CTF Writeups
Tools and Payloads
TryHackMe
- TryHackMe Overview
HackTheBox
- HackTheBox Overview
HackTheBox Academy
- HTB Academy Overview
PortSwigger Academy
- PortSwigger Overview
2021 CTFs
2020 CTFs
- VulnCon2020 Overview

Powered by GitBook

On this page

Task
Solution

PortSwigger Academy

PortSwigger Overview

Authenication bypass via OAuth implicit flow

PreviousPortSwigger Overview NextForced Oauth Profile Linking

Last updated 11 months ago

Date: 27, July, 2021

Author: Dhilip Sanjay S

Task

This lab uses an OAuth service to allow users to log in with their social media account. Flawed validation by the client application makes it possible for an attacker to log in to other users' accounts without knowing their password.
To solve the lab, log in to Carlos's account. His email address is carlos@carlos-montoya.net.
You can log in with your own social media account using the following credentials: wiener:peter.

Solution

Modify the email address in the POST request to /authenticate endpoint:

The application probably verifies the token, but doesn't verify that the token belongs to the corresponding email.
If you go to My account, you can see that you are logged in as Carlos.