Burp Suite User Forum


Lab: Authentication bypass via OAuth implicit flow - Request Not going through Burp Proxy.

Subhajit | Last updated: Feb 02, 2021 12:03PM UTC

While doing this lab, when I log in, after this request (GET /oauth-callback HTTP/1.1), the website is unable to send the (POST /authenticate) request. I tried in Mozilla and Chrome. Whenever the oauth-callback request is sent I can see the (oauth-callback#access_token=xxxxxx&expires_in=3600&token_type=Bearer&scope=openid profile email) in the URL. But that request is not going through the proxy. It turns into a blank white page. When I turn off the proxy it completes the request without any issue and I get logged in. I don't know why this is happening.

Uthman, PortSwigger Agent | Last updated: Feb 02, 2021 12:16PM UTC

Hi Subhajit, Do you have intercept turned on in Burp?

Rene | Last updated: Feb 06, 2021 11:27PM UTC

Hello Uthman, I am experiencing the same issue and I can confirm that the intercept is not turned on and I am using the standard config in the options tab. Thanks! René

Ben, PortSwigger Agent | Last updated: Feb 08, 2021 03:13PM UTC

Hi, I have just run through this lab using Firefox and was able to complete it successfully. What browser are you currently using?

Rene | Last updated: Feb 21, 2021 04:17PM UTC

Hi, I tried both Firefox 83.0 (64-bit) (Mac) and the one delivered with the Burp Community Edition 2020.2.1. Thanks, René

Ben, PortSwigger Agent | Last updated: Feb 22, 2021 08:49AM UTC

Hi, Just to clarify - are you having the same issue as the original poster? If not, are you able to provide us with some details of the issue that you are facing with this particular lab?

Choo | Last updated: Jun 29, 2021 04:16AM UTC

Hi, I have the exact same issue as the original poster with the OAuth labs. I am able to intercept and clear other labs, but not this one. It always gets stuck with a white screen at .../oauth-callback#access_token=...&expires_in=3600&token_type=Bearer&scope=openid%20profile%20email. The browsers I have tried: a) Chromium Version 91.0.4472.114 (Official Build) (64-bit) launched from Burp Suite Community b) Firefox 75.0 (64-bit)

Choo | Last updated: Jun 29, 2021 05:11AM UTC

Correction: The URL on the browser is shown as .../oauth-callback#access_token=...&expires_in=3600&token_type=Bearer&scope=openid%20profile%20email However in the HTTP History, the last request (following /oauth-callback) is OPTIONS /me HTTP/1.1 The response to OPTIONS /me is "HTTP/1.1 204 No Content"

Ben, PortSwigger Agent | Last updated: Jun 30, 2021 07:38AM UTC

Hi, Are you able to replicate this issue and send us an email at support@portswigger.net with some screenshots of what you are seeing so that we can see exactly what is happening? Unfortunately, we have not yet been able to replicate this particular issue so it would be useful to have some further information in order to aid us with this one.
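The requests the posters describe (the token in the fragment of /oauth-callback, the OPTIONS /me preflight, and the POST /authenticate that should follow) are the client-side half of an OAuth implicit flow. The following is an added example, not code from the lab or from anyone in this thread: a minimal callback handler in the shape a browser page would run after the redirect, together with a constructed fake server so it runs offline. The authorization-server origin, the JSON bodies of /me and /authenticate, and the fake server's checks are assumptions; only the endpoint names and the fragment format come from the thread. One point worth keeping in mind when reading a Proxy history for this flow: the `#access_token=...` fragment is never transmitted in an HTTP request, so it cannot appear in the proxy; what does appear is whatever the page's script sends afterwards, which is why the cross-origin GET /me with an `Authorization` header is preceded by the OPTIONS /me preflight seen above.

```javascript
// Added example of an implicit-flow callback handler. Not the lab's code.
// Assumed: the authorization server origin and the JSON shapes below.
const OAUTH_SERVER = 'https://oauth-server.example';

// Parse the fragment the authorization server appends on redirect, e.g.
// '#access_token=xxxxxx&expires_in=3600&token_type=Bearer&scope=openid%20profile%20email'.
// The fragment stays in the browser; only the script's follow-up requests
// are visible to a proxy.
function parseFragment(hash) {
  const params = new URLSearchParams(hash.replace(/^#/, ''));
  const token = params.get('access_token');
  if (!token) throw new Error('no access_token in fragment');
  return {
    accessToken: token,
    tokenType: params.get('token_type'),
    expiresIn: Number(params.get('expires_in')),
    scope: (params.get('scope') || '').split(' ').filter(Boolean),
  };
}

// Complete the login the way an implicit-flow client does: fetch the profile
// from the OAuth server with the bearer token, then hand profile and token to
// the client app's own /authenticate endpoint. fetchImpl is injected so the
// flow can run offline against a fake server.
async function completeLogin(hash, fetchImpl) {
  const { accessToken, tokenType } = parseFragment(hash);
  if (tokenType && tokenType.toLowerCase() !== 'bearer') {
    throw new Error(`unexpected token_type ${tokenType}`);
  }
  // A cross-origin GET carrying an Authorization header is not a "simple"
  // CORS request, so a real browser sends OPTIONS /me (the preflight) first.
  const meRes = await fetchImpl(`${OAUTH_SERVER}/me`, {
    headers: { Authorization: `Bearer ${accessToken}` },
  });
  if (!meRes.ok) throw new Error(`/me failed: ${meRes.status}`);
  const profile = await meRes.json();

  const authRes = await fetchImpl('/authenticate', {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({ email: profile.email, username: profile.sub, token: accessToken }),
  });
  if (!authRes.ok) throw new Error(`/authenticate failed: ${authRes.status}`);
  return authRes.json();
}

// Constructed fake server: maps access tokens to profiles and records every
// request so the flow can be inspected without a network. Assumed behaviour,
// not the lab's.
function makeFakeFetch(tokens) {
  const log = [];
  const reply = (status, body) => ({ ok: status < 400, status, json: async () => body });
  const fake = async (url, opts = {}) => {
    const headers = opts.headers || {};
    log.push({ url, method: opts.method || 'GET' });
    if (url === `${OAUTH_SERVER}/me`) {
      const profile = tokens[(headers.Authorization || '').replace(/^Bearer /, '')];
      return profile ? reply(200, profile) : reply(401, { error: 'invalid_token' });
    }
    if (url === '/authenticate') {
      // Identity is derived from the token the client presents, not from the
      // client-supplied email field, so a tampered body cannot change who logs in.
      const profile = tokens[JSON.parse(opts.body).token];
      return profile ? reply(200, { loggedInAs: profile.sub }) : reply(401, { error: 'bad token' });
    }
    return reply(404, {});
  };
  fake.log = log;
  return fake;
}

// Constructed sample run: one valid token bound to one profile.
const SAMPLE_HASH = '#access_token=xxxxxx&expires_in=3600&token_type=Bearer&scope=openid%20profile%20email';
const SAMPLE_TOKENS = { xxxxxx: { sub: 'alice', email: 'alice@example.com' } };
```

Running `completeLogin(SAMPLE_HASH, makeFakeFetch(SAMPLE_TOKENS))` yields `{ loggedInAs: 'alice' }` and a two-entry log (GET /me, then POST /authenticate); a fragment carrying a token the server does not know fails at /me and never reaches /authenticate, which is the order in which the real flow's requests would show up in a proxy as well.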
