OAuth Vulnerabilities TryHackMe Walkthrough — SuNnY

Sunny Singh Verma
9 min read · Aug 28, 2024


OAuth Vulnerabilities TryHackMe

Brief Intro To OAuth Vulnerabilities

In cybersecurity, OAuth vulnerabilities refer to security weaknesses within the OAuth authorization framework, which is used to grant third-party applications limited access to user resources without exposing credentials. When improperly implemented, OAuth can be susceptible to various attacks, such as unauthorized access, token interception, and data breaches. Understanding and mitigating these vulnerabilities is crucial to ensuring the security of OAuth-based systems.

ROOM OBJECTIVES + LEARNINGS -

  • Essential concepts for OAuth 2.0 (Grant Types)
  • OAuth 2.0 flow
  • Identify OAuth services
  • Exploitation techniques
  • Evolution of OAuth 2.1
  • Total Room Tasks : 10

ROOMS RECOMMENDED BEFORE PROCEEDING

DIFFICULTY

Medium Difficulty [ TryHackMe Walkthrough Room ]
Note: an active TryHackMe Premium Subscription is required for this room.

KUDOS TO THE CREATORS

Special Thanks to the Creators of this room

Let’s Start !

Grab Yourself a Hot cup of Coffee, Milkshake, Oreo Shake 😋, Frappuccino 😃, Orange Juice, Beetroot Juice 🤢
This Walkthrough has some miles!

Task 1

In the First task it is discussed that OAuth vulnerabilities are a serious and often overlooked risk in modern web applications, primarily involving OAuth 2.0. These vulnerabilities allow for CSRF, XSS, data leakage, and other attacks. Key learning objectives include understanding OAuth 2.0 grant types, flow, identifying OAuth services, exploitation techniques, and the evolution to OAuth 2.1.

Task 2

Question 1 : Which (optional) parameter can be used to prevent CSRF attacks?

The state parameter in OAuth is a crucial security feature used to prevent Cross-Site Request Forgery (CSRF) attacks. It is a unique value generated by the client (the application requesting authorization) and sent to the authorization server as part of the OAuth authorization request.

Task 2 — Question 1 Done !

Question 2 : What credentials can the client use to access protected resources on behalf of the resource owner?

An access token in OAuth is a credential that represents the authorization granted to a client by a user. It allows the client application to access the user’s resources (such as APIs or data) on a resource server. Access tokens are typically issued by an authorization server after the user has successfully authenticated and granted permission.

Task 2 — Question 2 Done !

Task 2 — Done !

Task 3

There is a lot of information provided in the Task 3 module and it is advised to give it a brief read before proceeding.

Question 1 : What is the grant type often used for server-server interaction?

Screenshot taken from TryHackMe Room — OAuth Vulnerabilities

Task 3 — Done !

Task 4

This Task requires us to Start a VM

Let’s Start The Party !

Firing up the machine

After Starting the Machine we are directed to the TryHackMe’s Attacker Box in Split View —

These are the credentials which we are going to use for further tasks —

For Task 4 we are first asked to log in to bistro.thm:8080

We are redirected to this page after clicking Login with OAuth

[ Task 4 ] Question 1 : What is the client_id value after initiating the OAuth 2.0 workflow?

Let’s closely examine the url of this page —

The Client ID can be found inside the url

Full URL

http://coffee.thm:8000/accounts/login/?next=/o/authorize/%3Fclient_id%3Dzlurq9lseKqvHabNqOc2DkjChC000QJPQ0JvNoBt%26response_type%3Dcode%26redirect_uri%3Dhttp%3A//bistro.thm%3A8000/oauthdemo/callback

Task 4 — Question 1 Solved !

[ Task 4 ] Question 2: What parameter name determines the time validity of a token in the token response?

The Answer for Question 2 can be found here —

Task 4 Completed !

Task 5

Question : What is the name of the toolkit used for implementing Oauth in the URL http://coffee.thm:8000/?

Task 6

Question: What is the flag value after getting the access token?

Since we are already logged in before starting Task 6, let's log out from the session:

http://coffee.thm:8000/admin/logout

We are returned to this page —

When the user Tom clicks on the link — http://dev.bistro.thm:8002/redirect_uri.html

He gets redirected to a new page —

After clicking on Login via OAuth, the victim Tom is redirected to a falsified page where he enters his credentials — victim:victim123. The OAuth authorization code is then sent to the attacker's URL — dev.bistro.thm:8002/malicious_redirect.html — so the attacker can intercept and misuse the authorization code. This is the same code we will get after logging in to the form above —

We now have the Intercepted Authorization Code that was gathered from the victim using the attacker’s link

Intercepted Authorization code

FZqMf62aBroTei1YscnEbHwPn9ihEL

Further we will use this code with the callback function to get our flag

Let's replace the code parameter with the intercepted Authorization code we found earlier

http://bistro.thm:8000/oauthdemo/callbackforflag/?code=FZqMf62aBroTei1YscnEbHwPn9ihEL

Once the request with the intercepted code goes through we get our Flag

We solve Task 6
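The Task 6 attack only works because the authorization server hands the code to a redirect_uri it was never registered for. As an added example (not the room's code), this is the check an authorization server should run on every /o/authorize/ request before showing a consent page: an exact-match lookup of redirect_uri against the client's registered callbacks, using the client_id and callback from the Task 4 URL. The client registry and the coffee.thm origin are constructed assumptions.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed client registry: the client_id and callback are the ones visible in
# the Task 4 authorization URL; the set of registered URIs is an assumption.
REGISTERED_CLIENTS = {
    "zlurq9lseKqvHabNqOc2DkjChC000QJPQ0JvNoBt": {
        "http://bistro.thm:8000/oauthdemo/callback",
    },
}


def query_params(url: str) -> dict:
    """Return the query string as {name: first_value}, percent-decoded once."""
    pairs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {k: v[0] for k, v in pairs.items()}


def unwrap_login_next(url: str, origin: str = "http://coffee.thm:8000") -> str:
    """The coffee.thm login page carries the /o/authorize/ request percent-encoded
    inside ``next=``; one decode gives back the path-relative authorize URL, so the
    server origin (an assumption) is prepended. Other URLs pass through unchanged."""
    nxt = query_params(url).get("next", "")
    return origin + nxt if nxt.startswith("/") else url


def check_authorize_request(url: str) -> tuple[bool, str]:
    """Decide whether an authorization request may proceed to the consent page.

    redirect_uri must equal a registered value byte for byte: no prefix, suffix,
    scheme or subdomain leniency, which is exactly how dev.bistro.thm:8002 would
    otherwise slip in and receive the victim's code."""
    p = query_params(unwrap_login_next(url))
    client_id = p.get("client_id", "")
    redirect_uri = p.get("redirect_uri", "")
    if client_id not in REGISTERED_CLIENTS:
        return False, "unknown client_id"
    if p.get("response_type") != "code":
        return False, "unsupported response_type"
    if redirect_uri not in REGISTERED_CLIENTS[client_id]:
        return False, f"redirect_uri not registered: {redirect_uri or '<missing>'}"
    return True, "ok"
```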

Task 7

I know this Room is a little challenging and can be a little overwhelming.
You are doing great !! Keep it up 😊

Question 1 : What is the flag value after attaching the attacker’s account with the victim’s account?

As we did before, let's log out from our previous session by visiting

http://coffee.thm:8000/admin/logout

If you are using your own VM, make sure you have mycontacts.thm and coffee.thm in your /etc/hosts; if you are using the AttackBox these entries are already done for you.

Let's head out to — mycontacts.thm:8080

Let's log in as the attacker with the credentials attacker:attacker. This syncs the contacts to CoffeeShopApp, and after the successful sync the current account is linked to the CoffeeShopApp account.

Login to Url —

http://mycontacts.thm:8080/csrf/index.php

We are now redirected to this page once we login

We are redirected to this URL —

http://coffee.thm:8000/accounts/login/?next=/o/authorize/%3Fresponse_type%3Dcode%26client_id%3Dkwoy5pKgHOn0bJPNYuPdUL2du8aboMX1n9h9C0PN%26redirect_uri%3Dhttp%253A%252F%252Fmycontacts.thm%253A8080%252Fcsrf%252Fcallbackcsrf.php

We need to prepare a payload to obtain the authorization code, which can be done by intercepting the flow with Burp Suite or any other network interception tool.
To make things easy, the creator of this room has already provided us the payload -

http://coffee.thm:8000/o/authorize/?response_type=code&client_id=kwoy5pKgHOn0bJPNYuPdUL2du8aboMX1n9h9C0PN&redirect_uri=http://coffee.thm:8000/oauthdemo/callbackforcsrf/

Using the payload URL above we can log in as the attacker, just like we did for mycontacts.thm:8080

We get our authorization code by logging in with the attacker's credentials and being redirected to this page —

We get the Authorization Code —

OJ4hjYTH4IhC1yfkVEWT0HBUWyooXf

Launching an Attack

URL we are going to use for the Attack —

http://bistro.thm:8080/csrf/callbackcsrf.php?code=xxxx

Let’s use the Authorization code we got above with the CSRF Payload

http://bistro.thm:8080/csrf/callbackcsrf.php?code=OJ4hjYTH4IhC1yfkVEWT0HBUWyooXf

After logging in as the victim we finally get our flag for Task 7

Task 7 — Question 2 : What parameter name does the client application include in the authorization request to avoid CSRF attacks?
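The Task 7 account-linking attack succeeds because callbackcsrf.php accepts any code handed to it, with nothing tying that code to the browser session that started the flow. As an added example (not the room's code), here is the client-side state handling that closes it, written for the mycontacts.thm client with the client_id and redirect_uri from the Task 7 authorization URL; the session dict and the function names are constructed.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Values taken from the Task 7 authorization URL; the session object is a stand-in
# for whatever server-side session store the client application uses.
AUTHORIZE_ENDPOINT = "http://coffee.thm:8000/o/authorize/"
CLIENT_ID = "kwoy5pKgHOn0bJPNYuPdUL2du8aboMX1n9h9C0PN"
REDIRECT_URI = "http://mycontacts.thm:8080/csrf/callbackcsrf.php"


def begin_authorization(session: dict) -> str:
    """Generate an unguessable state, remember it in *this* user's session, and send
    the same value in the authorization request."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    query = urlencode({
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "state": state,
    })
    return f"{AUTHORIZE_ENDPOINT}?{query}"


def handle_callback(session: dict, callback_url: str) -> tuple[bool, str]:
    """Accept the code only when the callback carries the state issued to this session.

    A link such as callbackcsrf.php?code=... that the attacker built from their own
    login (Task 7) arrives in the victim's browser with no state, or with a state the
    victim's session never issued, so the attacker's account is never linked."""
    params = {k: v[0] for k, v in parse_qs(urlsplit(callback_url).query).items()}
    expected = session.pop("oauth_state", None)  # single use: a replay also fails
    received = params.get("state")
    if expected is None or received is None:
        return False, "no pending authorization or state missing"
    if not hmac.compare_digest(expected, received):  # constant-time compare
        return False, "state mismatch"
    code = params.get("code")
    if not code:
        return False, "code missing"
    return True, code  # now safe to exchange the code at the token endpoint
```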

Task 7 is now Complete !

Task 8

Question 1 : What symbol separates the access token from the OAuth 2.0 implicit grant flow URL?

Question 1 is Solved !

Question 2 : Visit the URL http://coffee.thm:8080/flagvalidator/ and enter the access token you acquired. What is the flag value?

Before proceeding with our last question for this room let’s logout from our previous sessions —

http://coffee.thm:8000/admin/logout

Navigate to this URL — http://factbook.thm:8080

The URL above —

http://factbook.thm:8080/callback.php#access_token=5CHMcJNG76dKbtvgsxHMPYBgRRhDzF&expires_in=36000&token_type=Bearer&scope=read+write&state=

Access Token —

5CHMcJNG76dKbtvgsxHMPYBgRRhDzF

Now we will use the access token we obtained at this URL

http://coffee.thm:8080/flagvalidator/

By entering the Access Token and submitting it we get our Flag for the final question and Final Task

Task 8 Done !

Task 9

Question : Which of the following has been omitted from OAuth 2.1?

a) Implicit Grant
b) Authorization Code
c) Tokens
d) State

Task 10

And by Task 10, we have successfully completed the room on OAuth Vulnerabilities

And Done !

This room involved a lot of steps and can be overwhelming for a beginner.
I hope you enjoyed solving this room as much as I did

Let’s Connect on Linkedin → https://linkedin.com/in/sunnysinghverma

You can also give me Respect on Hack The Box if you want; I would really appreciate it :)

https://app.hackthebox.com/users/1585635

If you did, you can add a clap to this article to let me know.
You can also follow me on Medium to get more articles about CTFs and Cybersecurity in the near future

Thank you !
SuNnY


Sunny Singh Verma

Blogger & Cyber Security Enthusiast || TryHackMe Wall of Fame - in Top 50 Ethical Hackers Worldwide || HTB-Elite Hacker || Follow for Cyber World & CTF updates!