42 changes: 42 additions & 0 deletions src/pentesting-web/oauth-to-account-takeover.md
@@ -298,6 +298,46 @@ This [**blogpost**](https://blog.voorivex.team/oauth-non-happy-path-to-ato) comm
3. In the opener, after the provider authorizes the victim, it sends them back to the value of the `redirect_uri` parameter (victim web) with 30X code which still keeps the attackers website in the referer.
4. The victim **website trigger the open redirect based on the referrer** redirecting the victim user to the attackers website, as the **`respose_type`** was **`id_token,code`**, the code will be sent back to the attacker in the **fragment** of the URL allowing him to tacke over the account of the user via Google in the victims site.

### Open Dynamic Client Registration + PKCE-enabled malicious client flows

If the authorization server exposes `/.well-known/oauth-authorization-server` or `/.well-known/openid-configuration`, inspect it for a **`registration_endpoint`**, supported grant types, and `token_endpoint_auth_methods_supported`. A combination such as **dynamic client registration + `authorization_code` + `none` client auth + PKCE** means the platform may allow attacker-created **public clients**.

Quick recon:

```bash
curl -s https://target/.well-known/oauth-authorization-server
```

Interesting signals in the metadata:

- `registration_endpoint` is reachable from the internet.
- `token_endpoint_auth_methods_supported` contains `none`.
- `code_challenge_methods_supported` contains `S256`.

If `POST /register` is unauthenticated, try registering an attacker-controlled callback:

```json
{"redirect_uris":["https://attacker.com/callback"]}
```

This is **more dangerous than a normal open `redirect_uri` bug** because the attacker becomes a **legitimate client** from the IdP perspective. After that, the workflow is:

1. Register the malicious client and keep the returned `client_id` (and `client_secret` if any).
2. Generate your own PKCE `code_verifier` / `code_challenge` pair.
3. Send the victim to a normal OAuth authorize URL using your `client_id` and `redirect_uri`.
4. If the victim approves the consent screen, the authorization server sends **their** code to **your** callback.
5. Exchange the code with your known verifier and obtain victim tokens.

PKCE does **not** stop this pattern when the attacker controls the entire OAuth client lifecycle. PKCE protects against **code interception by a third party**; it does not protect against a **malicious registered client** that generated the `code_challenge` itself.

Extra checks during testing:

- The registration endpoint should require authentication, approval, or ownership validation for `redirect_uris`.
- `redirect_uris` should be matched exactly and not accept arbitrary attacker domains.
- If the metadata advertises public-client token auth (`none`), verify whether this is only allowed for trusted clients and whether token redemption still enforces the correct `client_id`, `redirect_uri`, and PKCE verifier.
- If the authorization API returns authorization data or a redirect target **before** a user session is established, treat that as a broken authorization/authentication boundary and chain it with the malicious-client flow above.
- Wildcard CORS on OAuth endpoints is not usually the root cause of the account takeover, but it can expand browser-based abuse and should be reported as an impact amplifier.

### SSRFs parameters <a href="#bda5" id="bda5"></a>

[**Check this research**](https://portswigger.net/research/hidden-oauth-attack-vectors) **For further details of this technique.**
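Review bot: the registration example in this hunk does not match the scenario the section describes. The prose says the dangerous combination is "dynamic client registration + `authorization_code` + `none` client auth + PKCE", yet the suggested body `{"redirect_uris":["https://attacker.com/callback"]}` sets only `redirect_uris`, and `POST /register` hardcodes a path the metadata is supposed to supply. Suggest taking the path from the `registration_endpoint` value returned by the recon step, and including `token_endpoint_auth_method` and `grant_types` in the body so the registered client is actually the public, PKCE-only client that steps 1 to 5 rely on; otherwise the server may register a confidential client and step 5 will not reproduce the described flow. The recon snippet also queries only `/.well-known/oauth-authorization-server` while the paragraph above it names `/.well-known/openid-configuration` as well; show both, since many IdPs publish only the OpenID one. Finally, the "Extra checks" list is the defensive half of this section and would read better with the expected hardening stated up front for each bullet (authenticated or approved registration, exact `redirect_uri` matching, `none` only for allow-listed clients, token redemption bound to `client_id`, `redirect_uri` and the PKCE verifier), so a reader fixing the issue gets the same checklist as a reader testing for it.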
@@ -387,5 +427,7 @@ In mobile OAuth implementations, apps use **custom URI schemes** to receive redi
- [Leaking fbevents: OAuth code exfiltration via postMessage trust leading to Instagram ATO](https://ysamm.com/uncategorized/2026/01/16/leaking-fbevents-ato.html)
- [Rapid7: CVE-2026-31381, CVE-2026-31382: Gainsight Assist Information Disclosure and Cross-Site Scripting (FIXED)](https://www.rapid7.com/blog/post/ve-cve-2026-31381-cve-2026-31382-gainsight-assist-information-disclosure-xss-fixed)
- [MDN: Window `pagereveal` event](https://developer.mozilla.org/en-US/docs/Web/API/Window/pagereveal_event)
- [How I Found a Critical OAuth Misconfiguration That Led to Account Takeover](https://medium.com/@iamshafayat/how-i-found-a-critical-oauth-misconfiguration-that-led-to-account-takeover-abfec43eaea6)


{{#include ../banners/hacktricks-training.md}}
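Review bot: the new dynamic-client-registration section added earlier in this PR cites no source, while this hunk adds three references that do not appear to be what it draws on (fbevents/postMessage, the Gainsight advisory, and the MDN `pagereveal` page all belong to other material). Please add the references the new section actually relies on, at minimum the OAuth Dynamic Client Registration and PKCE specifications (RFC 7591 and RFC 7636), so the claims about `registration_endpoint`, `token_endpoint_auth_methods_supported` and the `code_challenge` ownership argument are traceable. Also double-check the Rapid7 URL: the path segment `post/ve-cve-2026-31381-...` looks truncated (a stray `ve-` before `cve`) and should be confirmed to resolve before merging, and the medium.com write-up would benefit from a one-line note on which subsection of this file it supports.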