diff --git a/src/pentesting-web/oauth-to-account-takeover.md b/src/pentesting-web/oauth-to-account-takeover.md index d1b1cf2e192..913a2e26b3f 100644 --- a/src/pentesting-web/oauth-to-account-takeover.md +++ b/src/pentesting-web/oauth-to-account-takeover.md 
@@ -298,6 +298,46 @@ This [**blogpost**](https://blog.voorivex.team/oauth-non-happy-path-to-ato) comm 3. In the opener, after the provider authorizes the victim, it sends them back to the value of the `redirect_uri` parameter (victim web) with 30X code which still keeps the attackers website in the referer. 4. The victim **website trigger the open redirect based on the referrer** redirecting the victim user to the attackers website, as the **`respose_type`** was **`id_token,code`**, the code will be sent back to the attacker in the **fragment** of the URL allowing him to tacke over the account of the user via Google in the victims site. +### Open Dynamic Client Registration + PKCE-enabled malicious client flows + +If the authorization server exposes `/.well-known/oauth-authorization-server` or `/.well-known/openid-configuration`, inspect it for a **`registration_endpoint`**, supported grant types, and `token_endpoint_auth_methods_supported`. A combination such as **dynamic client registration + `authorization_code` + `none` client auth + PKCE** means the platform may allow attacker-created **public clients**. + +Quick recon: + +```bash +curl -s https://target/.well-known/oauth-authorization-server +``` + +Interesting signals in the metadata: + +- `registration_endpoint` is reachable from the internet. +- `token_endpoint_auth_methods_supported` contains `none`. +- `code_challenge_methods_supported` contains `S256`. + +If `POST /register` is unauthenticated, try registering an attacker-controlled callback: + +```json +{"redirect_uris":["https://attacker.com/callback"]} +``` + +This is **more dangerous than a normal open `redirect_uri` bug** because the attacker becomes a **legitimate client** from the IdP perspective. After that, the workflow is: + +1. Register the malicious client and keep the returned `client_id` (and `client_secret` if any). +2. Generate your own PKCE `code_verifier` / `code_challenge` pair. +3. 
Send the victim to a normal OAuth authorize URL using your `client_id` and `redirect_uri`. +4. If the victim approves the consent screen, the authorization server sends **their** code to **your** callback. +5. Exchange the code with your known verifier and obtain victim tokens. + +PKCE does **not** stop this pattern when the attacker controls the entire OAuth client lifecycle. PKCE protects against **code interception by a third party**; it does not protect against a **malicious registered client** that generated the `code_challenge` itself. + +Extra checks during testing: + +- The registration endpoint should require authentication, approval, or ownership validation for `redirect_uris`. +- `redirect_uris` should be matched exactly and not accept arbitrary attacker domains. +- If the metadata advertises public-client token auth (`none`), verify whether this is only allowed for trusted clients and whether token redemption still enforces the correct `client_id`, `redirect_uri`, and PKCE verifier. +- If the authorization API returns authorization data or a redirect target **before** a user session is established, treat that as a broken authorization/authentication boundary and chain it with the malicious-client flow above. +- Wildcard CORS on OAuth endpoints is not usually the root cause of the account takeover, but it can expand browser-based abuse and should be reported as an impact amplifier. + ### SSRFs parameters [**Check this research**](https://portswigger.net/research/hidden-oauth-attack-vectors) **For further details of this technique.** 
@@ -387,5 +427,7 @@ In mobile OAuth implementations, apps use **custom URI schemes** to receive redi - [Leaking fbevents: OAuth code exfiltration via postMessage trust leading to Instagram ATO](https://ysamm.com/uncategorized/2026/01/16/leaking-fbevents-ato.html) - [Rapid7: CVE-2026-31381, CVE-2026-31382: Gainsight Assist Information Disclosure and Cross-Site Scripting (FIXED)](https://www.rapid7.com/blog/post/ve-cve-2026-31381-cve-2026-31382-gainsight-assist-information-disclosure-xss-fixed) - [MDN: Window `pagereveal` event](https://developer.mozilla.org/en-US/docs/Web/API/Window/pagereveal_event) +- [How I Found a Critical OAuth Misconfiguration That Led to Account Takeover](https://medium.com/@iamshafayat/how-i-found-a-critical-oauth-misconfiguration-that-led-to-account-takeover-abfec43eaea6) + {{#include ../banners/hacktricks-training.md}}
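Review bot: step 4 of the new workflow in the first hunk ("If the victim approves the consent screen, the authorization server sends **their** code to **your** callback") leaves out the precondition that makes this more than a phishing-dependent finding: the consent prompt is rendered for the attacker-registered client, so the user is shown that client's own name and requested scopes, and unassisted account takeover only follows where consent is auto-granted, skipped for previously approved scopes, or where the "authorization data before a user session is established" boundary problem listed under the extra checks is also present. Suggest stating that dependency next to step 4 and pointing the registration-endpoint mitigation bullet at the controls it gestures towards (RFC 7591 initial access tokens or software statements for the registration endpoint, exact-match `redirect_uris` validation with ownership proof). Also, the `{"redirect_uris":["https://attacker.com/callback"]}` example does not show which `token_endpoint_auth_method` the server grants; RFC 7591 defaults to `client_secret_basic` when it is omitted, so the reader should confirm the method echoed in the registration response before concluding that the server issues public clients at all. Minor: the unchanged context lines in this region still read `respose_type` and `tacke`; worth correcting while the section is being edited.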
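Review bot: the reference added in the second hunk is not cited from the section it supports. The preceding subsection opens with `This [**blogpost**](https://blog.voorivex.team/oauth-non-happy-path-to-ato) comm...`, whereas the new "Open Dynamic Client Registration + PKCE-enabled malicious client flows" section never links the Medium write-up inline, so a reader cannot tell which statements (for example the wildcard CORS remark) come from that source. Suggest adding the link in the section's opening paragraph. Style: neighbouring entries carry a source prefix where the title alone does not identify the origin (`Rapid7: ...`, `MDN: ...`), so `Medium: How I Found a Critical OAuth Misconfiguration ...` would match the list's convention.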