OAuth Misconfiguration
See how I found an OAuth misconfiguration and escalated it to a pre-authentication account takeover without Burp Suite or any other tool.
Modern web and Android apps use OAuth for easy authentication. I won't go into what it is and how it works because I have already shared the related learning resources in my LinkedIn post: Click here !
I have found various typical cases such as "missing state parameter", "improper redirect_uri validation" and others that one can learn about from PortSwigger's Web Security Academy https://portswigger.net/web-security/oauth, so I won't discuss those here.
Rather, I will show how I found a logical flaw in the web app's OAuth implementation that is not described in PortSwigger's article.
One of the public programs on Bugcrowd was using Google OAuth. I tested the basic test cases, but the functionality was quite well implemented.
However, I noticed that immediate email verification was not required to create an account.
I am putting the screenshots from the report so that I don't have to explain the impact here again 🤪.


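The account-linking logic behind this class of bug, as an added example that is not code from the program or from this writeup (the AccountStore class, the claims dict and all names are assumptions): with require_verified_local=False it reproduces the flaw, where a Google login gets attached to a password account that anyone could have registered under the same address without confirming it; with the default it refuses that link.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

@dataclass
class Account:
    email: str
    email_verified: bool                 # True only after the confirmation link was used
    password_hash: Optional[str] = None  # set for password sign-ups
    oauth_subjects: Set[str] = field(default_factory=set)  # linked IdP "sub" ids

class AccountStore:
    def __init__(self) -> None:
        self.by_email: Dict[str, Account] = {}

    def signup_with_password(self, email: str, password_hash: str) -> Account:
        # Matches the flaw on the page: the account exists and is usable before
        # the address is confirmed, so anyone can register someone else's email.
        acct = Account(email.lower(), email_verified=False, password_hash=password_hash)
        self.by_email[acct.email] = acct
        return acct

    def login_with_google(self, claims: dict, require_verified_local: bool = True) -> Tuple[Account, str]:
        """`claims` stands in for the already-validated ID-token claims (constructed input)."""
        email, sub = claims["email"].lower(), claims["sub"]
        if not claims.get("email_verified", False):
            raise PermissionError("IdP did not assert this email as verified")
        acct = self.by_email.get(email)
        if acct is None:
            acct = Account(email, email_verified=True, oauth_subjects={sub})
            self.by_email[email] = acct
            return acct, "created"
        if sub in acct.oauth_subjects:
            return acct, "existing"
        # Hardened rule: never attach an IdP identity to a local account whose
        # address was never confirmed; that account may belong to someone else.
        if require_verified_local and not acct.email_verified:
            raise PermissionError("local account unverified; refusing to link")
        acct.oauth_subjects.add(sub)  # vulnerable path when the flag is False
        return acct, "linked"
```

The "linked" result in the vulnerable mode is the takeover: the password set at registration still works on the account the real user now signs into through Google.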
I did some more research about this and found this amazing blog by @harshbothra_: https://hbothra22.medium.com/attacking-social-logins-pre-authentication-account-takeover-790248cfdc3