Hi,
I will not write a detailed step-by-step instruction manual to solve the task.
However, the general steps you should take are the following:
- Start the authentication on the attacker side (do not login, we only need to do this step to retrieve a valid state and nonce combination)
- Copy the URL and change the "redirect_uri" to an attacker controlled server
- Send the URL to the victim
- Once victim authenticates, they are redirected to the "redirect_uri", which is controlled by the attacker: The attacker now has a valid code for the victim (can be retrieved from the webserver log)
- The attacker can now user the original "redirect_uri" and append the code (and state+nonce) to it as query parameters
- Attacker is now logged in as victim (by stealing the code)
If there is any specific question about the workflow, feel free to ask.
I recommend that you try the workflow and play around until you get it right.
It is really not that complicated in the end.
-----
As to the difference between Code Flow (2) and (3):
Both require a matching state + nonce combination.
However, in flow (3), it is much easier to accomplish.
In general, only the order of the requests is different.
The general problem is, that the attacker needs a valid state + nonce combination on the original client's end.
If the original client does not validate the state + nonce, this attack would work as is, with basically any nonce + state combination.
However, flow (3) generally works (if the state + nonce is not bound to user session) since the attacker first starts the authentication request on the original client's end and can then use the their state + nonce combination that they get for the victim's request to the attackers website.
Therefore the validation on the original client's end of the state + nonce will not fail, as the original client generated (and stored) them.
I hope that clears it up.
Otherwise, feel free to ask more questions.
Cheers
Sebastian