Account Takeover! Which companies don't accept 😞

Darshan Jogi
3 min read · Nov 14, 2021

Hello everyone! 🎉

Darshan here. This is my second write-up, and in it I'm going to tell you about the Authorization Code Grant bug.

Me after getting a good response on my 1st blog 😹

Because of this issue, an attacker can reuse an authorization code to log in to the victim's account.

So, first of all, what is the authorization code?

The authorization code is a temporary code that the client will exchange for an access token. The code itself is obtained from the authorization server where the user gets a chance to see what information the client is requesting, and approve or deny the request.

Reference:- https://www.oauth.com/oauth2-servers/server-side-apps/authorization-code/

What does the authorization code actually look like?

The authorization code is underlined in the image

Let's see how to test for this bug:-

simple

1. Go to Yourtarget.com.
2. Click on login with Google (Gmail).
3. Capture the request in Burp Suite.
4. Send the request that contains the authorization code and state to Repeater.
5. Complete the login.
6. Now go back to Repeater (the request from step 4).
7. Now click Go. You can see that the request still works: the response is 200 OK or 302 Found.

Step 7.

Hacker Phase:-

Suppose the attacker has obtained the authorization code of some user.

  1. The attacker will visit Yourtarget.com.
  2. Click on login with Google (Gmail).
  3. Capture the request in Burp Suite.
  4. The attacker will replace their own authorization code with the victim's authorization code.

The attacker logs in to the victim's account successfully, because the victim's authorization code has not expired.

Reference:- https://www.oauth.com/oauth2-servers/server-side-apps/example-flow/

Impact:-

If an attacker obtains the authorization code of any user, the attacker can log in as that user by reusing the code.

So, here the main question comes

Why don't some companies accept this bug?

Most bug bounty targets think that to exploit this bug the attacker needs access to the victim's computer. And it's true 😔 But it's also possible to steal this code by social engineering, which is mostly out of scope. Sad Lyf :( Or the code can be stolen if a URL with a token gets leaked.

It doesn't mean you should never report this bug. I have got several bounties for this bug in the past.

Mitigation for this bug:-
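
One way an authorization server can stop the reuse described above, shown as an added example (not code from the original write-up): each code is single-use, short-lived, and bound to the client and redirect URI, and a replay is denied and revokes tokens already issued from that code, as RFC 6749 section 4.1.2 specifies. The `AuthCodeStore` class, its method names and the 60-second lifetime are assumptions made for illustration.

```python
import hashlib
import secrets
import time

CODE_TTL_SECONDS = 60  # assumed lifetime; RFC 6749 recommends at most 10 minutes


class AuthCodeStore:
    """In-memory authorization code store (hypothetical, for illustration)."""

    def __init__(self, clock=time.monotonic):
        self._codes = {}             # sha256(code) -> record; the raw code is never stored
        self._clock = clock
        self.revoked_tokens = set()  # tokens invalidated after a replay was detected

    @staticmethod
    def _key(code):
        return hashlib.sha256(code.encode()).hexdigest()

    def issue(self, user, client_id, redirect_uri):
        """Create a fresh code bound to the user, client and redirect URI."""
        code = secrets.token_urlsafe(32)
        self._codes[self._key(code)] = {
            "user": user, "client_id": client_id, "redirect_uri": redirect_uri,
            "expires": self._clock() + CODE_TTL_SECONDS, "used": False, "tokens": [],
        }
        return code

    def redeem(self, code, client_id, redirect_uri):
        """Return (access_token, None) on success or (None, error) on failure."""
        rec = self._codes.get(self._key(code))
        if rec is None:
            return None, "invalid_grant"
        if rec["used"]:
            # Replay: deny, and revoke every token already issued from this code.
            self.revoked_tokens.update(rec["tokens"])
            return None, "invalid_grant"
        if self._clock() > rec["expires"]:
            return None, "invalid_grant"
        if (client_id, redirect_uri) != (rec["client_id"], rec["redirect_uri"]):
            return None, "invalid_grant"
        # Mark as used before issuing the token. In a real server this must be an
        # atomic update in the database so two parallel requests cannot both pass.
        rec["used"] = True
        token = secrets.token_urlsafe(32)
        rec["tokens"].append(token)
        return token, None
```

On the client side, the callback endpoint should likewise reject a `code` and `state` pair it has already processed.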

I hope you guys enjoyed reading my write-up! Follow me on Twitter, LinkedIn and Instagram. See you in the next bug bounty write-up!


Darshan Jogi

Ethical Hacker | Bug Bounty Hunter | College Student