Account Takeover

Overview of the Vulnerability

OAuth is an authorization framework used to identify and authenticate users for an application. There are a number of implementation misconfigurations which can lead to an OAuth framework being implemented insecurely that an attacker can leverage to take over multiple user accounts and manipulate or retrieve data.

Business Impact

Account takeover can lead to financial and loss through an attacker's access to multiple user accounts and the data within. This attack can also lead to reputational damage for the business through the impact to customers’ trust in the security of the application.

Steps to Reproduce

Enable a HTTP intercept proxy, such as Burp Suite or OWASP ZAP
Use a browser to navigate to: {{URL}}
With the HTTP intercept proxy turned on, login to the application and capture the response in the the HTTP intercept proxy
Observe the OAuth misconfiguration that leads to account takeover

Proof of Concept (PoC)

The screenshot below demonstrates the OAuth misconfiguration:

Recommendation(s)

There is no single technique to stop OAuth misconfigurations from occurring. However, securely implementing the OAuth workflow with the right combination of defensive measures can prevent and limit the impact of these OAuth misconfigurations. Some best practices include the following:

Ensure that parameters within the OAuth workflows are validated
Enable Cross-Site Request Forgery (CSRF) validation on endpoints
Thoroughly validate input and use other preventative controls to limit Cross-Site Scripting (XSS). See the Open Web Application Security Project’s (OWASP) XSS prevention cheat sheet for more details: https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html

PreviousAccount Squatting NextInsecure Redirect URI

Last updated 1 year ago