7.5 KiB
name, description
| name | description |
|---|---|
| auth0 | Auth0 tenant security testing covering misconfigured rules/actions, scope escalation, MFA bypass, and cross-application token confusion |
Auth0
Auth0 misconfigurations enable account takeover, cross-tenant data access, and privilege escalation through Rules/Actions, loose application settings, weak API authorization, and token acceptance bugs in consuming applications. Test both the Auth0 tenant configuration and how downstream APIs validate Auth0-issued tokens.
Attack Surface
Auth0 Components
- Applications: SPA, Regular Web, Native, Machine-to-Machine (M2M)
- APIs (Resource Servers): identifiers, scopes, RBAC, permissions
- Connections: database, social, enterprise (SAML/OIDC)
- Rules (legacy) and Actions (post-login, pre-user-registration, credentials exchange)
- Organizations (multi-tenant B2B), roles, permissions
- Universal Login, custom domains, custom database scripts
Token Types
- ID Token (OIDC), Access Token (JWT or opaque), Refresh Token
- Management API tokens, client credentials tokens (M2M)
- PAR, PKCE flows for public clients
Management
- Auth0 Management API (
/api/v2/) - Tenant settings, attack protection, MFA policies, anomaly detection
- Logs streaming, hooks, custom prompts
Reconnaissance
Tenant Discovery
# From app config, JS bundles, mobile apps
domain: tenant.us.auth0.com / tenant.eu.auth0.com / login.customdomain.com
client_id, audience, scope values in authorize URLs
OIDC Discovery
GET https://TENANT.auth0.com/.well-known/openid-configuration
GET https://TENANT.auth0.com/.well-known/jwks.json
Authenticated Userinfo (requires bearer access token — unauthenticated requests return 401)
GET https://TENANT.auth0.com/userinfo
Authorization: Bearer <access_token>
Application Fingerprint
- Login redirect to
https://TENANT.auth0.com/authorize?client_id=... auth0-js,@auth0/auth0-spa-js,auth0-reactin frontend bundles- API
audienceparameter in token requests
Management API Exposure
- Leaked M2M credentials with
read:users,update:users,create:usersscopes - Management API called from browser (CORS misconfiguration)
Key Vulnerabilities
Application Configuration
Callback URL / Origin Misconfigurations
- Wildcard or overly broad Allowed Callback URLs:
https://app.com/*,http://localhost:* - Allowed Logout URLs, Web Origins, CORS origins too permissive
- Native app custom scheme hijacking (
com.app://callback)
Token Settings
- ID Token used as API access token (audience/scope confusion)
- Refresh token rotation disabled; overly long TTL
- Signing algorithm downgrade if RS256 not enforced downstream
API Authorization (Resource Server)
Missing Scope/RBAC Enforcement
- API accepts any valid access token without required
scopeorpermissionsclaim - RBAC enabled in Auth0 but API doesn't call
/userinfoor validatepermissionsarray - Wrong
audienceaccepted — token for App A works on App B's API
Test:
# Token for audience A used against API B
Authorization: Bearer <token_with_audience_A>
Rules and Actions Abuse
Post-Login Rule/Action Injection
- Rules that add claims based on unvalidated user metadata:
user.app_metadata.role = 'admin' // if user can set app_metadata via signup/API context.authorizationmanipulation in Actions- Secrets in Rule code exposed to tenant admins or via Management API leak
Signup / Registration Actions
pre-user-registrationnot blocking disposable emails or role self-assignment- Social connection account linking without verified email → account takeover
Organizations (B2B Multi-Tenancy)
- Missing
org_idvalidation in API — user from Org A accesses Org B data - Invitation flows accepting attacker email domains
- Organization membership not re-checked after role change
MFA Bypass
- MFA not enforced on Management API or high-risk applications
- Remember-browser cookie bypasses step-up for sensitive actions
- MFA challenge only on Universal Login but API accepts password-grant tokens without MFA
- Recovery codes/brute-force on enrollment endpoints
Account Takeover Vectors
- Password reset link not invalidated after use; predictable reset tokens
- Email verification not required before sensitive actions
- Change password without re-auth or MFA
- Linking attacker's social IdP to victim account (same email, unverified)
Management API
- M2M app with excessive scopes:
delete:users,update:users_app_metadata - Management API token in frontend JavaScript or mobile app
- Rate limiting absent on
/api/v2/usersenumeration
Custom Database Scripts
- Custom login script with SQL injection in username lookup
get_userscript returning excessive profile fields- Scripts with hardcoded credentials or weak hashing
Advanced Techniques
Cross-Application Token Confusion
- Same
client_secretreused across environments (dev/prod) - Multiple APIs sharing signing keys without
audvalidation
Resource Owner Password Grant (if enabled)
- Legacy grant enabled — direct username/password to token endpoint, bypassing Universal Login MFA
Impersonation / Delegation
act_asor delegation features misconfigured (legacy features in older tenants)
Testing Methodology
- Extract tenant config — Domain, client_id, audience, scopes from app
- Callback/origin matrix — Fuzz Allowed Callback URLs and Web Origins
- Token validation — Swap audiences, strip scopes, expired tokens, wrong signing keys
- Org boundary — Two org users accessing each other's org-scoped resources
- MFA policy — Sensitive actions without step-up; API paths bypassing MFA
- Management API — Hunt for leaked M2M creds; test scope boundaries
- Rules/Actions — Trace claim injection from
user_metadata/app_metadata
Validation
- Demonstrate account takeover or cross-org access with token/callback/metadata abuse
- Show API accepting token without required scope/permission/audience
- MFA bypass PoC on protected application flow
- Document Auth0 setting (Rule, Application config, API RBAC) root cause
- Provide authorize → callback → API request chain with evidence
False Positives
- Callback URL validation rejects all fuzz attempts consistently
- API validates
aud,iss,scope/permissionson every request - MFA enforced via Auth0 Action on every login for sensitive apps
app_metadatawritable only by admin via Management API, not user signup- Organizations feature correctly binds
org_idin token and API enforces it
Impact
- Full account takeover across Auth0-connected applications
- Cross-tenant data breach in B2B org deployments
- Privilege escalation via metadata/claim injection in Rules
- Mass user enumeration/modification via Management API abuse
Pro Tips
- Always capture full authorize URL —
audienceandscopereveal API targets - Decode access token JWT — check
permissions,scope,org_id,https://.../rolesclaims - Test dev/stage tenants separately — often weaker callback rules
- Pair with
oauthandauthentication_jwtskills for flow/token layer testing - Management API M2M creds in CI logs are high-value — search GitHub, buckets, artifacts
Summary
Auth0 security spans tenant configuration (callbacks, MFA, Rules) and downstream API token validation (aud, scope, permissions, org_id). A perfectly configured Universal Login fails if the API accepts tokens without enforcing Auth0's authorization model.