This is an exercise that exploits the scope upgrade vulnerability. The goal is to upgrade the scope from the original.
```sh
$ git clone https://github.com/melonattacker/oauth-exploit-lab.git
$ cd oauth-exploit-lab/exercise/ex7
$ docker-compose up -d
```
| target | URL |
|---|---|
| client | http://localhost:10000 |

| username | password |
|---|---|
| bob (attacker) | hoge |
Looking at line 193 of authorizationServer/app.py, you can see that the scope can be respecified when refreshing a token.
```python
scope: str = None
if request.form.get('scope') != None:
    # a client-supplied scope silently replaces the originally granted one
    scope = request.form.get('scope')
else:
    scope = res[0]['scope']
```
The client takes the scope from its own request's query parameter and forwards it unchanged to the authorization server:

```python
payload = {
    'grant_type': 'refresh_token',
    'refresh_token': refresh_token,
    'redirect_uri': client['redirect_uris'][0],
    'scope': request.args.get('scope')  # attacker-controlled query parameter
}
headers = {
    'Content-Type': 'application/x-www-form-urlencoded',
    'Authorization': 'Basic ' + encode_client_credentials(client['client_id'], client['client_secret'])
}
...
res = requests.post(auth_server['token_endpoint'], data=payload, headers=headers, cookies={'session': request.cookies.get('session')})
```
This makes the lab vulnerable to scope upgrade: the authorization server never checks that the respecified scope is a subset of the scope originally granted, so an attacker can respecify the scope when the token is refreshed.

First log in as bob (attacker) and click the Get OAuth Token button. Then add the scope query parameter (`hoge%20huga%20piyo`) to the `/refresh` GET request.
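As an added example (not the lab's own code), the hardened form of the scope check from authorizationServer/app.py, next to a replica of the vulnerable logic for comparison: a refresh request may narrow the originally granted scope but never widen it, which is what RFC 6749 section 6 requires. The token store, client id and refresh token value are constructed stand-ins, and the client id is assumed to have already been established from the Basic credentials the client sends.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RefreshResult:
    ok: bool
    scope: str = ""
    error: str = ""


def parse_scope(value):
    """Split an RFC 6749 space-delimited scope string into a set of scope tokens."""
    return set(value.split()) if value else set()


def vulnerable_refresh_scope(requested_scope, granted_scope):
    """Mirrors the lab's logic: any client-supplied scope replaces the granted one."""
    return requested_scope if requested_scope is not None else granted_scope


def hardened_refresh_scope(requested_scope, granted_scope):
    """Hardened replacement: a refreshed token may narrow the grant, never widen it."""
    granted = parse_scope(granted_scope)
    if requested_scope is None:
        # No scope in the request: reissue with exactly the originally granted scope.
        return RefreshResult(True, " ".join(sorted(granted)))
    requested = parse_scope(requested_scope)
    # Reject an empty scope and any scope token that was not in the original grant.
    if not requested or requested - granted:
        return RefreshResult(False, error="invalid_scope")
    return RefreshResult(True, " ".join(sorted(requested)))


# Constructed stand-in for the server's refresh-token store (the lab reads res[0] from its DB).
STORED_GRANTS = {
    "rt-constructed-1": {"client_id": "client-constructed", "scope": "read profile"},
}


def refresh_token_grant(authenticated_client_id, form):
    """Refresh branch of a token endpoint: bind the token to the client, then resolve scope."""
    record = STORED_GRANTS.get(form.get("refresh_token"))
    if record is None or record["client_id"] != authenticated_client_id:
        return RefreshResult(False, error="invalid_grant")
    return hardened_refresh_scope(form.get("scope"), record["scope"])
```

With the hardened check, the `hoge huga piyo` scope from the exercise is answered with `invalid_scope`, while a request that omits the scope or narrows it to `read` still succeeds.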