Burp Suite User Forum

Lab: Authentication bypass via OAuth implicit flow

Natan | Last updated: Mar 12, 2021 01:35PM UTC

Lab: Authentication bypass via OAuth implicit flow is broken :/ It gives a SessionNotFound: invalid_request error when I try to log in to your own "social media"

Natan | Last updated: Mar 12, 2021 02:48PM UTC

Not only this lab. In other OAuth labs your OAuth service is down too :(

Michelle, PortSwigger Agent | Last updated: Mar 12, 2021 03:36PM UTC

Thanks for your message. I've just launched the lab 'Authentication bypass via OAuth implicit flow' and was able to login with the social media credentials given in the lab description. If you're still having problems can you share a few more details on the steps you're taking when you see the issue, please?

Natan | Last updated: Mar 12, 2021 04:15PM UTC

Still doesn't work :(
1) Clicking 'My account'
2) After this, the message 'We are now redirecting you to login with social media...' and a redirect
3) SessionNotFound: invalid_request
    at Provider.getInteraction (/usr/local/nvm/versions/node/v12.19.0/lib/node_modules/oidc-provider/lib/provider.js:50:11)
    at Provider.interactionDetails (/usr/local/nvm/versions/node/v12.19.0/lib/node_modules/oidc-provider/lib/provider.js:228:27)
    at /home/carlos/oauth/index.js:160:34
    at Layer.handle [as handle_request] (/usr/local/nvm/versions/node/v12.19.0/lib/node_modules/express/lib/router/layer.js:95:5)
    at next (/usr/local/nvm/versions/node/v12.19.0/lib/node_modules/express/lib/router/route.js:137:13)
    at setNoCache (/home/carlos/oauth/index.js:121:5)
    at Layer.handle [as handle_request] (/usr/local/nvm/versions/node/v12.19.0/lib/node_modules/express/lib/router/layer.js:95:5)
    at next (/usr/local/nvm/versions/node/v12.19.0/lib/node_modules/express/lib/router/route.js:137:13)
    at Route.dispatch (/usr/local/nvm/versions/node/v12.19.0/lib/node_modules/express/lib/router/route.js:112:3)
    at Layer.handle [as handle_request] (/usr/local/nvm/versions/node/v12.19.0/lib/node_modules/express/lib/router/layer.js:95:5)
No login page for me

Michelle, PortSwigger Agent | Last updated: Mar 12, 2021 05:32PM UTC

I'm sorry to hear that. I've tested a few times now and I'm afraid I can't replicate the issue. Does this still happen if you let the lab timeout/log out of the Academy and go back to it? Could you email some screenshots to support@portswigger.net, please?

Natan | Last updated: Mar 13, 2021 06:06AM UTC

Still doesn't work. Have sent you some screenshots

Alaa | Last updated: Mar 23, 2021 02:05AM UTC

Hey, I had the same problem. I fixed it by changing the browser I use to solve these labs. Try another browser in which you haven't logged in with the wiener:peter credentials inside these labs.

Aneesh | Last updated: Mar 30, 2021 06:08PM UTC

I'm also having the same issue :( This is my first day in PortSwigger and there's an error, first impression is gone

Michelle, PortSwigger Agent | Last updated: Mar 31, 2021 11:18AM UTC

Thanks for your message.

We've just tested accessing the lab using both Chrome and Firefox and it allows us to login without any errors. Could you take a screen recording of what you are seeing and email it to support@portswigger.net so we can take a look, please?

Dragon | Last updated: May 05, 2021 12:35PM UTC

Hi there :) I have the same problem. What I realise is that the URLs are different:
1) When I'm accessing the lab, the URL is https://ac161fc91eb4460d81517bd0001e001c.web-security-academy.net/
2) When I'm clicking "My account" I'm redirected to https://acaf1fd21ec7462b81127b9202eb00fb.web-security-academy.net/interaction/5aAtqC6TzIUIS99-qF6Xx
I can provide some screenshots, just give me an email or add this option to posts (it would be really nice and simple to be able to put an attachment in the post). Have a nice day :) Waiting for the reply

Michelle, PortSwigger Agent | Last updated: May 06, 2021 09:05AM UTC

Hi, the redirect is intentional in this case, it redirects to the other server as part of the login process. You can see the same behavior in the community solution video on the lab description page. I've tested the same lab and I'm afraid I've not been able to replicate your issue. If you're still having problems could you email us a screen recording of all the steps you are taking to get to this point and email it to support@portswigger.net, please?

