– What is OAuth?
– OAuth 2 is an authorization framework that enables applications to obtain limited access to user accounts on an HTTP service, such as Facebook, GitHub, and DigitalOcean. It works by delegating user authentication to the service that hosts the user account, and authorizing third-party applications to access the user account. OAuth 2 provides authorization flows for web and desktop applications, and mobile devices.
Visit https://www.digitalocean.com/community/tutorials/an-introduction-to-oauth-2 (a must read) and learn how OAuth works before you start testing it 🙂
What are the common bugs found in OAuth implementations?
– Redirect URL bypass
1 – XSS
It is possible to get both reflected and stored XSS through OAuth in the developer portal of your target 🙂
As mentioned in the previous post:
// – begins a single-line comment in JS
https://google.com/?aaaa – the comment itself (this is the registered URL the validator looks for)
%0a – a URL-encoded newline, which ends the single-line comment
So the URL validation is tricked into accepting this value as the redirect URL, and now you can use
And boom, XSS once the client app grants access. But wait, the more damaging thing you can do here is steal the access token handed back by the authorization server on that redirect. 🙂
Another way to get XSS is with a data URI.
You can try data:text/html;base64,PHNjcmlwdD5hbGVydCgiWFNTIik8L3NjcmlwdD4= as the redirect URL value 🙂 it may work too.
http://www.paulosyibelo.com/2016/08/instagram-stored-oauth-xss.html (his blog is awesome 😉)
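To make the trick above concrete, here is an added example (not code from the original post or from any of the referenced write-ups). It models the kind of loose redirect_uri check the javascript:// comment trick slips past, shows what a browser actually executes from such a URI and what the data: payload decodes to, and puts a strict check beside it. The registered URL, the client, the validator bodies and the alert payload are all constructed for illustration; the same weak-validator pattern is what the redirect URL bypasses in the next section rely on.

```python
"""Added example: loose vs. strict redirect_uri validation against the
javascript: and data: payloads discussed above. Names and payloads are
constructed for illustration; this is not code from the original post."""
import base64
import re
from urllib.parse import unquote, urlsplit

# Constructed: the redirect URL the developer registered for the client app.
REGISTERED_REDIRECT_URIS = {"https://google.com/callback"}

# Constructed payloads in the shape the post describes: the first hides the
# registered URL inside a JS line comment, the second is an inline HTML page.
JS_PAYLOAD = "javascript://https://google.com/?aaaa%0aalert(document.domain)"
DATA_PAYLOAD = "data:text/html;base64,PHNjcmlwdD5hbGVydCgiWFNTIik8L3NjcmlwdD4="


def weak_redirect_check(redirect_uri: str) -> bool:
    """Vulnerable validator (constructed): accepts any value in which the
    registered origin appears somewhere, never looking at the scheme."""
    return "https://google.com" in redirect_uri


def script_run_by_javascript_uri(uri: str) -> str:
    """What the browser executes for a javascript: URI.

    The body is percent-decoded first, so %0a becomes a real newline that
    terminates the // comment; every later line is live code. (Simplified:
    only // line comments are handled, which is all the trick needs.)"""
    if not uri.lower().startswith("javascript:"):
        return ""
    body = unquote(uri[len("javascript:"):])
    live = [ln for ln in body.split("\n") if not ln.lstrip().startswith("//")]
    return "\n".join(live)


def html_in_data_uri(uri: str) -> str:
    """Decode a base64 data:text/html URI to the markup it would render."""
    m = re.fullmatch(r"data:text/html;base64,(.+)", uri)
    return base64.b64decode(m.group(1)).decode() if m else ""


def strict_redirect_check(redirect_uri: str) -> bool:
    """Hardened validator: https only, and an exact string match against the
    pre-registered URIs (the simple string comparison RFC 6749 section
    3.1.2.3 asks for). No substring, prefix or regex matching."""
    if urlsplit(redirect_uri).scheme != "https":
        return False
    return redirect_uri in REGISTERED_REDIRECT_URIS


if __name__ == "__main__":
    print("weak accepts javascript: payload:", weak_redirect_check(JS_PAYLOAD))
    print("browser would run:", script_run_by_javascript_uri(JS_PAYLOAD))
    print("data: URI renders:", html_in_data_uri(DATA_PAYLOAD))
    for uri in (JS_PAYLOAD, DATA_PAYLOAD, "https://google.com/callback"):
        print("strict:", uri[:40], "->", strict_redirect_check(uri))
```

The weak check passes the javascript: payload because the registered origin is literally present in the string, while the browser, after decoding %0a, discards the comment line and runs only `alert(document.domain)`. Whether the data: payload gets through depends on the validator; the strict check rejects both payloads on scheme alone and also refuses anything that is not byte-for-byte one of the registered URIs, which is what closes the bypasses discussed below.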
2 – Redirect URL bypass
Now this one is really vast: what if you can bypass the redirect URL set by the developer? That would be awesome, because you can again steal the access token 😉
Say the developer has registered http://example.com as the redirect URL. If the OAuth implementation is not configured to validate it strictly, you can bypass it;
some of the good bypasses are the following: