Adding TRR for Authorization Code Phishing#21
Conversation
Sorry for the delay. I approved the workflow and it looks like there are some linter changes that need to be addressed. Looks mostly like line-wrapping and a few inline URLs.
vanvleeta left a comment:
Excellent first draft! Thank you for the submission!
Reviewed lines:

> ### OAuth
>
> OAuth is a foundational protocol used by modern identity platforms to enable **secure authorization between users and applications**. It allows a user to grant an application limited access to resources without sharing credentials directly with the application.
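Review bot: the opening sentence of the OAuth section should pin down the version and the grant the report is about. "OAuth" on its own covers both OAuth 1.0 and OAuth 2.0; since the technique abuses the authorization code flow, say "OAuth 2.0 (RFC 6749)" and name the authorization code grant here, and describe the access as delegated authorization of an application to act on the user's behalf rather than "authorization between users and applications", which reads as if the protocol authorizes users.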
Is this related to Microsoft's "Malicious Application Consent" (AZT203 - https://microsoft.github.io/Azure-Threat-Research-Matrix/InitialAccess/AZT203/AZT203/)? Seems similar, but not sure if there is a distinction between them that I'm missing? Perhaps the use of first-party applications (rather than registering a new malicious one) is the distinction?
Sort of! It’s similar in that it abuses the OAuth authorization flow. However, the “Malicious Application Consent” technique (illicit consent grant) relies on the user approving a malicious application and granting it permissions.
This technique does not depend on that approval step. Instead, it abuses the OAuth authorization flow directly, often leveraging first-party applications, to capture authorization tokens after authentication.
Super helpful clarification! Would you mind including a summary of that in the scope statement?
dumpst3rfir3 left a comment:
I agree with other comments, great work! I'm not sure I had much to add to what's already been said, but I left a couple of comments in there.
I think I fixed all of the issues with this new commit. If there are more issues please let me know and I will be happy to fix! Thanks again for the review!
Co-authored-by: vanvleeta <vanvleet@gmail.com>
Hello,
This pull request adds a Technique Research Report (TRR) covering OAuth Authorization Code Phishing, including documentation of the ConsentFix procedure within Microsoft Entra ID environments. The report outlines the mechanics of the authorization code flow and describes how attackers can abuse redirect behavior to obtain authorization codes and redeem them for access tokens.
This is my first contribution to the repository, so please let me know if there are any formatting issues or changes that would improve the submission. I appreciate any feedback from the maintainers.
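As an added example (not part of this pull request or of the TRR it adds), the following Python models the two server-side checks that decide whether a phished authorization code is worth anything to whoever captured it: exact matching of `redirect_uri` against the client's registered values at the authorization endpoint, and binding each code to its client and `redirect_uri` with single-use redemption at the token endpoint. The client registry, the sample `/authorize` URLs and the issued codes are constructed for illustration and do not correspond to any real identity platform.

```python
"""Defender-side checks for the OAuth 2.0 authorization code flow.

Added example, not code from the pull request or the TRR. The client
registry, the sample /authorize URLs and the issued codes are constructed.
"""
from typing import Dict, List
from urllib.parse import parse_qs, urlparse

# Constructed registry: client_id -> the exact redirect URIs registered for it.
REGISTERED_REDIRECTS: Dict[str, set] = {
    "client-web-app": {"https://app.example.com/callback"},
}


def parse_authorize_request(url: str) -> Dict[str, str]:
    """Return the single-valued query parameters of an /authorize URL."""
    query = parse_qs(urlparse(url).query, keep_blank_values=True)
    return {name: values[0] for name, values in query.items()}


def find_authorize_findings(url: str) -> List[str]:
    """Flag an authorization code request whose redirect target is not an
    exact registered value for the requesting client, or that omits state.

    The comparison is an exact string match on purpose: prefix, host-only
    or case-insensitive matching is what lets a code be delivered to a
    redirect target the application owner never registered.
    """
    params = parse_authorize_request(url)
    findings: List[str] = []
    if params.get("response_type") != "code":
        return findings  # only the authorization code grant is modelled
    client_id = params.get("client_id")
    if client_id not in REGISTERED_REDIRECTS:
        return [f"unknown client_id {client_id!r}"]
    redirect_uri = params.get("redirect_uri")
    if redirect_uri is None:
        findings.append("missing redirect_uri")
    elif redirect_uri not in REGISTERED_REDIRECTS[client_id]:
        findings.append(
            f"redirect_uri {redirect_uri!r} not registered for {client_id!r}"
        )
    if not params.get("state"):
        findings.append("missing state parameter")
    return findings


class CodeStore:
    """Authorization codes bound to the client and redirect_uri they were
    issued for, and consumed on first redemption."""

    def __init__(self) -> None:
        self._codes: Dict[str, Dict[str, object]] = {}

    def issue(self, code: str, client_id: str, redirect_uri: str) -> None:
        self._codes[code] = {
            "client_id": client_id,
            "redirect_uri": redirect_uri,
            "used": False,
        }

    def redeem(self, code: str, client_id: str, redirect_uri: str) -> bool:
        """True only when the code exists, has not been used, and the token
        request presents the same client_id and redirect_uri as the
        authorization request it came from."""
        entry = self._codes.get(code)
        if entry is None or entry["used"]:
            return False
        if entry["client_id"] != client_id or entry["redirect_uri"] != redirect_uri:
            return False
        entry["used"] = True
        return True


# Constructed sample requests: a clean one, one pointing at an unregistered
# sub-path of the registered URI, and one with no state parameter.
SAMPLE_REQUESTS = [
    "https://login.example.com/authorize?client_id=client-web-app"
    "&response_type=code&redirect_uri=https%3A%2F%2Fapp.example.com%2Fcallback"
    "&state=abc123&scope=openid",
    "https://login.example.com/authorize?client_id=client-web-app"
    "&response_type=code&redirect_uri=https%3A%2F%2Fapp.example.com%2Fcallback%2Fextra"
    "&state=abc123&scope=openid",
    "https://login.example.com/authorize?client_id=client-web-app"
    "&response_type=code&redirect_uri=https%3A%2F%2Fapp.example.com%2Fcallback",
]


def scan(urls: List[str]) -> Dict[str, List[str]]:
    """Map each URL to its findings so a log review can print only the hits."""
    return {url: find_authorize_findings(url) for url in urls}


if __name__ == "__main__":
    for url, findings in scan(SAMPLE_REQUESTS).items():
        print("OK " if not findings else "HIT", url, findings)
```

The redirect check is the one that matters for the abuse the TRR describes: if the authorization server only compares a prefix or the host, a code can be sent to a redirect target the application owner never registered, and the single-use binding in `CodeStore.redeem` is what stops a captured code from being redeemed a second time or from a different client.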