[This lab](https://portswigger.net/web-security/oauth/lab-oauth-forced-oauth-profile-linking) demonstrates how **missing CSRF protection** in an OAuth linking endpoint can let an attacker force another user (in this case, the admin) to attach *their own* social media account to the victim’s account. Once linked, the attacker can log in via OAuth and gain full access to the victim’s account. --- #### 1. Understanding the Scenario * **Functionality**: Users can attach a social media profile to their blog account. * **OAuth flow flaw**: No `state` parameter is used in the linking flow — leaving it open to CSRF. * **Goal**: Force the admin to link *our* social media profile, then log in as admin and delete Carlos. --- #### 2. Reconnaissance 1. Logged in to the blog site as `wiener:peter`. 2. Chose **Attach a social profile**. 3. Completed the OAuth login using social media creds: ``` peter.wiener:hotdog ``` 4. Observed the OAuth linking process in **Burp Proxy**: * Redirect to OAuth provider. * OAuth provider redirects back with an **authorization code**: ``` GET /oauth-linking?code=XYZ ``` * No `state` parameter present. 5. Confirmed that `/oauth-linking` processes the code and links the current blog account with the authenticated social profile. --- #### 3. Exploitation Plan The key weakness: * If we obtain our **own valid authorization code** for our social account, * and send it to `/oauth-linking` in the context of the **admin's logged-in session**, * the server will link our social profile to the admin's account. From then on, logging in with our social media credentials will give us admin access. --- #### 4. Crafting the Attack 1. Re-initiated **Attach a social profile** as `wiener:peter`. 2. Intercepted: ``` GET /oauth-linking?code=OUR-CODE ``` 3. **Copied** the full URL from Burp. 4. **Dropped** the request to ensure the code remains unused (and valid). 5. Logged out of the blog. --- #### 5. Delivering the CSRF Exploit Used the exploit server to craft an HTML payload: ```html <iframe src="https://YOUR-LAB-ID.web-security-academy.net/oauth-linking?code=OUR-CODE"></iframe> ``` * Sent this to the admin. * When admin’s browser loaded the iframe, the `/oauth-linking` request was sent with **their session cookies**. * The server processed it, linking **our social media account** to the **admin account**. ![[CleanShot 2025-08-16 at [email protected]]] --- #### 6. Taking Over the Admin Account 1. On the blog site, clicked **Log in with social media**. 2. Logged in with: ``` peter.wiener:hotdog ``` 3. Immediately logged in as **admin** (profile linking complete). 4. Accessed `/admin` panel. 5. Deleted user `carlos` to complete the objective.