[This lab](https://portswigger.net/web-security/oauth/lab-oauth-forced-oauth-profile-linking) demonstrates how **missing CSRF protection** in an OAuth linking endpoint can let an attacker force another user (in this case, the admin) to attach *their own* social media account to the victim’s account.
Once linked, the attacker can log in via OAuth and gain full access to the victim’s account.
---
#### 1. Understanding the Scenario
* **Functionality**: Users can attach a social media profile to their blog account.
* **OAuth flow flaw**: No `state` parameter is used in the linking flow — leaving it open to CSRF.
* **Goal**: Force the admin to link *our* social media profile, then log in as admin and delete Carlos.
---
#### 2. Reconnaissance
1. Logged in to the blog site as `wiener:peter`.
2. Chose **Attach a social profile**.
3. Completed the OAuth login using social media creds:
```
peter.wiener:hotdog
```
4. Observed the OAuth linking process in **Burp Proxy**:
* Redirect to OAuth provider.
* OAuth provider redirects back with an **authorization code**:
```
GET /oauth-linking?code=XYZ
```
* No `state` parameter present.
5. Confirmed that `/oauth-linking` processes the code and links the current blog account with the authenticated social profile.
---
#### 3. Exploitation Plan
The key weakness:
* If we obtain our **own valid authorization code** for our social account,
* and send it to `/oauth-linking` in the context of the **admin's logged-in session**,
* the server will link our social profile to the admin's account.
From then on, logging in with our social media credentials will give us admin access.
---
#### 4. Crafting the Attack
1. Re-initiated **Attach a social profile** as `wiener:peter`.
2. Intercepted:
```
GET /oauth-linking?code=OUR-CODE
```
3. **Copied** the full URL from Burp.
4. **Dropped** the request to ensure the code remains unused (and valid).
5. Logged out of the blog.
---
#### 5. Delivering the CSRF Exploit
Used the exploit server to craft an HTML payload:
```html
<iframe src="https://YOUR-LAB-ID.web-security-academy.net/oauth-linking?code=OUR-CODE"></iframe>
```
* Sent this to the admin.
* When admin’s browser loaded the iframe, the `/oauth-linking` request was sent with **their session cookies**.
* The server processed it, linking **our social media account** to the **admin account**.
![[CleanShot 2025-08-16 at
[email protected]]]
---
#### 6. Taking Over the Admin Account
1. On the blog site, clicked **Log in with social media**.
2. Logged in with:
```
peter.wiener:hotdog
```
3. Immediately logged in as **admin** (profile linking complete).
4. Accessed `/admin` panel.
5. Deleted user `carlos` to complete the objective.