- While proxying traffic through Burp, click "My account" and complete the OAuth login process. Afterwards, you will be redirected back to the blog website.
-
In Burp, go to "Proxy" > "HTTP history" and study the requests and responses that make up the OAuth flow. This starts from the authorization request
GET /auth?client_id=[...]. -
Notice that the client application (the blog website) receives some basic information about the user from the OAuth service. It then logs the user in by sending a
POSTrequest containing this information to its own/authenticateendpoint, along with the access token. -
Send the
POST /authenticaterequest to Burp Repeater. In Repeater, change the email address tocarlos@carlos-montoya.netand send the request. Observe that you do not encounter an error. -
Right-click on the
POSTrequest and select "Request in browser" > "In original session". Copy this URL and visit it in the browser. You are logged in as Carlos and the lab is solved.
Lab: Authentication bypass via OAuth implicit flow
This lab uses an OAuth service to allow users to log in with their social media account. Flawed validation by the client application makes it possible for an attacker to log in to other users' accounts without knowing their password.
To solve the lab, log in to Carlos's account. His email address is carlos@carlos-montoya.net.
You can log in with your own social media account using the following credentials: wiener:peter.
Register for free to track your learning progress
-
Practise exploiting vulnerabilities on realistic targets.
-
Record your progression from Apprentice to Expert.
-
See where you rank in our Hall of Fame.
Already got an account? Login here
