Exploiting OAuth for fun and profit
Now that we've learned about different OAuth mechanisms, let's go straight to exploitation techniques.
Open redirect – the malformed URL
Let's say we're doing a phishing/client-side browser exploitation as a part of a penetration test engagement for an organization. Our exploit page is located at http://exploit.example.com/
and they really trust some known websites. In this example, we consider a trusted website to be http://trusted.com
.
Simply speaking, if we give the exploit link directly to the users, they may not click it, but a www.trusted.com
link will have better chances of getting a hit. That's what open-redirect is all about; redirecting the user from www.trusted.com
to exploit.example.com
will perform our trick and at the same time exploit the users' trust.
In OAuth 2.0, some authorization servers suffer from a flaw that indirectly results in an open redirect. Let's assume that www.trusted.com
runs an OAuth...