Cheatsheet : Open Authentication - oAuth

Hey guys! I hope you are all doing well. So today we're going to discuss OAuth and its bad implementations :)



- What is OAuth?

- OAuth 2 is an authorization framework that enables applications to obtain limited access to user accounts on an HTTP service, such as Facebook, GitHub, and DigitalOcean. It works by delegating user authentication to the service that hosts the user account, and authorizing third-party applications to access the user account. OAuth 2 provides authorization flows for web and desktop applications, and mobile devices.

Visit https://www.digitalocean.com/community/tutorials/an-introduction-to-oauth-2 (a must read) and learn how OAuth works before you start testing it :)


What are the common bugs found in OAuth implementations?

- XSS
- Redirect URL bypass
- CSRF
- ClickJacking 


1 - XSS 


It is possible to get both reflected and stored XSS through OAuth in your target's developer portal :-)
Let's discuss how. Sometimes the value for "redirect url" is filtered to allow http(s) links only, so you fail to add javascript:alert(10) as the redirect URL, but this can be bypassed if the value is not validated properly.

Payload : javascript://https://attacker.com/?z=%0Aalert(1)

Description :
As mentioned in a previous post:
javascript:              - JavaScript's pseudo protocol/scheme
//                       - Begins a single-line comment in JS
https://attacker.com/?z= - The comment itself (the previous post used https://google.com/?aaaa here)
%0a                      - Initiates a new line, which ends the single-line comment
alert(1)                 - A valid predefined JavaScript function

This tricks the URL validation into accepting the value as a redirect URL, so now you can use

https://app.target.com/v1/oauth/authorize?response_type=code&client_id=xxxxxx-xxxxx
&redirect_uri=javascript://https://attacker.com/?z=%0Aalert(1)&scope=read write&state=kkkk

And boom, XSS fires after the client app is granted access. But wait, the more dangerous thing you can do here is steal the access token issued by the Authorization Server. :)

There is another way to get XSS, using a data URI.
You can try data:text/html;base64,PHNjcmlwdD5hbGVydCgiWFNTIik8L3NjcmlwdD4= as the redirect URL value :) it may work too.

http://www.paulosyibelo.com/2016/08/instagram-stored-oauth-xss.html (His blog is awesome ;) )

2 - Redirect URL bypass

Now this one is really vast. What if you can bypass the redirect URL set by the developer? That would be awesome because you can again steal the access token ;)

If http://example.com is the redirect URL set by the developer, you can bypass it when the OAuth implementation is not configured to guard against these bypasses.
Some of the good bypasses are the following:

Source : http://nbsriharsha.blogspot.in/2016/04/oauth-20-redirection-bypass-cheat-sheet.html
  • http://example.com%2f%2f.victim.com
  • http://example.com%5c%5c.victim.com
  • http://example.com%3F.victim.com
  • http://example.com%23.victim.com
  • http://victim.com:80%40example.com
  • http://victim.com%2eexample.com

Must read : http://www.nirgoldshlager.com/2013/02/how-i-hacked-facebook-oauth-to-get-full.html (Awesome)

Another must read : http://www.nirgoldshlager.com/2013/03/how-i-hacked-any-facebook-accountagain.html (Mind blown)
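Both the javascript:/data: tricks from section 1 and the host-confusion payloads above are defeated by the same server-side control: the authorization server must compare redirect_uri as an exact string against what the developer registered and must never accept a non-web scheme. The Python below is an added example written for this post, not the post's own code or any library's; the client id, the registered URI and the registration store are constructed sample data, and the probe list is built from the payloads quoted above so you can see which check rejects each one.

```python
"""Exact-match redirect_uri validation for an OAuth 2.0 authorization server.

Added example, not code from the original post.  REGISTERED_REDIRECT_URIS is
an assumed stand-in for the server's client registration store; the client id
and URIs in it are constructed sample data.
"""
from urllib.parse import urlsplit

# Constructed sample registration: what the developer registered for the client.
# The post uses http://example.com as the registered URL; production clients
# should register https URLs only.
REGISTERED_REDIRECT_URIS = {
    "client-123": {"http://example.com/callback"},
}

# Only web schemes may ever be a redirect target.  javascript: and data: values
# are rejected here, before any string comparison happens.
ALLOWED_SCHEMES = {"http", "https"}


def check_redirect_uri(client_id, redirect_uri):
    """Return (accepted, reason).  The reason is intended for server-side
    logging so that probing with bypass payloads shows up in the auth logs."""
    registered = REGISTERED_REDIRECT_URIS.get(client_id, set())

    # Raw control characters or HTML/quote characters never belong in a
    # redirect target; refuse before parsing anything.
    if any(ord(ch) < 0x20 or ch in " <>\"'" for ch in redirect_uri):
        return False, "bad-character"

    parts = urlsplit(redirect_uri)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, "scheme-not-allowed:" + scheme

    # RFC 6749 section 3.1.2.2 / RFC 8252 section 8.2: compare the full string,
    # not a prefix and not the host on its own.  %2f, %5c, %3f, %23, %40 and
    # %2e are never decoded by this comparison, so they stay literal and the
    # lookup fails.
    if redirect_uri not in registered:
        return False, "not-registered"
    return True, "ok"


def audit_payloads(client_id, candidates):
    """Run candidate redirect_uri values through the check and return those
    that were accepted; handy as a regression test for the validator."""
    return [uri for uri in candidates if check_redirect_uri(client_id, uri)[0]]


# Constructed probe list: the payloads quoted in the post plus the one
# legitimately registered URI.
PROBES = [
    "javascript://https://attacker.com/?z=%0Aalert(1)",
    "data:text/html;base64,PHNjcmlwdD5hbGVydCgiWFNTIik8L3NjcmlwdD4=",
    "http://example.com%2f%2f.victim.com",
    "http://example.com%5c%5c.victim.com",
    "http://example.com%3F.victim.com",
    "http://example.com%23.victim.com",
    "http://victim.com:80%40example.com",
    "http://victim.com%2eexample.com",
    "http://example.com/callback",
]

if __name__ == "__main__":
    for uri in PROBES:
        accepted, reason = check_redirect_uri("client-123", uri)
        print("%-5s %-28s %s" % (accepted, reason, uri))
```

Running it prints one line per probe; only the registered URI comes back accepted, the two script-scheme payloads fail on the scheme check, and every percent-encoded host trick fails on the exact-match lookup. Logging the reason string is the detection side of this: repeated "not-registered" or "scheme-not-allowed" rejections for one client id are a clear signal that someone is probing the redirect validation.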

3 - CSRF 

The client app approval page, where you grant access to a client app, is sometimes vulnerable to CSRF, which an attacker can use to force a victim into approving the attacker's app with some dangerous scope access.

4 - ClickJacking

The client app approval page, where you grant access to a client app, is sometimes vulnerable to ClickJacking, which an attacker can use to trick a victim into approving the attacker's app with some dangerous scope access. Recently 2 of my bugs got validated exactly like this ;)
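Both the CSRF and the ClickJacking issue above live in the same place, the client app approval page, and the fixes are the same two things: a per-session anti-CSRF token that the approval POST must echo back, and anti-framing headers so the Approve button cannot be rendered inside an attacker's iframe. The Python below is an added example, not the post's code; it models the consent step as two plain functions with a dict standing in for the server-side session, and the client registry, client id, server origin and route names are constructed assumptions.

```python
"""Consent (app-approval) page hardening against CSRF and clickjacking.

Added example, not code from the original post.  The session is a plain dict
standing in for whatever server-side session store the authorization server
uses; CLIENTS, AUTH_SERVER_ORIGIN and the route paths are assumptions.
"""
import hmac
import secrets
from html import escape

# Constructed client registry: the name shown to the user and the scopes the
# client was registered for.  A consent request may never exceed these.
CLIENTS = {"client-123": {"name": "Example Reader", "scopes": {"read", "write"}}}
AUTH_SERVER_ORIGIN = "https://app.target.example"   # assumed origin

# Headers every consent page must carry.  Both anti-framing headers are set so
# that old browsers (X-Frame-Options) and modern ones (frame-ancestors) refuse
# to render the Approve button inside a third-party iframe.
ANTI_FRAMING_HEADERS = {
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "frame-ancestors 'none'",
    "Cache-Control": "no-store",
}


def render_consent_page(session, client_id, scope, state):
    """GET /authorize: mint a per-session CSRF token, bind the pending request
    to the session, and embed the token in the form.  Returns (headers, html)."""
    client = CLIENTS[client_id]
    requested = set(scope.split())
    if not requested <= client["scopes"]:
        raise ValueError("client requested a scope it is not registered for")
    token = secrets.token_urlsafe(32)
    session["consent_csrf"] = token
    session["consent_request"] = {"client_id": client_id, "scope": scope, "state": state}
    html = (
        "<form method='post' action='/authorize/approve'>"
        "<p>%s is requesting access: %s</p>" % (escape(client["name"]), escape(scope))
        + "<input type='hidden' name='csrf' value='%s'>" % escape(token)
        + "<button name='decision' value='approve'>Approve</button>"
        "<button name='decision' value='deny'>Deny</button></form>"
    )
    return dict(ANTI_FRAMING_HEADERS), html


def handle_approval(session, form, origin=None):
    """POST /authorize/approve: honour the approval only when the submitted
    token matches the one minted for this session.  A cross-site form post
    forged by an attacker cannot read that token, so it fails here.
    Returns (approved, reason, pending_request)."""
    # Browsers send Origin on cross-site POSTs; anything not ours is refused
    # before the session is touched.
    if origin is not None and origin != AUTH_SERVER_ORIGIN:
        return False, "cross-site-origin", None
    expected = session.pop("consent_csrf", None)        # single use
    request = session.pop("consent_request", None)
    if expected is None or request is None:
        return False, "no-pending-consent", None
    submitted = form.get("csrf", "")
    if not hmac.compare_digest(expected.encode(), submitted.encode()):
        return False, "csrf-token-mismatch", None
    if form.get("decision") != "approve":
        return False, "user-denied", request
    return True, "approved", request


if __name__ == "__main__":
    session = {}
    headers, page = render_consent_page(session, "client-123", "read write", "kkkk")
    print(headers)
    # A forged cross-site POST carries no valid token and is rejected.
    print(handle_approval(dict(session), {"decision": "approve"}))
    # The real form submission carries the token and is accepted once.
    print(handle_approval(session, {"csrf": session["consent_csrf"], "decision": "approve"}))
```

The token is popped from the session on use, so a captured form cannot be replayed, and the scope check in render_consent_page refuses a consent request for scopes the client never registered, which closes off the "dangerous scope" angle even when the user is tricked into clicking. The `state` value is carried through untouched because it belongs to the client's own CSRF defence on the callback side, not the server's.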

These are just some common issues; there are many more issues in OAuth implementations. Find them :D and make money ;)

