Hello Amazing People,
My name is Manan Patel, I’m a Security Researcher from India(Gujarat). In this article, I’ll be sharing about OAuth 2.0 Vulnerability. So without further ado let’s get started and Hack some shit!!
What is OAuth 2.0?
Applications like Facebook, GitHub, and DigitalOcean can have restricted access to user accounts on an HTTP service thanks to the OAuth 2 authorization protocol. It functions by granting permission for third-party applications to access the user account and delegating user authentication to the service that hosts the user account. OAuth 2 offers authorization flows for mobile devices, desktop apps, and web applications.
Uses of OAuth 2.0
- OAuth 2.0 allows users to share specific data with an application while keeping their usernames, passwords, and other information private. For example, an application can use OAuth 2.0 to obtain permission from users to store files in their Google Drives or used for importing resources such as contacts/images etc.
- This OAuth 2.0 flow is specifically for user authorization. It is designed for applications that can store confidential information and maintain state. A properly authorized web server application can access an API while the user interacts with the application or after the user has left the application.
Entities involved in OAuth 2.0
- Resource Owner: The person who grants permission for an application to access a resource is known as the resource owner. The amount of access the application has to the user’s account is determined by the level of permission it has been given (e.g. read or write access)
- Client: The programme requesting access to a user’s account is referred to as a client. It must first receive authorization from the user, and the API must verify that authorization before it can act.
- Resource Server: The protected user accounts are stored on the resource server.
- Authorization Server: After confirming the user’s identity, the authorization server grants access tokens to the application.
Types of OAuth 2.0 Flows
- Authorization Code Grant
- Implicit Grant
- Resource Owner Credentials Grant
- Client Credentials Grant
The most common ones are Authorization Code Grant and Implicit Grant. So that’s what we are gonna focus on in this article.
Authorization Code Grant Flow
The authorization code grant is used when an application request for an authorization code and then exchanges for an access token, which gives him the access to the user’s account details
So lets see the flow of this process for our better understanding.
I’ll be using CodeCademy as the application or the client and assumes as the user sign-in through Facebook.
- when the user clicks on the sign-in with Facebook button he is redirected to Facebook’s authorization server with following link:
- Now we have the Client _Id which is the public identifier for CodeCademy
- we have the redirect_uri with CodeCademy’s url where the user will be taken after he signs-in.
- we have the response_type which is code which means that CodeCademy needs an authorization code from Facebook
- we have the scope which defines the resources which CodeCademy needs permission for and here CodeCademy needs the name, profile_picture and email address of the user from his Facebook account
- we have State parameter which is optional but it contains the CSRF token.
- The user then sign-in into the Facebook and approves CodeCademy to access his information.
- Once Facebook receives the user’s approval it will send authorization code to CodeCademy. They uses that code and request an access token from Facebook’s authorization server.
- Facebook verifies the received code and sends an access token to CodeCademy. They uses that access token and sends it to Facebook’s resource server in exchange for the user’s details.
Implicit Grant Flow
In this case instead of receiving an authorization code then exchanging it for an access token the application directly receives an access token.
So lets see the flow of this process for our better understanding.
I’ll be using Quora as the application or the client and assumes as the user sign-in through Facebook.
- when the user clicks on the sign-in with Facebook button he is redirected to Facebook’s authorization server with following link:
Now this link has lot more parameters because Quora uses Facebook’s SDK. So ignore the extra ones as rest of the parameters are pretty same.
Only difference is we have the response_type as token instead of code
- The user then sign-in into the Facebook and approves Quora to access his information.
- Once Facebook receives the user’s approval it will send access token to Quora.
- They uses that access token and retrieves the account details from Facebook’s resource server.
- Labs 🙂
So now that we are done with how OAuth 2.0 works. Let’s look at some real life bugs to practice. As i have mentioned in my previous article, PortSwigger has some awesome free labs to practice with detailed explanation.
The Labs you need to practice are(beginners):
Lab: Authentication bypass via OAuth implicit flow
Lab: Forced OAuth profile linking
Lab: OAuth account hijacking via redirect_uri
Lab: Stealing OAuth access tokens via an open redirect
So that’s it for this article!! If you found this helpful, Do let me know on Twitter and LinkedIn.
I hope you enjoyed the article. Let’s Learn, Earn & Grow together with Infosec Community.
Give a Follow If you want more such content —
Twitter: https://twitter.com/0xManan
Header Image From: Naked Security Sophos.