In this blog, I am going to explain how OAuth 2.0 works and what vulnerabilities can be raised if it is implemented incorrectly.
INTRODUCTION:
Hi my name is Hashar Mujahid. I’m a cybersecurity learner and today I will explain what and how OAuth 2.0 works and can be exploited.
WHAT IS OAUTH 2.0?
OAuth 2.0 (Open Authorization) is a protocol that allows a website or application to access resources hosted by other web apps on a user’s behalf. The old implementation of OAuth was 1.0. OAuth provides restricted access to the application of the user’s resources to operate.
OAuth 2.0 IMPLEMENTATIONS :
Whenever you visit a web application you will see a button on the signup page to signup with google, Facebook, and GitHub This provides the application with the ability to access some resources like your username, email, and necessary information to automatically complete the signup process.
HOW DOES IT WORK?
We have all heard about API keys. OAuth also uses similar access tokens. These access tokens validate the user’s identity and interact with the resource server to fetch the needed data. In simple terms,
Access tokens are used by applications to make API requests on behalf of users.
There is another token named as a refresh token. Its purpose is to retrieve a new access token from the resource server. It is mostly sent together with the old access token and retrieves a new one.
INFORMATION FLOW DURING OAUTH 2.0?
This process is not as tricky as it looks to understand this process we must first understand the roles or participants in this whole process.
Step 1:
The first request is made by the client application (the website where you want to sign on with OAuth functionality) requests an authorization request to access service resources from the resource owner (the user who authorizes an application to access their account). If a user allows this authorization request an authorization grant is given to the client application.
Step 2:
The Client application then sends a request to the Authorization server (the authorization server validates the user’s identification before issuing access tokens to the application) with proof of its own identity and the authorization grant issued by the user. The Authorization server then validates the application identity and the authorization grant given by the user and issues an access token.
Step 3:
Now the client application has an access token by which it can interact with the resources server’s API (the resource server is where the secured user accounts are kept) and request the limited data of the user and complete the signup process.
Easy Wasn’t it? ;-)
We now have a brief understanding Now we can see how to exploit the OAUTH 2.0 and how those vulnerabilities arrises.
HOW DO OAUTH2.0 AUTHENTICATION VULNERABILITIES ARISE?
OAuth authentication flaws occur partly because the OAuth specification is intentionally ambiguous and flexible. While some components are essential for the fundamental operation of each grant type, the great rest of the implementation is entirely optional.
This includes several configuration options that are required to keep users’ data safe. In short, there’s lots of room for misconduct to step in.
Another significant concern with OAuth is the overall absence of built-in security mechanisms.
The security is almost completely dependent on developers utilizing the proper configuration parameters and adding their own extra security mechanisms on top, such as strong input validation. As you’ve already guessed, there’s a lot to remember, and it’s simple to get it wrong if you’re unfamiliar with OAuth.
EXPLOITATION:
There are many ways to exploit the OAUTH 2.0 standard but today we are going to only see one. I will explain more methods in upcoming parts of this series.
Lab: Authentication bypass via OAuth implicit flow
OBJECTIVE:
This lab uses an OAuth service to allow users to log in with their social media account. Flawed validation by the client application makes it possible for an attacker to log in to other users’ accounts without knowing their password.
To solve the lab, log in to Carlos’s account. His email address is [email protected]
.
You can log in with your own social media account using the following credentials: wiener:peter
.
Solution:
Let's access the lab we can see we have the login option. When we click on the login we can see we are redirected to login with your social media account.
We can see the client application wants to access these two pieces of information to complete the login.
We can see how the access token is passed to approve my login.
We just need to change the email address and the user name to the Carlos's email and username and send the request
The application does not check for the access token if it belongs to Carlos unless it is not a valid one and generates a session for carlos.
Now copy this session and change the value of the current session to this one.
Reload the page.
Our Lab is solved.
I will post more labs and challenges in the upcoming days if you want to get notified consider following me ❤.
Till The Next Time! Happy Learning❤
From Infosec Writeups: A lot is coming up in the Infosec every day that it’s hard to keep up with. Join our weekly newsletter to get all the latest Infosec trends in the form of 5 articles, 4 Threads, 3 videos, 2 Github Repos and tools, and 1 job alert for FREE!