⭕HTML Injection and stealing tokens via referer header.
• Check referer header in the requests for sensitive info
⭕Access Token Stored in Browser History
• Check browser history for sensitive info.
⭕Improper handling of state parameter
• Check whether the state parameter is missing, whether it is carried in the URL parameters, and whether it is passed through every step of the flow
• Verifying State entropy
• Check state is not reused
• Remove the state parameter and the redirect URI and check that the request is treated as invalid
⭕ Access Token Stored in JavaScript
⭕ Lack of verification
• If no email verification is required at account creation, register before the victim.
• If no email verification is performed at OAuth sign-in, register with another app before the victim.
⭕ Access token passed in request body
• If the access token is passed in the request body when it is issued to the web application, an attack scenario arises.
• An attacker can create a web application and register it for an OAuth framework with a provider such as Twitter or Facebook, then use it as a malicious app for gaining access tokens.
• For example, an attacker can build their own Facebook app, obtain the victim's Facebook access token, and use that token to log in to the victim's account.
⭕Reusability of an OAuth access token
• Replace the new OAuth access token with the old one and continue using the application. The old token should no longer be accepted; allowing it is considered very bad practice.
Thank you so much for reading this amazing thread on OAuth 2.0 explained! 📌v2
• YourWeb tries to integrate with Twitter.
• YourWeb asks Twitter whether you authorize it.
• You are prompted with a consent screen.
• Once accepted, Twitter sends a request to redirect_uri with code and state.
• YourWeb takes the code plus its own client_id and client_secret and asks the server for an access_token.
• YourWeb calls the Twitter API with the access_token.
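As an added example (not code from the thread), here is an offline Python model of the flow above in which YourWeb applies the state checks listed earlier under "Improper handling of state parameter": the state comes from the CSPRNG, is bound to one pending login, is accepted once, expires, and a callback that lacks it is rejected. The Provider class stands in for Twitter; all names, client credentials and the redirect URI are constructed for the example.

```python
import secrets
import time

class Provider:
    """Authorization-server stub (Twitter in the thread): issues a single-use code, then a token."""
    def __init__(self, client_id, client_secret, redirect_uri):
        self.client_id, self.client_secret, self.redirect_uri = client_id, client_secret, redirect_uri
        self._codes = set()

    def authorize(self, client_id, redirect_uri, state):
        # Consent granted: return the query parameters the provider would send to redirect_uri.
        if client_id != self.client_id or redirect_uri != self.redirect_uri:
            raise PermissionError("unknown client or redirect_uri")
        code = secrets.token_urlsafe(16)
        self._codes.add(code)
        return {"code": code, "state": state}

    def token(self, client_id, client_secret, code):
        if (client_id, client_secret) != (self.client_id, self.client_secret):
            raise PermissionError("bad client credentials")
        if code not in self._codes:
            raise PermissionError("unknown or already used code")
        self._codes.discard(code)  # a code is redeemable once
        return {"access_token": secrets.token_urlsafe(24)}

class YourWeb:
    """OAuth client: each login is bound to an unguessable, single-use, expiring state."""
    def __init__(self, provider, client_id, client_secret, redirect_uri, ttl=600):
        self.provider, self.ttl = provider, ttl
        self.client_id, self.client_secret, self.redirect_uri = client_id, client_secret, redirect_uri
        self._pending = {}  # state -> time it was issued (constructed in-memory store)

    def start_login(self):
        state = secrets.token_urlsafe(32)  # 256 bits from the CSPRNG, never a counter or user id
        self._pending[state] = time.time()
        return state

    def callback(self, params):
        state, code = params.get("state"), params.get("code")
        if not state or not code:
            raise ValueError("missing state or code")  # state stripped from the request
        issued = self._pending.pop(state, None)  # pop: the same state cannot be replayed
        if issued is None:
            raise ValueError("unknown or reused state")
        if time.time() - issued > self.ttl:
            raise ValueError("expired state")
        return self.provider.token(self.client_id, self.client_secret, code)
```

Each rejection branch corresponds to one checklist item: missing state, reused state, and a state that was not issued for a pending login.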
1. Create two accounts if possible, or else enumerate users first.
2. Check whether the endpoint is private or public and whether it contains any kind of id parameter.
3. Try changing the parameter value to another user's and see whether it does anything to their account.
➡ Testcase 1: Add IDs to requests that don’t have them
GET /api/MyPictureList → /api/MyPictureList?user_id=<other_user_id>
Pro tip: You can find parameter names to try by deleting or editing other objects and seeing the parameter names used.