Solving Burp suite lab Authentication bypass via OAuth implicit flow

Vishal
3 min readMay 24, 2024

If you want a very basic understanding of OAuth and its various flows, please refer to the previous write-up.

In this write-up, we will try to solve the lab "Authentication bypass via OAuth implicit flow".

As per the instructions, this lab uses OAuth to allow users to log in with their social media account.

To solve the lab, we need to log in to Carlos's account. The lab has provided us with another user's credentials. Let's first check the OAuth flow for the user wiener using Burp Suite.

1. The user clicks the My Account tab to log in and receives a message saying "redirecting you to login with social media ...".

2. After that you will see a GET request to the authorization server; this is sent by the client application.

Request to the OAuth service's authorization endpoint

In the above request, you can see:

client_id: This is the mandatory parameter containing the unique identifier of the client application.

redirect_uri: The URI to which the user's browser should be redirected when sending the authorization code to the client application. This is also known as the "callback URI" or "callback".

response_type: Determines which kind of response the client application is expecting and, therefore, which flow it wants to initiate. In this case it is token, i.e. the implicit flow.

scope: Used to specify which subset of the user's data the client application wants to access. In the current example it is the email.

The response to the above GET request is a 302 redirect, and the user then sees a login page. Here we used wiener as the username and peter as the password.

Once the user provides credentials, you will see a consent page like this:

Once you click Continue, you will see a POST request:

After that you will see a 302 redirect.

You can see the value of access_token in the above response. After this, there is a POST request to the authenticate endpoint. Notice the email, username and token in the POST body.

The user is successfully logged in to his account.

Now, looking at the above POST request, we can tamper with the email ID: if the application does not validate the email and only validates the token, we may get access to carlos's account. Let's try this. Repeat the whole process up to the login step, and when you see the above request in Burp, change the email to that of carlos, i.e. carlos@carlos-montoya.net.
</g_replace>
<gr_replace lines="47" cat="clarify" orig="You can">
You can see we are able to log in as the user carlos.

Original Request
Tampered request

You can see we are able to login with the user Carlos.

This is how you can solve the lab: the client application did not check the email here and simply trusted the token.
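As an added example (not the lab's or the author's code), here is the client application's /authenticate handler written the way the write-up describes it, beside a hardened version that derives the identity from the token by asking the OAuth service who the token belongs to, instead of trusting the email in the POST body. The OAuth service's userinfo call is simulated with a constructed in-memory table; the token values and wiener's email address are assumptions.

```python
import json

# Constructed sample data: access tokens the (simulated) OAuth service issued
# and the identity each one is bound to. A real client application would
# instead call the provider's userinfo endpoint over HTTPS with the bearer token.
OAUTH_USERINFO = {
    "tok-wiener-123": {"email": "wiener@example.net", "username": "wiener"},
    "tok-carlos-456": {"email": "carlos@carlos-montoya.net", "username": "carlos"},
}


def userinfo(token):
    """Simulates the OAuth service's userinfo lookup: identity for a valid token, else None."""
    return OAUTH_USERINFO.get(token)


def authenticate_vulnerable(body):
    """The lab's behaviour: the token is checked, but the session is created
    for whatever email the browser sent in the POST body."""
    data = json.loads(body)
    if userinfo(data.get("token")) is None:
        return None  # invalid token: login refused
    return data.get("email")  # client-controlled value decides the identity


def authenticate_hardened(body):
    """The fix: the identity comes from the OAuth service's answer for the token.
    A body email that disagrees with it is a tampering signal and is rejected."""
    data = json.loads(body)
    info = userinfo(data.get("token"))
    if info is None:
        return None
    if data.get("email") != info["email"]:
        return None  # log and alert on this in a real application
    return info["email"]  # server-verified identity, not the body value


# The POST body from the write-up with the email field tampered as described:
# wiener's own token, but carlos's email address.
TAMPERED_BODY = json.dumps({
    "email": "carlos@carlos-montoya.net",
    "username": "wiener",
    "token": "tok-wiener-123",
})

if __name__ == "__main__":
    print("vulnerable:", authenticate_vulnerable(TAMPERED_BODY))  # carlos@carlos-montoya.net
    print("hardened:  ", authenticate_hardened(TAMPERED_BODY))    # None
```

Running the block shows the tampered request logging in as carlos against the vulnerable handler and being refused by the hardened one, while wiener's untampered request still succeeds.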
