What is OAuth?

OAuth (Open Authorization) is an open standard protocol that allows users to grant websites or applications access to their information on other websites without sharing passwords.


How Does OAuth Work?

  1. Authorization Request: A user wants to grant a third-party application access to data on another service.
  2. Authorization Grant: The user is redirected to the service to log in and grant permission.
  3. Access Token: Once permission is granted, the service issues an access token to the third-party application.
  4. Accessing Resources: The third-party application uses this token to access the user's data without needing the user's password.

OAuth Checklist:

1. If the application uses the OAuth implicit flow, test it:

2. Try stealing OAuth access tokens via an open redirect

Steps:

  1. Identify an Open Redirect Vulnerability

    Look for an open redirect, especially in the redirect_uri parameter within the /auth endpoint.

  2. Check the redirect_uri Parameter

    If the redirect_uri parameter rejects arbitrary redirect targets by default, attempt a path traversal sequence to bypass the protection.

  3. Set Up a Malicious Redirect

    Host a server and write a malicious script that exploits the vulnerability to steal OAuth tokens. For example:
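The script referred to above is not on this page; added here instead (example code, not from the original checklist) is the defender-side check that closes this path: an exact-match redirect_uri validator in Python that rejects the path-traversal and open-redirect forms the steps describe. The client id and registered URI are constructed sample values.

```python
from typing import Optional
from urllib.parse import urlsplit, unquote

# Registered redirect URIs per client (constructed sample data, not a real app).
REGISTERED_REDIRECT_URIS = {
    "client-123": {"https://app.example.com/callback"},
}


def _normalize(uri: str) -> Optional[str]:
    """Return a canonical absolute URI, or None if it is unsafe to compare."""
    parts = urlsplit(uri)
    # Only absolute https URIs with a host are acceptable redirect targets.
    if parts.scheme != "https" or not parts.netloc:
        return None
    # Reject userinfo tricks (https://good.host@evil.host/) and fragments.
    if "@" in parts.netloc or parts.fragment:
        return None
    # Decode once so %2e%2e is seen as "..", then reject any dot-segment or backslash.
    path = unquote(parts.path)
    if any(seg in ("..", ".") for seg in path.split("/")) or "\\" in path:
        return None
    # Host names are case-insensitive; paths are not.
    return f"{parts.scheme}://{parts.netloc.lower()}{parts.path}"


def is_valid_redirect_uri(client_id: str, redirect_uri: str) -> bool:
    """Exact-match check against the client's registered redirect URIs.

    Comparing the whole canonical URI (not a prefix) means traversal such as
    /callback/../anything, encoded dots, look-alike hosts and extra query
    parameters all fail, which is what stops the token-theft chain above.
    """
    canonical = _normalize(redirect_uri)
    if canonical is None:
        return False
    # A query string the registration does not carry is never accepted.
    if urlsplit(redirect_uri).query:
        return False
    return canonical in REGISTERED_REDIRECT_URIS.get(client_id, set())
```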