Forced OAuth Profile Linking
Challenge: https://portswigger.net/web-security/oauth/lab-oauth-forced-oauth-profile-linking
Preface
This challenge is interesting as it leverages a Cross-Site Request Forgery vulnerability in order to link the victim's profile to the attacker's account.
Reproduction Steps
Begin the challenge by authenticating to the web application using the provided username and password. Once authenticated, browse to/my-account
and observe there is a functionality allowing a social media profile to be attached to the account.
Click Attach a social profile
and proceed with the OAuth flow to attach the social media account (which uses a separate set of credentials which are provided by the challenge).
Once the social media profile is attached, observe the request history and discover:
The value in the code
parameter is returned in the request before the one above by the Authorization Server:
So it appears the code
parameter value is mapped to the social media account which was connected to the user's account.
What happens if the OAuth flow is re-initiated and the request which contains the code
is intercepted, dropped, and then sent to an authenticated victim? In theory, the attacker's social media account will then be bound to the victim's account thus providing a backdoor for the attacker.
To test this, reinvoke the OAuth flow and intercept the request being made to the /oauth-linking
endpoint which contains the code. Drop the request and instead craft a CSRF proof of concept which when visited will invoke that request:
Host the HTML proof of concept and as soon as the victim visits it, the attacker's social media profile will be bound to the victim's account.
The attacker can then use the Login with social media
offered by the web application and log into their social media account thus logging them into the victim's account.
This vector could have been mitigated in several ways, first and foremost by implementing CSRF protection.
Last updated