
So, who's ready to have some football? All right, a short intro: I'm Arnold Gauschi, I'm a senior penetration tester at Century, and prior to being part of Century I attended the CIACP program at Cyber Academy, guided by Dre North Monae. Throughout this time at Century I had the opportunity to participate in a lot of engagements that included, but were not limited to, application penetration testing such as web, mobile or thick clients; they also included cloud infrastructures in AWS, Azure and Google Cloud Platform; APIs; internal and external penetration testing; red team engagements; and social engineering. What I also define as crucial for our career as penetration testers is taking care of your burnout, as it's so easy to get burned out in this career. So what I do is I try to enjoy my free time, which mainly includes playing drums, but of course I'm also listening to some cool heavy metal music.

So the outline for this presentation will be how to hack a lot of football clubs. I have a question for our audience: do you have any ideas what OAuth and football clubs have in common?

All right, so what they do have in common is the audience, and I'm going to tell you why in a few minutes. The outline will cover OAuth and OpenID Connect, with a general overview of how they work and what they are, and some of their features, such as dynamic client registration and the risks that it poses; hard-coded secrets and the risks that they pose; and how we compromised the majority of the most prominent football clubs. Apart from that, we also have a bonus outline that includes Cosmos databases and how to escape the kiosk.

So what are OAuth and OpenID? Basically, OAuth is an authorization protocol that allows users to sign in to the application using their Google account or their Facebook account, whereas OpenID is a protocol that is mainly focused on the authentication process. The main difference between authentication and authorization is that with authentication the application tries to know who you are, and with authorization it basically restricts the scope of which data or which files you have access to. Throughout this talk, some of the terminology that we might need is: the client credentials, which include the client ID and client secret, which are similar to a username and password; the scope, which is basically your limitation towards those credentials within the application; and the audience, which is the intended recipient of the token. So with just this information we'll be able to hack the majority of the most prominent football clubs.

The methodology for this engagement was: since it was using OpenID Connect, we tried to grab the OpenID configuration, which led to the dynamic client registration endpoint, which led to a failed attempt to perform dynamic client registration. So initially we then proceeded with an initial authentication request, which generated the following scope, highlighted in red, and we also got an access token which was limited only to our own set of data, and we could not really escape that, apart from an insecure direct object reference that we identified in the application. But it was very limited: as you can see down here, the ID highlighted in red is a unique identifier in hex format, not easily brute-forceable, and the attack surface was very limited, even though the retrieved data included passwords of their database that was hosted locally in the targeted infrastructure. But again, the attack surface was limited and we could not really do anything with that.

Next, we also identified another insecure direct logic reference, which was a read-only access control flaw: by supplying the administrator's email address we were able to retrieve a lot of sensitive information that included all the football players of some of the most prominent football clubs, and it included their name, their last name, their date of birth, their unique identifier (that we might be using later), what their max heart rate is when they are running, their resting heart rate, and so on and so forth.

Then we tried to see if there was any sensitive information stored in the application's configuration files. This was also a thick client, so this led to some very sensitive information, which was the client ID and the client secret, and performing the authentication request with the client credentials grant type led to the following scope, which would allow us to read all of the users, update any of the users and delete any of the users, which could lead to a potential denial of service for the application, and they could not offer their service anymore.

So now that we have this scope and we have this JSON Web Token, what is our next step? The next step is that we might want to look at the official API documentation of Auth0 and see how we can abuse all of these legitimate functionalities within the application. So I navigated to the official documentation and noticed that all of these actions are legitimate and we can perform any of these actions.

Moving forward, this is the attack scenario that we came up with: firstly, we listed the registered users, then we grabbed the administrator's email address, and then we could also change that password, and then you could take over the football club, you name it. Proceeding with that, to list these users I've listed here some endpoints, but I don't think you can see them, but it's okay: it's /api/v2/users, which lists all the available users; then we could list the users by their ID, or list their roles, or list them by their email address. Moving forward, to compromise the football club, you name it, we would need to send a PATCH request to this endpoint, which is auth0| followed by the unique identifier that we could have grabbed from the listing request that we initiated previously.

And then, as penetration testers, we all know that it's never enough to perform hacking, so we proceeded to hack even more. In this case we have the penalty round, where there's a bonus outline, and the bonus outline is that the application was throwing even more hard-coded secrets, which included the application's connection string to their Cosmos database. Using that connection string we were able to perform a lot of actions, such as connect to their database and then view all of the players' information. In this list we could name some of the best football teams, like Chelsea or Paris Saint-Germain and so on and so forth, and all of their players and their data, and we could read them, modify them and also delete them.

So as the last bonus outline we had the kiosk escape. Basically the application's browser render engine was not properly configured, which allowed us to navigate to the settings, and after navigating to the settings we were able to pop a cmd with NT AUTHORITY permissions. So using this way we were able to play "We Are the Champions" by Queen. So yeah, that's the way we hacked most of the football clubs in the world. Thank you for your attention. Any questions?
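The talk's point is that a token's audience and scope are what a resource server must enforce: a token minted from a leaked client secret via the client credentials grant carries whatever scope the client was registered with, and an API that does not check the `aud` claim or map routes to required scopes will honour it. The following is an added Python example, not the speaker's code and not Auth0's or any real API's, showing the defender-side check a resource server should perform before serving the user endpoints the talk lists. Assumptions: the HS256 signing key and the audience URL are constructed demo values, and the scope names `read:users`, `update:users` and `delete:users` follow the talk's "read / update / delete any of the users" wording rather than any documented API.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo signing key; a real resource server would load the issuer's
# key from configuration or the OpenID discovery document, never from code.
DEMO_KEY = b"constructed-demo-hs256-key"

# Assumed audience identifier of the users API this resource server protects.
USERS_API_AUDIENCE = "https://api.example.test/v2"

# Route -> scopes required. Paths follow the talk's /api/v2/users endpoints;
# scope names are assumptions modelled on the read/update/delete wording.
REQUIRED_SCOPES = {
    ("GET", "/api/v2/users"): {"read:users"},
    ("PATCH", "/api/v2/users"): {"update:users"},
    ("DELETE", "/api/v2/users"): {"delete:users"},
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Mint an HS256 JWT. Present only so the example is self-contained."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_token(token: str, expected_aud: str, key: bytes = DEMO_KEY, now=None) -> dict:
    """Check signature, expiry and audience; raise PermissionError on any failure."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:  # covers bad split, bad base64 and bad JSON
        raise PermissionError("malformed token")
    if header.get("alg") != "HS256":  # pin the algorithm, never trust the header's choice
        raise PermissionError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise PermissionError("bad signature")
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        raise PermissionError("token expired")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_aud not in audiences:  # a valid token for another API is still rejected
        raise PermissionError("audience mismatch")
    return claims


def authorize(token: str, method: str, path: str,
              expected_aud: str = USERS_API_AUDIENCE, now=None) -> bool:
    """True only if the token is valid for this API and carries every scope the route needs."""
    try:
        claims = verify_token(token, expected_aud, now=now)
    except PermissionError:
        return False
    granted = set(claims.get("scope", "").split())
    for (route_method, prefix), needed in REQUIRED_SCOPES.items():
        if route_method == method and path.startswith(prefix):
            return needed <= granted
    return False  # unknown route: deny by default


if __name__ == "__main__":
    # Constructed tokens: a read-only one for this API, and a full-privilege one
    # minted for a different audience (the "leaked client secret" case).
    read_only = issue_token({"aud": USERS_API_AUDIENCE, "scope": "read:users", "exp": 1_800_000_000})
    other_api = issue_token({"aud": "https://other.example.test",
                             "scope": "read:users update:users delete:users", "exp": 1_800_000_000})
    for label, tok, method, path in [
        ("read-only GET", read_only, "GET", "/api/v2/users"),
        ("read-only PATCH", read_only, "PATCH", "/api/v2/users/auth0|placeholder-id"),
        ("wrong-audience PATCH", other_api, "PATCH", "/api/v2/users/auth0|placeholder-id"),
    ]:
        print(f"{label}: {'allowed' if authorize(tok, method, path, now=1_700_000_000) else 'denied'}")
```

The two checks that matter for the talk's scenario are the audience comparison and the per-route scope map: a token with `update:users` issued for some other audience is rejected before its scope is even read, and a token for the right audience still cannot reach the PATCH route without the update scope. Pinning `alg` and deciding on `path.startswith` against a fixed route table keeps the check independent of anything the caller controls.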