> For the complete documentation index, see [llms.txt](https://blog.dhilipsanjay.in/ctfs/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://blog.dhilipsanjay.in/ctfs/portswigger-academy/portswiggeracademy/lab1.md). # Authenication bypass via OAuth implicit flow **Date:** 27, July, 2021 **Author:** Dhilip Sanjay S *** ## Task * This lab uses an OAuth service to allow users to log in with their social media account. Flawed validation by the client application makes it possible for an attacker to log in to other users' accounts without knowing their password. * To solve the lab, log in to Carlos's account. His email address is `carlos@carlos-montoya.net`. * You can log in with your own social media account using the following credentials: `wiener:peter`. *** ## Solution * Modify the email address in the POST request to `/authenticate` endpoint: ![Implicit - Authentication Bypass](/files/2zlcwnSIujN1WSTe4MVL) * The application probably verifies the token, but doesn't verify that the token belongs to the corresponding **email**. * If you go to `My account`, you can see that you are logged in as Carlos. ![Solved](/files/CQFRw32LaOYN7hSrPENu) *** --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://blog.dhilipsanjay.in/ctfs/portswigger-academy/portswiggeracademy/lab1.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.