Bypass OAuth nonce and steal oculus response code

Introduction Authorization request: https://www.facebook.com/v2.8/dialog/oauth?app_id=1517832211847102&client_id=1517832211847102&domain=auth.oculus.com&locale=en_GB&origin=1&redirect_uri=https://auth.oculus.com/login/&response_type=code&sdk=joey&version=v2.8&nonce=AXRr8eBAjDTBkzQ7&state=d916afa3-3dc1-bab7-fc9d-3c8f44bf757 Bypass CSRF: make the victim send the above request; once the request is authorized, …

From Open Redirect to Account Takeover Part II

Part I covered how to use an Open Redirect to obtain an access_token; the basic theory was fully explained there. This post builds on Part I, adds some fancier tricks, and successfully obtains Uber's access_token. Uber integrates FB Login; both auth.uber.com and login.uber.com can initiate FB Login. Clicking the FB button on the page triggers the following link: https://facebook.com/xxxx?client_id=xxxxxx&redirect_uri=https%3a%2f%…

From Open Redirect to Account Takeover

Open Redirect Using an Open Redirect in an OAuth scenario to obtain an accessToken. Example: https://www.facebook.com/dialog/oauth?client_id=388795771235143&response_type=token&redirect_uri=https://www.cbssports.com/&scope=email NIN: &response_type=code or response_type=token may yield different results; it is recommended to try both. Exploit Normally, OAuth implementations validate redirect_url. Suppose…

Exploiting OAuth Misconfiguration To Takeover Flickr Accounts

1. OAuth Login Flow OAuth Endpoint: https://api.login.yahoo.com/oauth2/request_auth?client_id=[client_ID]&redirect_uri=[URL]&response_type=code&scope=openid,sdpp-w&nonce=[my_nonce]&.scrumb=jeTYmScEVYq When the user is not logged in, this endpoint redirects the user to the following address: // redirect URL https://www.flickr.com/signin/yahoo/oauth/?redir=https://www.flickr.com/?ytcheck=…

CSRF in Facebook/Dropbox - "Mallory added a file using Dropbox"

FB allows, within a group page, authorizing Dropbox (OAuth 2.0) so that files from Dropbox can be uploaded directly. In this case Dropbox is the client, and FB is the authorization server & protected resource. When the upload button is clicked, the browser sends the following request: https://www.facebook.com/dialog/oauth?display=popup&client_id=210019893730&redirect_uri=https://www.dropbox.com/fb/filepicker?restrict=100000740415566&group_id=840143532794003&scope=publish_actions,user_groups,…

OAuth2 vs JWT

TL;DR The two are not comparable. OAuth2 can use a JWT as a bearer token. OAuth2 covers much more. JWT is an authentication protocol. This means it is a strict set of instructions for the issuing and validating of signed access tokens. The tokens contain claims that are used by an app to limit access to a user.…

oAuth 2.0

0x01. OAuth 2.0 Flow Overview 1. Register YourApp ClientID: YourApp-ID Client secret: DFIAJAO98SH9832HVMQI3 Redirection endpoints: https://YourApp.com/callback.html, https://YourApp.com/callback Authorization endpoint: https://www.facebook.com/dialog/oauth Token endpoint: https://graph.facebook.com/oauth/access_token 2.1 Get an Access Token with the Client-side…