crash.software
Projects
Pull Requests
Issues
Builds
AllAboutBugBounty
Code
Files
Commits
Branches
Tags
Pull Requests
Code Comments
Code Compare
Issues
Builds
Statistics
Child Projects
cra.sh
RESTful API
Projects STRLCPY AllAboutBugBounty Files
🤬
a0048665
ROOT /
OAuth Misconfiguration.md
22 lines | UTF-8 | 1 KB

OAuth Misconfiguration

Introduction

The most infamous OAuth-based vulnerability is when the configuration of the OAuth service itself enables attackers to steal authorization codes or access tokens associated with other users’ accounts. By stealing a valid code or token, the attacker may be able to access the victim's account.

How to find

  1. OAuth token stealing: Changing redirect_uri to attacker.com(Use IDN Homograph or common bypasses).
  2. Change Referral header to attacker.com while requesting OAuth.
  3. Create an account with [email protected] with normal functionality. Create account with [email protected] using OAuth functionality. Now try to login using previous credentials.
  4. OAuth Token Re-use.
  5. Missing or broken state parameter.
  6. Lack of origin check.
  7. Open Redirection on another endpoint > Use it in redirect_uri
  8. If there is an email parameter after signin then try to change the email parameter to victim's one.
  9. Try to remove email from the scope and add victim's email manually.
  10. Only company's email is allowed? > Try to replace hd=company.com to hd=gmail.com
  11. Check if its leaking client_secret parameter.
  12. Go to the browser history and check if the token is there.

References

Please wait...
Page is in error, reload to recover