Vulnerability Type: Authentication bypass via OAuth implicit flow
Vulnerable Lab: https://portswigger.net/web-security/oauth/lab-oauth-authentication-bypass-via-oauth-implicit-flow
POC (Video) : https://youtu.be/7EtoC6IJB_w (Attached)
The lab uses an OAuth service to allow users to log in with their social media account. Flawed validation by the client application makes it possible for an attacker to log in to other users' accounts without knowing their password.
How to reproduce the vulnerability:
1. With traffic proxied through Burp, access the lab and log in with the social media account wiener:peter.
2. In Burp, go to "Proxy" > "HTTP history" and send the POST /authenticate request to Burp Repeater.
3. In Repeater, change the "email" parameter to [email protected] and send the request.
4. Send the request and show the response in your browser. You are logged in as Carlos and the lab is solved.
Because the client application accepts the "email" parameter of the POST /authenticate request without validating it against the identity the OAuth provider actually authenticated, an attacker can log in to other users' accounts without knowing their password.
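The root cause in code form, as an added example that is not the lab's or PortSwigger's own code. The OAuth provider's userinfo endpoint and the client's account table are constructed stand-ins (dict lookups), and the token strings and email addresses are made up. The vulnerable handler binds the session to whatever "email" the browser posted; the hardened handler resolves the identity from the provider using the access token and rejects any client-supplied claim that disagrees with it.

```python
# Added example (not the lab's or PortSwigger's code): why a client must not trust
# the "email" field of its own POST /authenticate request, and how to fix it.

# Constructed stand-in for the OAuth provider's userinfo endpoint. In the real
# implicit flow the client calls it over HTTPS with the access token; here it is
# a dict keyed by token. All tokens and addresses below are made up.
PROVIDER_USERINFO = {
    "tok-wiener-123": {"username": "wiener", "email": "wiener@example.com"},
    "tok-carlos-456": {"username": "carlos", "email": "carlos@example.com"},
}

# Constructed client-side account table, keyed by email as the lab's client is.
CLIENT_ACCOUNTS = {
    "wiener@example.com": {"username": "wiener"},
    "carlos@example.com": {"username": "carlos"},
}


def provider_userinfo(access_token):
    """Stand-in for GET /me on the OAuth provider: profile for a valid token, else None."""
    return PROVIDER_USERINFO.get(access_token)


def authenticate_vulnerable(body):
    """Flawed pattern: the token is only checked for existence and is never tied to
    the email; the session is created for whatever email the browser sent."""
    if provider_userinfo(body.get("token")) is None:
        return None
    account = CLIENT_ACCOUNTS.get(body.get("email"))
    return account["username"] if account else None


def authenticate_fixed(body):
    """Hardened pattern: the identity comes from the provider's answer for the token.
    A client-supplied email that disagrees with it is refused (and worth logging,
    since a mismatch here is a tampered request, not a user mistake)."""
    profile = provider_userinfo(body.get("token"))
    if profile is None:
        return None
    claimed = body.get("email")
    if claimed is not None and claimed != profile["email"]:
        return None
    account = CLIENT_ACCOUNTS.get(profile["email"])
    return account["username"] if account else None


# Constructed request mirroring the lab step: wiener's real token, carlos's email.
TAMPERED = {"username": "wiener", "email": "carlos@example.com", "token": "tok-wiener-123"}

if __name__ == "__main__":
    print(authenticate_vulnerable(TAMPERED))  # carlos: account takeover
    print(authenticate_fixed(TAMPERED))       # None: request rejected
```

The fix is not "validate the email format"; it is to stop treating the email as an input at all and derive it server-side from the token. Dropping the client-supplied field entirely is equally valid, but comparing and refusing on mismatch gives the defender a clean detection signal for this tampering.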