Dragon | Last updated: May 07, 2021 09:26AM UTC

Hi, Michelle. Thank you for the reply. I've sent a mail.... Right now I'm going to send another, more detailed video. Have a good day and let me know if you need anything else

Michelle, PortSwigger Agent | Last updated: May 07, 2021 09:46AM UTC

Hi, thanks for sending that over, it's arrived safely so we'll take a look and be in touch once we've run some more tests :) Could you also create a new project file for one of these labs showing this happening and send us the project file, please?

Dragon | Last updated: May 07, 2021 10:24AM UTC

Hello again :) Unfortunately I cannot send you a project file :( I would love to but I have the Community Edition of Burp, so I don't have that type of option.

Michelle, PortSwigger Agent | Last updated: May 07, 2021 10:28AM UTC

That's ok, don't worry, thank you for the videos! The second one has arrived now so we'll take a look through those this afternoon and be in touch :)

Dragon | Last updated: May 07, 2021 10:37AM UTC

Thank you very much :) and really sorry for bothering you. What can I say.... I'm a beginner

Michelle, PortSwigger Agent | Last updated: May 07, 2021 12:15PM UTC

Hi, from the videos, I can see some differences in the requests when you complete the lab to when I complete the lab. I've just sent you an email with a couple more tests to try so we can see if we can find out why this would be. Thanks again for the information you've sent over so far :)

Dragon | Last updated: May 07, 2021 12:28PM UTC

I got it, and already replied back :)

Dragon | Last updated: May 20, 2021 06:52AM UTC

Hi Michelle, sorry for the late reply... holidays. So back to our last chat. I checked my BApps and I had 2 apps: HTTP Request Smuggler and Param Miner. I deleted both of them but the error is still there :(

Michelle, PortSwigger Agent | Last updated: May 20, 2021 08:05AM UTC

I hope you had a good holiday :) Would you mind sending a new video showing the requests you see when the BApps are disabled so I can compare them against the ones I see and check for the differences I noticed before?

Dragon | Last updated: May 20, 2021 09:28AM UTC

Hi again :) I sent the video. And about BApps... I did disable them at first but when it didn't help I deleted them completely.

Dragon | Last updated: May 25, 2021 01:04PM UTC

Hi, Michelle :) Hope you are all good :) I sent you another video with intercept on all the way from the start. Enjoy

Dragon | Last updated: May 26, 2021 09:42AM UTC

Hi, Michelle! How are you doing? I sent you a screenshot :) Have a good day

Michelle, PortSwigger Agent | Last updated: May 27, 2021 07:30AM UTC

Thanks! I'll have a look through and see if we can replicate it :)

Ishan | Last updated: Jul 14, 2021 05:20PM UTC

I am having the same issue. I've been having this issue for a very long time, but now I finally decided to report it. Please tell me how I can solve this problem. I am using Firefox.

ImSchatten360 | Last updated: Jul 15, 2021 09:17AM UTC

Same issue here. Behaviour is exactly as Natan described it:
1) Clicking 'My account'
2) After this message 'We are now redirecting you to login with social media...' and redirect
3) SessionNotFound: invalid_request ...
Kali/Firefox

Ben, PortSwigger Agent | Last updated: Jul 15, 2021 11:05AM UTC

Hi both, Do you have the ability to use another browser? If so, can we just check whether you see the same behaviour if you use a different browser (Chrome, for example)?

ImSchatten360 | Last updated: Jul 15, 2021 01:10PM UTC

I just tested it with Chromium (same computer) and I did not get any errors. It just seems to work as intended.

wiiz4rd | Last updated: Dec 19, 2021 12:04PM UTC

The problem "SessionNotFound: invalid_request error" of this laboratory with Firefox remains today. If I use Chromium, there is no problem.

Michelle, PortSwigger Agent | Last updated: Dec 20, 2021 02:14PM UTC

Thanks for your message. Whilst we have had a few reports of this issue we have not been able to replicate using Firefox here so we think this may be related to the version of Firefox you are using or the settings within Firefox, so if you are having issues we would recommend using Burp's embedded browser for this lab. I hope this helps and that you're enjoying the labs.
