2022-07-06 15:57:44
Account hijacking using "dirty dancing" in sign-in OAuth-flows by Frans RosénCombining response-type switching, invalid state and redirect-uri quirks using OAuth, with third-party javascript-inclusions has multiple vulnerable scenarios where authorization codes or tokens could leak to an attacker. This could be used in attacks for single-click account takeovers. Frans Rosén, Security Advisor at Detectify goes through three different scenarios found in the wild below and also suggests ways to reduce the risk.
Contents:
• Background
• Current state and assumptions about OAuth credential leakage
• Explanation of different OAuth-dances
• Response modes
• A theory: stealing tokens through postMessage
• It took a lot of time to get here
• Non-happy paths in the OAuth-dance
• Break state intentionally
• Response-type/Response-mode switching
• Redirect-uri case shifting
• Redirect-uri path appending
• Redirect-uri parameter appending
• Redirect-uri leftovers or misconfigurations
• I ended up on a non-happy path. Now what?
• Here be more time
• URL-leaking gadgets
• Other ideas for leaking URLs
• A page on a domain that routes any postMessage to its opener
• Conclusion
• How can we fix this?
• How to reduce the risk
https://labs.detectify.com/2022/07/06/account-hijacking-using-dirty-dancing-in-sign-in-oauth-flows/
2.9K views12:57