OAuth Misconfiguration

See how I found an OAuth misconfiguration escalated to pre authentication account takeover without Burpsuite or any other tool.


Last updated 3 years ago


Modern web and Android apps use OAuth for easy authentication. I won't go into what it is and how it works because I have already shared the related learning resources in my LinkedIn post.

I have found various typical cases, such as "missing state parameter", "improper redirect_uri validation" and others, that one can learn about from PortSwigger's Web Security Academy, so I won't discuss those here.

Rather, I will show how I found a logical flaw in the web app's OAuth implementation which is not described in PortSwigger's article.

One of the public programs on Bugcrowd was using Google OAuth. I tested the basic test cases, but the functionality was quite well implemented.

However, I noticed that immediate email verification was not required to create an account.

I am putting the screenshots from the report here so that I don't have to explain the impact again 🤪.

I did some more research about this and found this amazing blog by @harshbothra_:

Harsh Bothra (@harshbothra_), Attacking Social Logins: Pre-Authentication Account Takeover: https://hbothra22.medium.com/attacking-social-logins-pre-authentication-account-takeover-790248cfdc3

PortSwigger Web Security Academy, OAuth authentication: https://portswigger.net/web-security/oauth
[Report screenshots: Description, Impact]
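To make the root cause concrete, here is an added simulation of the account-linking logic behind this class of pre-authentication account takeover. It is not code from this write-up or from the affected program, and it generalises the finding into the pattern the linked blog describes: signup creates a usable account without email verification, and a later Google login is matched to an existing account purely by email address. All names (`AccountStore`, `google_login_vulnerable`, `google_login_hardened`, `run_scenario`) and the sample identities are constructed for the example.

```python
# Added example, not code from the write-up or the target program. It models the
# generic social-login account-linking logic behind a pre-authentication account
# takeover: signup creates a usable account without email verification, and a
# later Google login is matched to that account purely by email address.
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Constructed sample identities for the simulation.
VICTIM_EMAIL = "victim@example.com"
VICTIM_GOOGLE_SUB = "google-sub-1234567890"          # hypothetical IdP subject id
ATTACKER_PW_HASH = "argon2$attacker-chosen-password"  # placeholder hash string


class LinkRefused(Exception):
    """Raised by the hardened flow when linking would merge an unverified account."""


@dataclass
class Account:
    email: str
    password_hash: Optional[str] = None
    email_verified: bool = False
    google_sub: Optional[str] = None  # set once a Google identity is linked


class AccountStore:
    def __init__(self) -> None:
        self.by_email: Dict[str, Account] = {}

    def signup_with_password(self, email: str, password_hash: str) -> Account:
        # The trait observed in the write-up: the account exists and is usable
        # immediately; nobody has proven they control the mailbox.
        acct = Account(email=email, password_hash=password_hash, email_verified=False)
        self.by_email[email.lower()] = acct
        return acct

    def create_from_google(self, google_sub: str, email: str) -> Account:
        # The IdP has verified the address, so a fresh account is safe to create.
        acct = Account(email=email, email_verified=True, google_sub=google_sub)
        self.by_email[email.lower()] = acct
        return acct


def google_login_vulnerable(store: AccountStore, google_sub: str, email: str) -> Account:
    """Links the Google identity to whatever account already carries this email."""
    acct = store.by_email.get(email.lower())
    if acct is None:
        return store.create_from_google(google_sub, email)
    # Email match is treated as proof of ownership; the pre-set password stays valid.
    acct.google_sub = google_sub
    acct.email_verified = True
    return acct


def google_login_hardened(store: AccountStore, google_sub: str, email: str) -> Account:
    """Refuses to merge into an account whose email was never verified."""
    acct = store.by_email.get(email.lower())
    if acct is None:
        return store.create_from_google(google_sub, email)
    if acct.google_sub == google_sub:
        return acct  # returning user, already linked
    if not acct.email_verified:
        # The existing record was never confirmed by its mailbox owner; do not
        # silently attach the IdP identity (and inherit its password) to it.
        raise LinkRefused("unverified account already holds this email; verify it first")
    acct.google_sub = google_sub  # both sides have proven mailbox ownership
    return acct


def run_scenario(google_login: Callable[[AccountStore, str, str], Account]) -> str:
    """Plays the pre-auth takeover sequence and reports the outcome."""
    store = AccountStore()
    # 1. An account is registered with the victim's address; the verification
    #    mail (if any) is never acted on.
    store.signup_with_password(VICTIM_EMAIL, ATTACKER_PW_HASH)
    # 2. The victim later signs in with Google, which asserts the same address.
    try:
        acct = google_login(store, VICTIM_GOOGLE_SUB, VICTIM_EMAIL)
    except LinkRefused:
        return "refused"
    # Takeover condition: the victim now uses an account that still accepts
    # the attacker-chosen password.
    if acct.google_sub == VICTIM_GOOGLE_SUB and acct.password_hash == ATTACKER_PW_HASH:
        return "takeover"
    return "safe"


if __name__ == "__main__":
    print("vulnerable:", run_scenario(google_login_vulnerable))  # takeover
    print("hardened:  ", run_scenario(google_login_hardened))    # refused
```

The fix is in the linking decision, not in OAuth itself: an email claim from the identity provider proves the user controls that mailbox now, but it says nothing about who created a pre-existing local account. Either require verification before a password-registered account becomes usable, or refuse to merge an IdP identity into an unverified record, and the pre-set password can no longer ride along into the victim's session.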