Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Microsoft Azure's Business To Customer (B2C) Active Directory (AD) service allows for a customer to create a website with AD for authentication that customers can use to create accounts. Using this, a full authN/authZ scheme can be built from pre-existing and known technology. A really good thing to build!

The flow in question for authentication and authorization is the OAuth authorization flow with Proof Key for Code Exchange (PKCE). This uses the standard OAuth flow besides that it will also return a refresh token that uses JWE_RSA-OAEP. This uses an asymmetric encryption algorithm called RSA, which contains both a public and private key.

In the flow, there is a signing key and an encryption key. When using the encryption setting, the public key is used for encryption. Now, this keeps the data secret from a snooping adversary but anybody can encrypt the data. Here in lines the problem: the RSA encryption is used for the generation of the refresh token. Since the public key is public, anybody who has access to this key is able to create their own tokens!

The MSRC web portal uses this form of authentication as well. Since it's trivial to obtain the public key, they were able to craft refresh tokens for arbitrary users on the site. This means they could have viewed arbitrary bug reports, 0-days and much more.

Overall, this is a classic case of misunderstanding the use case of cryptography. Gotta love it!