akabe1 / OAUTHScan

Burp Suite Extension useful to verify OAUTHv2 and OpenID security
GNU General Public License v3.0

"OpenID Authorization Code Flow without State Parameter Detected" False Positive #8

Closed domwhewell closed 1 year ago

domwhewell commented 1 year ago

The Burp extension has incorrectly identified and raised this issue, as the state is in the POST body instead of the request parameters.

Here is the HTTP request:

POST /usernamepassword/login HTTP/2
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://localhost/login?state=hKFo2SBObDFkeFE1R3dONmk1cDZ4Q1FudWlmMXo1OFdvMkg4QqFupWxvZ2luo3RpZNkgZ24yWlE1WUVPZGRrQ29sdnZoNG1sS3BRR0NuRE9UdU2jY2lk2SB3VTFkTGd0Z0cwdHpRWTNCMGhrWGFkS3ZVb0ZNbEN0cg&client=wU1dLgtgG0AUMSNGOEkXadKvUoFMlCtr&protocol=oauth2&redirect_uri=https%3A%2F%2Flocalhost%2Fconnectors%2Fauth0%2Fauth&scope=openid%20profile%20email&response_mode=query&response_type=code&nonce=156a1511d8b48d4281b458a18852ae41&code_challenge=lIGOf-7LT-wdZFsC1Tc5G7tjeDZOIDwVBkNtiSEiKII&code_challenge_method=S256&login_hint=test%40example.com
Content-Type: application/json
Auth0-Client: eyJuYW1lIjoibG9jay5qcy11bHAiLCJ2ZXJzaW9uIjoiMTEuMjcuMCIsImVudiI6eyJhdXRoMC5qcy11bHAiOiI5LjE0LjAifX0=
Content-Length: 784
Origin: https://localhost
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers

{
"client_id":"wU1dLgtgG0AUMSNGOEkXadKvUoFMlCtr",
"redirect_uri":"https://localhost/connectors/auth0/auth",
"tenant":"oauth2-demo",
"response_type":"code",
"scope":"openid profile email",
"state":"hKFo2SBObDFkeFE1R3dONmk1cDZ4Q1FudWlmMXo1OFdvMkg4QqFupWxvZ2luo3RpZNkgZ24yWlE1WUVPZGRrQ29sdnZoNG1sS3BRR0NuRE9UdU2jY2lk2SB3VTFkTGd0Z0cwdHpRWTNCMGhrWGFkS3ZVb0ZNbEN0cg",
"nonce":"156a1511d8b48d4281b458a18852ae41",
"connection":"CloudID",
"username":"test@example.com",
"password":"Password1!",
"popup_options":{},
"sso":true,
"response_mode":"query",
"_intstate":"deprecated",
"_csrf":"l0ZUjXZL-2LaAHUARoAw4k_nPHWW4hnZjeOQ",
"code_challenge_method":"S256",
"code_challenge":"lIGOf-7LT-wdZFsC1Tc5G7tjeDZOIDwVBkNtiSEiKII",
"protocol":"oauth2",
"login_hint":"test@example.com"
}
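To illustrate the false positive above, here is an added example (not the extension's own code): a small Python check that recognises an OpenID authorization code request and, depending on where it is allowed to look for `state`, either reproduces the RFC-strict result (query string only) or also accepts a state carried in a JSON or form-encoded body. The request sample is constructed from the one in this issue with headers and values trimmed.

```python
import json
from urllib.parse import parse_qs, urlsplit

# Constructed sample modelled on the request in this issue (headers and values trimmed).
SAMPLE_POST = (
    "POST /usernamepassword/login HTTP/2\r\n"
    "Host: localhost\r\n"
    "Content-Type: application/json\r\n"
    "\r\n"
    '{"client_id":"wU1dLgtgG0AUMSNGOEkXadKvUoFMlCtr","response_type":"code",'
    '"scope":"openid profile email","state":"hKFo2SBObDFkeFE1R3dONmk1cDZ4Q1Fu",'
    '"nonce":"156a1511d8b48d4281b458a18852ae41","redirect_uri":"https://localhost/cb"}'
)

def split_request(raw):
    """Return (query params, body params) parsed from a raw HTTP request."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    path = request_line.split(" ")[1]
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    query = {k: v[0] for k, v in parse_qs(urlsplit(path).query).items()}
    body_params = {}
    ctype = headers.get("content-type", "")
    if body and ctype.startswith("application/json"):
        try:
            body_params = {k: v for k, v in json.loads(body).items() if isinstance(v, str)}
        except ValueError:
            pass  # malformed JSON: treat the body as carrying no parameters
    elif body and ctype.startswith("application/x-www-form-urlencoded"):
        body_params = {k: v[0] for k, v in parse_qs(body).items()}
    return query, body_params

def check_state(raw, state_locations=("query",)):
    """Return 'not-applicable', 'ok' or 'missing-state' for one request."""
    query, body = split_request(raw)
    # The flow is recognised from parameters in either location, but state is
    # accepted only from the listed locations; ("query",) models the RFC-strict
    # check that produces the false positive reported in this issue.
    merged = {**body, **query}
    if merged.get("response_type") != "code" or "openid" not in merged.get("scope", "").split():
        return "not-applicable"
    sources = {"query": query, "body": body}
    if any(sources[loc].get("state") for loc in state_locations):
        return "ok"
    return "missing-state"
```

Running `check_state(SAMPLE_POST)` reproduces the reported finding, while `check_state(SAMPLE_POST, ("query", "body"))` finds the state in the JSON body and reports the request as fine.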
akabe1 commented 1 year ago

This is a dilemma I had faced while writing this Burp plugin, as some developers do not strictly follow the official RFCs when implementing OAUTH and OpenID. My choice was to develop the plugin following the guidelines of the RFCs and leave it to the users to manually check for any false positives caused by the fact that the version of OAUTH/OpenID in the application scanned with Burp is not perfectly compliant with the RFCs. At the moment I have no plans to change this behavior.