Burp Suite User Forum

Bug in "Authentication bypass via OAuth implicit flow" lab

KingCrab | Last updated: May 21, 2022 11:41AM UTC

The lab returns a 500 error when replaying the request to the /authenticate endpoint with Carlos's email. According to the solution there should not be an error and I must get the authentication cookie.

Ben, PortSwigger Agent | Last updated: May 23, 2022 12:32PM UTC

Hi, Are you able to provide us with some specific details of the POST /authenticate request that you are issuing so that we can see exactly what you are sending? I have just run through this lab and been able to solve it successfully using the solution provided so it does appear to be working as expected.

KingCrab | Last updated: May 23, 2022 09:53PM UTC

POST /authenticate HTTP/1.1
Host: ac591f4f1e9721e4c0482a7200a800b4.web-security-academy.net
Cookie: session=VKVzGNXgnKeK28VgF1qXMxTvKyn9zeSf
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://ac591f4f1e9721e4c0482a7200a800b4.web-security-academy.net/oauth-callback
Content-Type: application/json
Origin: https://ac591f4f1e9721e4c0482a7200a800b4.web-security-academy.net
Content-Length: 103
Te: trailers
Connection: close

{"email":"carlos@carlos-montoya.net","username":"wiener","token":"-dFTJaV4pUAlS6kjEGjDdnqX7bdeWoNYwLkzgJJKaAT"}

KingCrab | Last updated: May 23, 2022 09:59PM UTC

My POST request is the same as the request from Burp Proxy. I solved the lab using Interceptor and NEVER finished the Wiener authorization before it. I get the 500 error only in cases when I try to replay requests instead of changing live requests in Interceptor.

Ben, PortSwigger Agent | Last updated: May 24, 2022 08:25AM UTC

Hi, Thank you for that. To confirm, you are simply sending this POST request from the proxy history to Repeater and are then only altering the email parameter in the JSON body (you are not touching the token value)? Out of interest, do you have any extensions installed?

KingCrab | Last updated: May 28, 2022 12:17PM UTC

Yep, I simply send the request without any changes except the email. I have only Param Miner and Padding Oracle Hunter installed. P.S. I rechecked the lab and found that my request did not update the Content-Length value. It looks like the problem may be related to this.
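
Added example, not part of any post in this thread: a check of the Content-Length mismatch described in the post above, using the JSON body and the `Content-Length: 103` value from the request posted earlier (other headers omitted). The helper names `check_content_length` and `fix_content_length` are hypothetical, and the truncation shown assumes a server that reads exactly the declared number of body bytes.

```python
import json

# Body and Content-Length copied from the POST /authenticate request in this
# thread; the remaining headers are left out for brevity.
RAW_REQUEST = (
    b"POST /authenticate HTTP/1.1\r\n"
    b"Host: ac591f4f1e9721e4c0482a7200a800b4.web-security-academy.net\r\n"
    b"Content-Type: application/json\r\n"
    b"Content-Length: 103\r\n"
    b"\r\n"
    b'{"email":"carlos@carlos-montoya.net","username":"wiener",'
    b'"token":"-dFTJaV4pUAlS6kjEGjDdnqX7bdeWoNYwLkzgJJKaAT"}'
)


def check_content_length(raw: bytes) -> dict:
    """Compare the declared Content-Length with the bytes actually present."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no blank line between headers and body")
    declared = None
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-length":
            declared = int(value.strip())
    if declared is None:
        raise ValueError("no Content-Length header")
    # Assumption: the server reads exactly `declared` bytes of body.
    seen = body[:declared]
    try:
        json.loads(seen)
        parses = True
    except ValueError:  # JSONDecodeError is a ValueError subclass
        parses = False
    return {"declared": declared, "actual": len(body),
            "server_sees": seen, "json_parses": parses}


def fix_content_length(raw: bytes) -> bytes:
    """Rewrite Content-Length so it matches the body that is really sent."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = [l for l in head.split(b"\r\n")
             if not l.lower().startswith(b"content-length:")]
    lines.append(b"Content-Length: %d" % len(body))
    return b"\r\n".join(lines) + b"\r\n\r\n" + body


if __name__ == "__main__":
    print(check_content_length(RAW_REQUEST))
    print(check_content_length(fix_content_length(RAW_REQUEST)))
```

With the stale header, the body seen under that assumption stops 8 bytes short and is no longer valid JSON, which is consistent with the Content-Length explanation suggested in the post.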

Michelle, PortSwigger Agent | Last updated: May 30, 2022 09:23AM UTC

Thanks for the update. If you disable the extensions you have installed, do you see the same issue? (The labs will be unavailable between 8 am and 4 pm BST on Monday 30th May to allow for some changes to the infrastructure)