## 5 Ways to do Account Takeover in a Single Website

Nov 26, 2020

Hello guys, it's me, Jackson. Today I am going to share one of my interesting findings on a private program. This is Ramalingasamy M K (Security Researcher). Thanks to Jackson kv for the awesome discovery and for putting it into a nice blog post; this post is taken from his article.

## Reconnaissance

When I started bug bounty I didn't really spend much time on reconnaissance, but later I realized its importance. After plenty of duplicates and "not applicable" reports on bug hunting platforms, I decided to hunt on RVDP programs, where there is less competition. After some time I started to hunt for websites randomly, like the web applications we use in our day-to-day life. This can usually be done.

Let's start with aquatone, a subdomain enumeration tool. After running it I got some subdomains, then ran tools like Lazyrecon, eyewitness, nmap, dirsearch, advanced Google dorks, wappalyzer, and some scripts and tools, so now we have a target website. For example, https://www.readcted.com/ is the application.

## OAuth background

Vulnerability description: OAuth 2.0 is an authorization framework for web applications and the industry-standard authorization protocol. OAuth, which stands for Open Authorization Framework, is the industry-standard authorization delegation protocol: an open-standard authorization protocol or framework that describes how unrelated servers and services can safely allow authenticated access to their assets without actually sharing the initial, related, single logon credential. This includes, for example, your Google contacts list, your Facebook friend list, and so on. OAuth 2.0 is widely used by applications (e.g.

OAuth 2.0 is an authorization protocol and NOT an authentication protocol. OAuth authentication vulnerabilities arise partly because the OAuth specification is relatively vague and flexible by design. It is important to note that vulnerabilities can arise on both the client application and the OAuth service. An OAuth-based vulnerability is one where the configuration of the OAuth service itself enables attackers to steal authorization associated with other users' accounts; a flaw in the OAuth flow allows for the takeover of the victim's account. There are many methods available to perform OAuth attacks.

## P2 vulnerability: account takeover using OAuth misconfiguration (missing state)

First, I opened Burp, started to log the requests, and just started clicking on buttons. Log in to the victim account on https://www.redacted.com/ and go to the settings page where you can link the social account. Now there will be a Facebook page popup for authentication. The authorization request looked like this (cookie values redacted):

```http
GET /v3.1/dialog/oauth?response_type=code&redirect_uri=https%3A%2F%2Fredacted.com%2Fauth%2Ffacebook%2Fcallback&scope=email%2Cpublic_profile&client_id=00000000000 HTTP/1.1
Host: www.facebook.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://redacted.com/profile
Cookie: fr=0rqajcCy4gEh2nJvS.redactedPv2OYVcelE.AWVp7-tG; sb=OQwFXNTRCDFUcookieLIw0; datr=OQwFXBW2scookieSe4q; wd=1366XXXXX657; locale=en_GB; c_u
Connection: close
```

After linking my profile I started looking at the request history and found the callback request:

```http
GET /auth/facebook/callback?code=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX HTTP/1.1
```

When I saw this request I felt something interesting here, because there is no state parameter (note that the authorization request above carries none either), which means it may be vulnerable to a CSRF attack: an attacker's authorization code can be delivered to the victim's browser and linked to the victim's session.

## Pre-account takeover via unverified email

If an OAuth app does not require email verification, try signing up with that OAuth app using a victim's email address. Now you have access to the victim's account through the email id and password you set, since the same account ends up being used on both the attacker's and the victim's end. The fix: first clearly verify the email OTP or link, then give access to the dashboard. I also quickly fired Burp and sent 1000 payloads to see if there was any rate limiting and whether the OTP could be brute forced.

Register endpoint: https://target-website.com/register#

## redirect_url validation

Whenever OAuth authentication is being used, the first thought crossing the mind of an attacker is to check whether the application validates the value of redirect_url. Depending on the server's logic, there are several techniques to bypass a redirect_url check. Unvalidated redirects and forwards are conceivable when a web application takes untrusted input, which may lead the web application to redirect the request to a URL included inside the untrusted input, according to OWASP. Even though I was not able to get tokens by manipulating the redirectUrl, an attack could still have been possible if the parameter had been vulnerable to an XSS allowing me to directly read the tokens either from the page source or from session storage.

## Debugging the Facebook linking flow (postMessage)

My name is Yasser and I am a CTF player and competitive programmer; I love to build things, then break into them.

Viewing my profile page, the social account is not there, so I started to do some analysis to understand what is going on. The first thing I do in my debugging process is log all the communications between the windows using a simple extension; you can install this Chrome extension. My console was full of data, and after some filtering I found this flaw. First, when I click the link button, a postMessage with a click event is sent, and after pressing accept the SDK loads and the flaw starts. So let's try to create an iframe and send some data. I read this article, which is super useful to understand how to do it, but the problem is I couldn't figure out how to send this custom event. Nothing. I was like, what?!

So it seems that before the linking action is taken, something needs to load first. The first thing that came to my mind is why the link is not working, so when I opened the link I dropped above I noticed an error in the console. So let's trace it; this video by STK will help you a lot. Opening the callback resolver, I found that the issue was in this line, so let's put some breakpoints to see why. As you can see, the problem is that settingsService.qsParams is undefined, so we cannot continue and the process stops.

Luckily, the triager took so long to triage it, told me "why would someone click on the button", and also faced a problem with his browser that made him unable to reproduce the issue, and closed it as Not Reproducible. I was so mad, since it was a valid bug, but..

## JSON Web Token misconfiguration leads to account takeover

In most cases, the payload of a JWT is encoded as a JSON object and is easily readable or modifiable by anyone with access to the token. The payload in the JWT is data transferred to the server or used as user identification. When used in a JWS structure, the claims can be digitally signed or integrity protected with a Message Authentication Code (MAC). The header contains other information like a kid (key id) and a UUID value; it is used when the server has more than one key to sign the token. Overall, the header and payload in a JWT work together to provide a secure and compact way to transmit information between parties. The signature is what stops the payload being modified: it is computed with the secret key, and only the server that issued the JWT knows the secret key.

You can use the JWT Editor Burp Suite extension. After installing Burp Suite, you need to install an extension called JWT Editor. Click on the attack, choose the none signature algorithm, and send the token to the server.

Recommendations: use an up-to-date library for handling JSON Web Tokens, and enable the issuing server to revoke tokens on log out and after a particular amount of time.

## Proof of concept

* Admin panel publicly accessible.
* Critically Sensitive Data - Password Disclosure.
* Victim account takeover.
* Just a click, and all the customers and products get deleted!

If the victim has admin-level privileges, it leads to sensitive information disclosure of the organization or to access to some critical infrastructure of the organization. But wait, there's more.

I was able to do this and reported the same to example.com. I reported the bugs to them, but as we all know, there is no response from many companies (the struggle bug hunters face). I reported bugs and got some thanks mail and a few hall of fame entries for securing the application. Thank you all for reading and I hope you find it useful.

## Related reading

* OAuth to Account takeover - HackTricks
* OAuth Account Takeover | Pentest Vulnerability Wiki - Cobalt
* SecurityExplained/account-takeovers-methodology.md at main - GitHub
* OAuth Flaw in Expo Platform Affects Hundreds of Third-Party Sites, Apps
* OAuth Misconfiguration - Findings
* Oauth Misconfiguration lead to complete account takeover
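The missing state parameter in the Facebook linking flow is worth seeing end to end. The following is an added example, not code from the target site, Facebook, or any of the quoted write-ups: it simulates the provider, the client's callback handler as observed (no state), and a hardened handler that binds a random state to the session. The provider functions, `PROVIDER_CODES`, the social user id and the session dict are constructed stand-ins; the client_id, redirect_uri and scope values are the ones from the captured request above.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed stand-in for the provider side (Facebook in the write-up):
# maps issued authorization codes to the social identity that approved them.
# This is a toy, not Facebook's API.
PROVIDER_CODES = {}


def provider_issue_code(social_user_id):
    """Provider issues a single-use code after the social user clicks Accept."""
    code = secrets.token_urlsafe(16)
    PROVIDER_CODES[code] = social_user_id
    return code


def provider_exchange_code(code):
    """Client backend exchanges the code; the provider says whose identity it was."""
    return PROVIDER_CODES.pop(code, None)


# Client-side constants taken from the captured /dialog/oauth request.
CLIENT_ID = "00000000000"
REDIRECT_URI = "https://redacted.com/auth/facebook/callback"
AUTHORIZE_ENDPOINT = "https://www.facebook.com/v3.1/dialog/oauth"


def build_authorize_url(session, with_state):
    """Builds the /dialog/oauth URL; the hardened variant binds a random state to the session."""
    params = {
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "scope": "email,public_profile",
        "client_id": CLIENT_ID,
    }
    if with_state:
        state = secrets.token_urlsafe(24)
        session["oauth_state"] = state
        params["state"] = state
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)


def _param(callback_url, name):
    return parse_qs(urlparse(callback_url).query).get(name, [None])[0]


def handle_callback_vulnerable(session, callback_url):
    """As observed on the target: no state, so any code is linked to whoever is logged in."""
    social_id = provider_exchange_code(_param(callback_url, "code"))
    if social_id is None:
        return "invalid code"
    session["linked_social_account"] = social_id
    return "linked"


def handle_callback_hardened(session, callback_url):
    """Rejects the callback unless the state matches the one stored for this session."""
    expected = session.pop("oauth_state", None)
    received = _param(callback_url, "state")
    if expected is None or received is None or not hmac.compare_digest(expected, received):
        return "state mismatch"
    social_id = provider_exchange_code(_param(callback_url, "code"))
    if social_id is None:
        return "invalid code"
    session["linked_social_account"] = social_id
    return "linked"


def login_csrf_demo(with_state):
    """Attacker gets a code for their own social account, then makes the victim's
    logged-in browser open the callback URL (link, img tag, redirect, ...)."""
    attacker_code = provider_issue_code("attacker-social-uid")
    forged_callback = f"{REDIRECT_URI}?code={attacker_code}"

    victim_session = {"user": "victim@example.com"}  # victim is logged in to the client app
    if with_state:
        build_authorize_url(victim_session, with_state=True)  # victim's own flow has its own state
        result = handle_callback_hardened(victim_session, forged_callback)
    else:
        result = handle_callback_vulnerable(victim_session, forged_callback)
    return result, victim_session.get("linked_social_account")


if __name__ == "__main__":
    print("no state:  ", login_csrf_demo(with_state=False))  # ('linked', 'attacker-social-uid')
    print("with state:", login_csrf_demo(with_state=True))   # ('state mismatch', None)
```

Without state, the attacker's social account ends up linked to the victim's profile, and "Sign in with Facebook" then logs the attacker into the victim's account. With state, the forged callback cannot carry the value stored in the victim's session, so it is dropped before the code is ever exchanged; the state must also be single-use, which is why the hardened handler pops it.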
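The redirect_url section above says bypasses depend on the server's logic. As an added example (not the target's code or any of the quoted articles), here are two validation styles that are commonly found in the wild, a strict exact-match validator, and a set of constructed bypass payloads run through all three. The registered callback is the one from the captured request; `REGISTERED_ORIGINS`, the case names and payloads are constructed for illustration.

```python
import posixpath
from urllib.parse import urlparse

# Registered callback from the write-up; real servers keep this per client_id.
REGISTERED_REDIRECTS = {"https://redacted.com/auth/facebook/callback"}
REGISTERED_ORIGINS = {"https://redacted.com"}


def weak_prefix_check(uri):
    """Common mistake: accept anything that starts with the registered origin."""
    return any(uri.startswith(origin) for origin in REGISTERED_ORIGINS)


def weak_contains_check(uri):
    """Another common mistake: 'does the trusted hostname appear anywhere in the URL?'"""
    return any(urlparse(origin).hostname in uri for origin in REGISTERED_ORIGINS)


def strict_check(uri):
    """Exact match against the registered URI, after rejecting anything that could
    change where the browser actually lands: userinfo, dot segments, query,
    fragment, backslashes, control characters, non-https."""
    if "\\" in uri or any(ord(c) < 0x20 for c in uri):
        return False
    p = urlparse(uri)
    if p.scheme != "https" or p.username is not None or p.password is not None:
        return False
    if p.port not in (None, 443) or p.query or p.fragment or not p.hostname:
        return False
    path = p.path or "/"
    if posixpath.normpath(path) != path:  # catches /../ and /./ segments
        return False
    return f"https://{p.hostname}{path}" in REGISTERED_REDIRECTS


# Constructed test cases: the legitimate value plus classic bypass shapes.
CASES = {
    "legit": "https://redacted.com/auth/facebook/callback",
    "subdomain": "https://redacted.com.evil.com/auth/facebook/callback",
    "userinfo": "https://redacted.com@evil.com/auth/facebook/callback",
    "traversal": "https://redacted.com/auth/facebook/callback/../../../open-redirect?to=https://evil.com",
    "contains": "https://evil.com/callback?ref=redacted.com",
    "http": "http://redacted.com/auth/facebook/callback",
}


def classify(uri):
    """Verdict of each validator for one candidate redirect_uri."""
    return {
        "prefix": weak_prefix_check(uri),
        "contains": weak_contains_check(uri),
        "strict": strict_check(uri),
    }


def bypasses(checker):
    """Names of constructed cases that a checker accepts but the strict one rejects."""
    return sorted(name for name, uri in CASES.items() if checker(uri) and not strict_check(uri))


if __name__ == "__main__":
    for name, uri in CASES.items():
        print(f"{name:10} {classify(uri)}")
    print("prefix bypasses:  ", bypasses(weak_prefix_check))    # ['subdomain', 'traversal', 'userinfo']
    print("contains bypasses:", bypasses(weak_contains_check))  # ['contains', 'http', 'subdomain', 'traversal', 'userinfo']
```

The prefix check is the one most often seen: it lets `https://redacted.com.evil.com`, `https://redacted.com@evil.com` and any open redirect on the trusted host through. Even the strict check only protects the OAuth leg; if the registered path itself redirects based on user input, the code still leaks, which is why the text's OWASP note on unvalidated redirects applies to the client application as well as to the OAuth service.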
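The JWT section describes the kid header, the signature, and JWT Editor's "none" attack without showing why the attack works. The following added example is not the target's code or JWT Editor's; it implements HS256 issuing, the forgery that the "none" attack performs, a verifier that trusts the header's alg (the misconfiguration), and a hardened verifier that pins the algorithm and only accepts known kids. `SERVER_KEYS`, the kid value and the claims are constructed.

```python
import base64
import hashlib
import hmac
import json

# Constructed key set; "kid" in the header selects which key signs, as the text
# describes for servers with more than one key.
SERVER_KEYS = {"2020-11": b"constructed-hmac-secret"}


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _encode_part(obj) -> str:
    return _b64url(json.dumps(obj, separators=(",", ":"), sort_keys=True).encode())


def issue_token(claims, kid="2020-11"):
    """What the server does: HS256-sign the claims with the key named by kid."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = f"{_encode_part(header)}.{_encode_part(claims)}"
    sig = hmac.new(SERVER_KEYS[kid], signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def forge_none_token(token, **changes):
    """What the 'none' attack does: edit the payload, set alg=none, drop the signature."""
    h, p, _ = token.split(".")
    header = json.loads(_b64url_decode(h))
    claims = json.loads(_b64url_decode(p))
    header["alg"] = "none"
    claims.update(changes)
    return f"{_encode_part(header)}.{_encode_part(claims)}."


def verify_vulnerable(token):
    """Trusts the header: alg=none means 'nothing to check', so the payload is believed."""
    h, p, s = token.split(".")
    header = json.loads(_b64url_decode(h))
    claims = json.loads(_b64url_decode(p))
    alg = header.get("alg", "")
    if alg.lower() == "none":
        return claims
    key = SERVER_KEYS.get(header.get("kid"))
    if alg == "HS256" and key is not None:
        expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if hmac.compare_digest(expected, _b64url_decode(s)):
            return claims
    return None


def verify_hardened(token):
    """Pins the algorithm server-side and accepts only known kids; the header's alg is never trusted."""
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        claims = json.loads(_b64url_decode(p))
    except ValueError:  # bad base64, bad JSON, wrong number of segments
        return None
    if header.get("alg") != "HS256":
        return None
    key = SERVER_KEYS.get(header.get("kid"))
    if key is None:
        return None
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return None
    return claims


if __name__ == "__main__":
    real = issue_token({"sub": "alice", "role": "user"})
    forged = forge_none_token(real, role="admin")
    print("vulnerable:", verify_vulnerable(forged))  # {'kid'-less claims with role admin}
    print("hardened:  ", verify_hardened(forged))    # None
```

The forged token is the real header and payload with `alg` changed to `none`, the role claim edited, and an empty third segment; that is exactly what JWT Editor builds when you pick the none signature algorithm. The vulnerable verifier never looks at a key, so the edited claims are accepted as if the server had issued them. Pinning the algorithm on the server side (rather than reading it from the token) and keeping the kid lookup to an allowlist is the up-to-date-library behaviour the recommendations refer to.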