Forced OAuth profile linking

Description

This lab gives you the option to attach a social media profile to your account so that you can log in via OAuth instead of using the normal username and password. Due to the insecure implementation of the OAuth flow by the client application, an attacker can manipulate this functionality to obtain access to other users’ accounts.

Reproduction and proof of concept

  1. While proxying traffic through Burp, click My account. You are taken to a normal login page, but notice that there is an option to log in using your social media profile instead. For now, just log in to the blog website directly using the classic login form (wiener:peter).

  2. Notice that you have the option to attach your social media profile to your existing account.

  3. Click Attach a social profile. You are redirected to the social media website, where you should log in using your social media credentials (Social media profile: peter.wiener:hotdog) to complete the OAuth flow. Afterwards, you will be redirected back to the blog website.

  4. Log out and then click My account to go back to the login page. This time, choose the Log in with social media option. You are logged in instantly via your newly linked social media account.

  5. In the proxy history, study the series of requests for attaching a social profile. In the GET /auth?client_id[...] request, observe that the redirect_uri for this functionality sends the authorisation code to /oauth-linking. Importantly, notice that the request does not include a state parameter to protect against CSRF attacks.

  6. Turn on proxy interception and select the Attach a social profile option again.

  7. Go to Burp Proxy and forward any requests until you have intercepted the one for GET /oauth-linking?code=[...]. Right-click on this request and select Copy URL.

https://0acc00800434bb1ec2185295009d00d1.web-security-academy.net/oauth-linking?code=QIKelR_bOjRU_S54zZKLI7Lmf3wWMVMzp9JWicrlkps
  1. Drop the request. This is important to ensure that the code is not used and, therefore, remains valid.

  2. Turn off proxy interception and log out of the blog website.

  3. Go to the exploit server and create an iframe in which the src attribute points to the URL you just copied. The result should look something like this:

<iframe src="https://0acc00800434bb1ec2185295009d00d1.web-security-academy.net/oauth-linking?code=QIKelR_bOjRU_S54zZKLI7Lmf3wWMVMzp9JWicrlkps"></iframe>
  1. Deliver the exploit to the victim. When their browser loads the iframe, it will complete the OAuth flow using the social media profile, attaching it to the admin account on the blog website.

  2. Go back to the blog website and select the Log in with social media option again. Observe that you are instantly logged in as the admin user. Go to the admin panel and delete Carlos.

Exploitability

An attacker will need to log in; and then use a CSRF attack to attach their own social media profile to the admin user’s account on the blog website, then access the admin panel and delete Carlos.

The admin user will open anything sent from the exploit server, and always has an active session on the blog website.