StudSec / pwncrates

A CTF framework with a focus on educational benefit.
https://ctf.studsec.nl
GNU General Public License v3.0

Discord OAuth nonce is lacking #24

Closed Aidan-Stephenson closed 8 months ago

Aidan-Stephenson commented 1 year ago

Discord OAuth supports a 'state' parameter, as described in https://discord.com/developers/docs/topics/oauth2#state-and-security

This state parameter is bound between a server and an individual user. This prevents the following attack scenario:

Attacker initializes a new OAuth login; this is then interrupted and forwarded to the victim. The victim continues the OAuth flow thinking it's their own, completing it and authenticating the attacker.

I'm not entirely sure if there is more to this attack, or an alternative attack the state parameter protects against. In theory pwncrates should not be vulnerable, given that the victim controls the OAuth callback, and thus also the authenticated account, but it's an additional security mechanism so there is little reason not to.
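The per-session state check the comment describes, as an added illustration rather than pwncrates' own code: sessions are modelled as plain dicts so it runs without Flask or Discord, and `CLIENT_ID` and `REDIRECT_URI` are placeholder values. A state minted in the attacker's session is rejected when the forwarded callback lands in the victim's session.

```python
# Added illustration of the OAuth 'state' check discussed in this issue; not pwncrates' code.
# Sessions are plain dicts standing in for server-side session storage.
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_URL = "https://discord.com/oauth2/authorize"  # Discord's authorize endpoint
CLIENT_ID = "CLIENT_ID_PLACEHOLDER"                      # placeholder, not a real app id
REDIRECT_URI = "https://ctf.example/callback"            # constructed example value


def begin_login(session: dict) -> str:
    """Start the flow for one browser session: mint a fresh unguessable state,
    remember it server-side for this session only, and build the redirect URL."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    query = urlencode({
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "response_type": "code",
        "scope": "identify",
        "state": state,
    })
    return f"{AUTHORIZE_URL}?{query}"


def handle_callback(session: dict, callback_url: str) -> bool:
    """Accept the callback only if its 'state' matches the one minted for this
    same session. A state minted in another session (the interrupted-and-forwarded
    scenario) fails the check, and each state is consumed after a single use."""
    params = parse_qs(urlparse(callback_url).query)
    received = params.get("state", [""])[0]
    expected = session.pop("oauth_state", None)  # single use: never accept it twice
    if not expected or not hmac.compare_digest(received, expected):
        return False
    return "code" in params


def state_from_url(url: str) -> str:
    """Helper for the demonstration: extract the state from an authorize URL."""
    return parse_qs(urlparse(url).query)["state"][0]


if __name__ == "__main__":
    attacker, victim = {}, {}
    forwarded = f"{REDIRECT_URI}?code=constructed_code&state={state_from_url(begin_login(attacker))}"
    print("victim accepts attacker's callback:", handle_callback(victim, forwarded))  # False
    print("attacker completes own flow:", handle_callback(attacker, forwarded))       # True
```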

Aidan-Stephenson commented 8 months ago

Fixed in 31f15976b1194186d11a37d422011e07b21bac3d