithm other than the one the server expects.

After so many months, I am back with a write-up of an interesting vulnerability I found in Red Bull two days ago, but it was a duplicate.

An attacker can exploit this misconfiguration to forge a modified access token, which can lead to an account takeover of any user by manipulating the token.

OAuth Misconfiguration Leads to Pre Account Takeover

GET /v3.1/dialog/oauth?response_type=code&redirect_uri=https%3A%2F%2Fredacted.com%2Fauth%2Ffacebook%2Fcallback&scope=email%2Cpublic_profile&client_id=00000000000 HTTP/1.1
Host: www.facebook.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://redacted.com/profile
Cookie: fr=0rqajcCy4gEh2nJvS.redactedPv2OYVcelE.AWVp7-tG; sb=OQwFXNTRCDFUcookieLIw0; datr=OQwFXBW2scookieSe4q; wd=1366XXXXX657; locale=en_GB; c_u
Connection: close

An attacker gives himself high privileges on the system or application that are not granted to regular users, such as admin privileges.

When I saw this request I felt there was something interesting here, because there is no state parameter, which means it may be vulnerable to a CSRF attack.

You change the payload like here; the sub is the username.

Both the header and payload are encoded as base64url strings and are separated by a period (.).

I reported bugs and got some thank-you mails and a few hall of fame entries for securing the application.

Thank you all for reading, and I hope you find it useful.
SecurityExplained/account-takeovers-methodology.md at main - GitHub

Misconfigurations in JWT tokens are a common problem.

I found that example.com had a sign-up method using

This is my first blog based on a security vulnerability that I identified during my exam study leave.

Just a click, and all the customers and products get deleted!

There will be an option for linking the redacted.com account to Facebook or Google. This makes it easy to log into the redacted account using the OAuth functionality.

It's me, Jackson.

An attacker can successfully conduct a phishing scheme and steal user credentials by changing untrusted URL input to point to a malicious site.

That's the issue, and it shows the account takeover.

They are often used in modern web applications to transmit information between the client and the server securely.

Now I just opened the HTML page in a new tab and clicked the submit button. Yes! I got it.

Let's start with aquatone, a subdomain enumeration tool. After running that tool I got some subdomains, then ran tools like Lazyrecon, EyeWitness, nmap, dirsearch, advanced Google dorks, Wappalyzer and some scripts, and so we got a target website.

Depending on the server's logic, there are several techniques to bypass a redirect_url check.

The connect-src Content Security Policy (CSP) directive restricts the origins that the browser's request mechanisms (fetch, XMLHttpRequest, WebSocket, EventSource and beacons) are allowed to connect to.

If the victim has admin-level privileges, it leads to sensitive information disclosure in the organization.

The signature is directly derived from the header and payload of the JWT, and any change to a single byte of the header or payload will result in a mismatched signature.

This includes, for example, your Google contacts list, your Facebook friend list, and so on.

On the attacker's end, the attacker has the victim's email ID and a password to log in on https://cal.com/.
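As an added example that is not part of any of the write-ups collected on this page, the Python below shows why those "several techniques to bypass a redirect_url" exist. It runs three validation strategies against the callback registered in the captured request (https://redacted.com/auth/facebook/callback): a substring check and a prefix check, both of which real servers have shipped, and a strict exact match against the registered allow-list. The attacker-controlled URLs are constructed for the example.

```python
from urllib.parse import urlparse

# Registered callback for the OAuth client, taken from the captured authorize request.
REGISTERED_REDIRECT_URIS = {"https://redacted.com/auth/facebook/callback"}
TRUSTED_ORIGIN = "https://redacted.com"

# Assumed attacker-controlled redirect_uri values, constructed for the example.
BYPASS_ATTEMPTS = [
    "https://attacker.example/?next=https://redacted.com",            # defeats a substring check
    "https://redacted.com.attacker.example/auth/facebook/callback",    # host extended past the prefix
    "https://redacted.com@attacker.example/auth/facebook/callback",    # trusted origin becomes userinfo
    "https://redacted.com/auth/facebook/callback/../../go?to=https://attacker.example",  # path traversal
    "https://redacted.com/auth/facebook/callback#",                     # fragment carried into the redirect
]


def weak_substring_check(redirect_uri: str) -> bool:
    """Vulnerable: only asks whether the trusted origin appears somewhere in the string."""
    return TRUSTED_ORIGIN in redirect_uri


def weak_prefix_check(redirect_uri: str) -> bool:
    """Vulnerable: a prefix match lets the attacker extend the host or the path."""
    return redirect_uri.startswith(TRUSTED_ORIGIN)


def strict_redirect_check(redirect_uri: str) -> bool:
    """Hardened: https only, no fragment, and a byte-exact match against the registered list."""
    parsed = urlparse(redirect_uri)
    if parsed.scheme != "https" or parsed.fragment or "#" in redirect_uri:
        return False
    return redirect_uri in REGISTERED_REDIRECT_URIS


def bypasses(check) -> list:
    """Return the attacker URLs that a given check wrongly accepts."""
    return [uri for uri in BYPASS_ATTEMPTS if check(uri)]


if __name__ == "__main__":
    for check in (weak_substring_check, weak_prefix_check, strict_redirect_check):
        print(f"{check.__name__}: accepts {len(bypasses(check))} attacker URL(s)")
```

The exact-match rule is what the authorization server should apply to redirect_uri at the authorize endpoint; normalising or partially matching the value is what creates the bypass classes above.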
These claims can include things like the user's identity, the expiration time of the token, and any other relevant information.

Let's look at the website https://www.redacted.com. The website looks like a normal site, nothing interesting on the homepage, so I went to the sign-up page and got a page like the one shown below.

I was successfully authenticated to Facebook, then I intercepted the callback from Facebook. When I saw the callback, I wondered: there is no state parameter, which means there is no protection from a CSRF attack, so let's exploit that.

Don't report the bug if you didn't try your best.

I have created a video demonstration of the vulnerability and uploaded it to my Google Drive.

While I was testing this target I wanted to test the OAuth flow, since it has a lot of misconfigurations that developers don't recognise. I found that the target allows users to log in either with a classic password-based mechanism or by linking their account to a social media profile using OAuth.

https://security.love/CSRF-PoC-Genorator/

Force all redirects to first go through a page notifying the user that they are leaving your site, and have them click a link to confirm.

If you have ever been asked by a web or mobile application to give permission to access your personal data, you have probably used OAuth 2.0.
Most security vulnerabilities arise due to incorrect implementation by the developer.

I created an account using my temporary mail, completed the email confirmation, and logged into my account.

For example, https://example.com is an application that has register and login functionality.

So the impact is that the application does not authenticate the real user, and attackers can easily take over the account.

One major similarity between the header and payload is that both are covered by the signature, so both are used when validating the authenticity and integrity of the token.

This is a pre-account takeover: an attacker will have access to the victim's account if they created it prior to the victim registering.

OAuth 2.0 is the industry-standard authorization protocol.

The header carries the algorithm used to sign the token and, where needed, an identifier for the key (kid); it never carries the secret or private key itself.

The thing that troubled me was the data exfiltration, because the connect-src directive only allowed certain domains to be connected to. In simple terms, this means I can't just make requests to my own server to receive the tokens.

If no validation is used, a malicious user may build a hyperlink that would take your users to an unvalidated harmful website, such as: The user sees the link going to the original trusted site (example.com) and is unaware of the possible redirection.
Whenever OAuth authentication is being used, the first thought crossing an attacker's mind is to check whether the application validates the value of redirectUrl.

3. Victim account takeover.

So I guess that this is what solves the problem.

So it seems that before the linking action is taken, something needs to load first. The first thing that came to mind was why the link was not working, so when I opened the link I dropped above I noticed an error in the console. So let's trace it; this video by STK will help you a lot. Opening the callback resolver, I found that the issue was in this line, so let's put some breakpoints to see why. As you can see, the problem is that settingsService.qsParams is undefined, so we cannot continue and the process stops.

If the victim has admin-level privileges, it leads to sensitive information disclosure of an organization or access to some critical infrastructure of the organization.

Admin panel takeover.

After registering and logging in, the server assigns a session token in JSON Web Token format.

The OAuth 2.0 protocol involves several parties:
- the user;
- the resource owner (which may be the user or an organization);
- the client (the third-party application);
- the authorization server (which issues access tokens).
The specification also names a resource server, which hosts the protected data and accepts the access tokens.

OAuth 2.0 is an authorization protocol and NOT an authentication protocol.

The payload contains the actual claims or data being transmitted within the token.

JWT vulnerabilities are present in many platforms and applications, possibly including your company's.

Then the victim can try to log in through Google OAuth SSO. What happens here is that the victim lands directly on the dashboard by using SSO.

So when the server receives the token, it can look up the key named by the kid parameter and verify the token's signature with that key.
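Added example, not taken from any of the write-ups on this page: a minimal user store in Python that reproduces the pre-account takeover described here (the attacker registers with the victim's email and never verifies it; the victim later signs in with Google SSO and lands in that account) next to the linking rule that prevents it. The account model, the ID-token claims and the Google subject value are assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Account:
    email: str
    password_hash: Optional[str]      # None for accounts created only through SSO
    email_verified: bool
    google_sub: Optional[str] = None  # Google's stable user id once linked


class UserStore:
    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}

    def register_with_password(self, email: str, password_hash: str) -> Account:
        # The vulnerable precondition: sign-up succeeds without confirming the address.
        acct = Account(email.lower(), password_hash, email_verified=False)
        self.accounts[acct.email] = acct
        return acct

    def find(self, email: str) -> Optional[Account]:
        return self.accounts.get(email.lower())


def sso_login_vulnerable(store: UserStore, id_token: dict) -> Account:
    """Links the Google identity to whatever account already owns that email address."""
    acct = store.find(id_token["email"])
    if acct is None:
        acct = Account(id_token["email"].lower(), None, email_verified=True)
        store.accounts[acct.email] = acct
    acct.google_sub = id_token["sub"]   # the attacker's password account is now also the victim's
    return acct


def sso_login_hardened(store: UserStore, id_token: dict) -> Account:
    """Only merges into an existing account when both sides have proven the address."""
    if not id_token.get("email_verified", False):
        raise PermissionError("identity provider did not verify the email")
    acct = store.find(id_token["email"])
    if acct is None:
        acct = Account(id_token["email"].lower(), None, email_verified=True, google_sub=id_token["sub"])
        store.accounts[acct.email] = acct
        return acct
    if acct.google_sub == id_token["sub"]:
        return acct                      # returning SSO user
    if not acct.email_verified:
        # Someone registered this address with a password but never proved ownership:
        # refuse to merge, and have the application discard or re-verify the placeholder.
        raise PermissionError("unverified pre-registered account; refusing to link")
    acct.google_sub = id_token["sub"]    # verified owner links SSO to their own account
    return acct


# Constructed ID-token claims as Google would assert them for the real victim.
VICTIM_CLAIMS = {"sub": "1076915035000615071", "email": "victim@example.com", "email_verified": True}
ATTACKER_HASH = "attacker-chosen-password-hash"


def run_preregistration_scenario(login) -> str:
    """Attacker pre-registers victim@example.com, then the victim signs in with Google."""
    store = UserStore()
    store.register_with_password("victim@example.com", ATTACKER_HASH)
    try:
        acct = login(store, VICTIM_CLAIMS)
    except PermissionError:
        return "rejected"
    # If the attacker's password still opens the account the victim just landed in,
    # the attacker keeps access: that is the pre-account takeover.
    return "taken over" if acct.password_hash == ATTACKER_HASH else "safe"


def run_verified_owner_scenario(login) -> str:
    """The legitimate owner registered, confirmed the email, and later links Google."""
    store = UserStore()
    acct = store.register_with_password("victim@example.com", "owner-password-hash")
    acct.email_verified = True
    linked = login(store, VICTIM_CLAIMS)
    return "linked" if linked.google_sub == VICTIM_CLAIMS["sub"] else "not linked"
```

The decisive check is the one on acct.email_verified: the provider asserting email_verified proves the SSO user owns the address, but it says nothing about who created the password-based record, so an unverified record must never be merged into.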
You can exploit a JSON Web Token misconfiguration with a "none" signature algorithm attack.

P2 Vulnerability - Account takeover using OAuth Misconfiguration, Vulnerability Category: A6 - Security Misconfiguration.

Integrating third-party OAuth providers is often left misconfigured by developers, which may lead to a bigger security impact such as account takeover.

Microweber CMS 1.2.15 - Account Takeover - PHP webapps Exploit
OAuth Misconfiguration | Working of OAuth | Types of - Medium

It allows them to easily grant their users access to particular resources as per the application's requirements.

Let's check who it affects.

When used in a JWS structure, the claims can be digitally signed or integrity protected with a Message Authentication Code (MAC).

An OAuth-based vulnerability is when the configuration of the OAuth service itself enables attackers to steal authorization associated with other users' accounts.

Check for standard cryptographic methods in use. Try to identify whether any known token generation library is used by the application.

First, clearly verify the email OTP or link, then give access to the dashboard.

In some cases the token may additionally be encrypted (JWE) so that its contents are confidential as well as integrity protected.

In most cases the payload of a JWT is a base64url-encoded JSON object that is easily readable by anyone with access to the token; nothing stops them modifying it either, and only the signature check on the server detects the modification.

For bugs related to the Pocket API and getpocket.com website,

OAuth Misconfiguration Leads to Pre Account Takeover: after signing up or creating an account, log out.

You can use the JWT Editor Burp Suite extension.

[Case Study] OAuth Misconfiguration leads to Account Takeover

Now there will be a Facebook page popup for authentication.
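The following Python is an added example, not code from any of the posts on this page, that ties together the JWT points made above: the signature is an HMAC over header.payload, the alg in the header must not be trusted, the kid must resolve only against a server-side key store, and exp must be enforced. It implements a signer, the attacker's alg=none forgery, a verifier with the flaw described above (it never computes a signature when the header says none, and never checks expiry) and a hardened verifier. The key material and claims are assumed values.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Assumed server-side key store, looked up by the kid header (never by a client-supplied path).
KEYS = {"k1": b"assumed-long-random-secret-for-the-example-0001"}


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, kid: str = "k1", key: Optional[bytes] = None) -> str:
    """header.payload.signature with HMAC-SHA256; `key` overrides the store (used by the attacker)."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = b64url_encode(json.dumps(header).encode()) + "." + b64url_encode(json.dumps(claims).encode())
    mac = hmac.new(key if key is not None else KEYS[kid], signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(mac)


def make_token(sub: str, ttl: int = 3600) -> str:
    """Session token as the server would issue it after login."""
    return sign_hs256({"sub": sub, "exp": int(time.time()) + ttl})


def forge_none(token: str, **new_claims) -> str:
    """Attacker: keep the payload, change claims, set alg=none, drop the signature."""
    _, payload_b64, _ = token.split(".")
    claims = json.loads(b64url_decode(payload_b64))
    claims.update(new_claims)
    header = {"alg": "none", "typ": "JWT"}
    return b64url_encode(json.dumps(header).encode()) + "." + b64url_encode(json.dumps(claims).encode()) + "."


def verify_vulnerable(token: str) -> dict:
    """Lets the token choose its own algorithm: alg=none means 'nothing to check'."""
    h, p, s = token.split(".")
    header = json.loads(b64url_decode(h))
    if header.get("alg", "").lower() == "none":
        return json.loads(b64url_decode(p))          # accepted without any signature
    mac = hmac.new(KEYS[header.get("kid", "k1")], f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, b64url_decode(s)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(p))              # no expiry check either


def verify_hardened(token: str) -> dict:
    """Pins the algorithm, resolves kid against the store only, checks signature, then exp."""
    h, p, s = token.split(".")
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "HS256":                  # server decides the algorithm, not the token
        raise ValueError("unexpected alg")
    key = KEYS.get(header.get("kid"))
    if key is None:
        raise ValueError("unknown kid")
    mac = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= time.time():
        raise ValueError("expired or missing exp")
    return claims


def accepts(verifier, token: str) -> bool:
    """True when the verifier returns claims instead of rejecting the token."""
    try:
        verifier(token)
        return True
    except (ValueError, KeyError):
        return False


if __name__ == "__main__":
    legit = make_token("alice")
    forged = forge_none(legit, sub="admin")
    print("vulnerable accepts forged token:", accepts(verify_vulnerable, forged))
    print("hardened accepts forged token:", accepts(verify_hardened, forged))
```

With a library such as PyJWT the equivalent of verify_hardened is passing an explicit algorithms=["HS256"] list and never deriving the key from anything in the header that is not a lookup into your own key set.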
I started looking for bugs in the OAuth implementation and quickly found that the state parameter was missing.

OAuth Flaw in Expo Platform Affects Hundreds of Third-Party Sites, Apps

OAuth Misconfiguration - Findings 1.

The header in a JWT defines which algorithm was used to sign the token.

Check for token randomness.

Use the JWT Editor to inspect and modify the header.

Enable the issuing server to revoke tokens on logout and after a set amount of time.

Nothing. I was like, What?!

Register to the application using an email account and complete the registration process. Observe whether the application supports OAuth service providers like Facebook and Google that let you link your social accounts to your account on https://www.redacted.com/. Intercept the application's traffic with Burp Suite and click the Facebook icon to link a social account to the account on https://www.redacted.com/. Observe the request and look for whether the state parameter is implemented. If the state parameter is not there, the flow is vulnerable to a CSRF attack. Once you have successfully authenticated, intercept the callback request from Facebook, which looks like the one below. Generate a CSRF PoC for this request and save it as poc.html.

The header typically contains information about the algorithm used to sign the token and the type of token it is (e.g., JWT).

Here's how that would have looked:

Feb 13, 2021. Hi everyone, my name is Yasser (AKA Neroli in CTFs) and I wanted to share this finding with you :) Since it's a private program on Bugcrowd I will call it example.com. Let's start. Let's call it https://victim.com.

The cryptographic signature is created by signing the JWT with a secret key (HMAC) or with the private half of a public/private key pair.
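This added example (not from the write-up) shows in Python what the missing state parameter costs. It models the client's two endpoints from the captured requests, the redirect to https://www.facebook.com/v3.1/dialog/oauth and the /auth/facebook/callback handler, with an in-memory session and a stub code exchange. Without state, the victim's browser, sent to the callback by the attacker's poc.html with the attacker's own authorization code, links the attacker's Facebook identity to the victim's account; with a per-session state that the callback checks, the same request is refused. The client_id and redirect_uri are the values from the captured request; the session dictionaries, the authorization codes and the Facebook ids are constructed.

```python
import hmac
import secrets
from typing import Callable, Dict, Optional
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_ENDPOINT = "https://www.facebook.com/v3.1/dialog/oauth"
CLIENT_ID = "00000000000"
REDIRECT_URI = "https://redacted.com/auth/facebook/callback"

# Constructed stand-in for the code-for-identity exchange the client performs with Facebook.
# The attacker obtained "CODE-ATTACKER" by completing the OAuth dance with their own account.
CODE_EXCHANGE: Dict[str, str] = {"CODE-ATTACKER": "fb-id-attacker", "CODE-VICTIM": "fb-id-victim"}


def exchange_code(code: str) -> str:
    return CODE_EXCHANGE[code]   # a real client would get an error for an invalid or reused code


def authorize_url_vulnerable(session: dict) -> str:
    """Exactly the captured request: no state, so nothing ties the callback to this session."""
    params = {"response_type": "code", "client_id": CLIENT_ID,
              "redirect_uri": REDIRECT_URI, "scope": "email,public_profile"}
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def authorize_url_hardened(session: dict) -> str:
    """Same request plus an unguessable state stored in the server-side session."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    params = {"response_type": "code", "client_id": CLIENT_ID,
              "redirect_uri": REDIRECT_URI, "scope": "email,public_profile", "state": state}
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def link_callback_vulnerable(session: dict, callback_url: str) -> str:
    """Links whatever identity the code resolves to, to whoever is logged in."""
    query = parse_qs(urlparse(callback_url).query)
    session["linked_facebook_id"] = exchange_code(query["code"][0])
    return session["linked_facebook_id"]


def link_callback_hardened(session: dict, callback_url: str) -> str:
    """Refuses unless the callback carries the state this session generated (single use)."""
    query = parse_qs(urlparse(callback_url).query)
    expected = session.pop("oauth_state", None)
    received = query.get("state", [""])[0]
    if not expected or not received or not hmac.compare_digest(expected.encode(), received.encode()):
        raise PermissionError("missing or mismatched state: flow was not started by this session")
    session["linked_facebook_id"] = exchange_code(query["code"][0])
    return session["linked_facebook_id"]


def csrf_link_attempt(callback: Callable[[dict, str], str]) -> Optional[str]:
    """The logged-in victim loads the attacker's poc.html, which submits the attacker's callback URL."""
    victim_session = {"user": "victim"}
    forged = f"{REDIRECT_URI}?code=CODE-ATTACKER"    # no state: the attacker cannot know the victim's
    try:
        return callback(victim_session, forged)
    except PermissionError:
        return None


def legitimate_link(authorize_url: Callable[[dict], str], callback: Callable[[dict, str], str]) -> str:
    """The victim starts the flow themselves and Facebook redirects back with their own code."""
    session = {"user": "victim"}
    start = parse_qs(urlparse(authorize_url(session)).query)
    params = {"code": "CODE-VICTIM"}
    if "state" in start:
        params["state"] = start["state"][0]          # the provider echoes state back unchanged
    return callback(session, f"{REDIRECT_URI}?{urlencode(params)}")
```

The state value must be unguessable, bound to the browser session (or to a cookie the callback compares against), and consumed on first use; PKCE on the token exchange is the complementary control for clients that cannot keep a session.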
So I modified my payload to close the existing script tag to check whether injecting scripts was possible or not. Since the same account was used on both the attacker's end and the victim's end,