Lab link.
We log in and when we log out and log in again, we see that we can log in without entering any login information. We pass the “GET /auth?client_id” request to the repeater and experiment with the redirect_uri parameter.
When we change the value of the redirect_uri parameter, we do not get an error, which indicates that the necessary precautions have not been taken on the OAuth side.
We replace redirect_uri with our exploit server URL to check if authorization codes are exposed.
Authorization codes can be leaked. We create an iframe on our exploit server. iframe src is the URL in our GET auth request, but redirect_uri should be the exploit server URL.
After checking the iframe, we do “Deliver exploit to the victim” and paste the token “oauth-callback?code=” in the access log section and become an admin.
https://YOUR-LAB-ID.web-security-academy.net/oauth-callback?code=STOLEN-CODE
a