By kannthu
The "SSRF due to misconfiguration in OAuth" module is designed to detect the presence of Server-Side Request Forgery (SSRF) vulnerabilities caused by misconfigurations in OAuth implementations. This module targets software that utilizes OAuth for authentication and authorization. The severity of this vulnerability is classified as medium.
Author: KabirSuda
An SSRF vulnerability in OAuth can allow an attacker to make unauthorized requests to internal resources, potentially leading to information disclosure, remote code execution, or further attacks on the system.
The "SSRF due to misconfiguration in OAuth" module sends a POST request to the endpoint "/connect/register" to check for external interaction. The request carries a JSON body with several fields: "application_type", "redirect_uris", "client_name", "logo_uri", "subject_type", "token_endpoint_auth_method", and "request_uris".
Example request:
POST /connect/register HTTP/1.1
Host: <Hostname>
Content-Type: application/json
Accept-Language: en-US,en;q=0.9

{
  "application_type": "web",
  "redirect_uris": ["https://<InteractionURL>/callback"],
  "client_name": "<Hostname>",
  "logo_uri": "https://<InteractionURL>/favicon.ico",
  "subject_type": "pairwise",
  "token_endpoint_auth_method": "client_secret_basic",
  "request_uris": ["https://<InteractionURL>"]
}
The module includes a matching condition that checks whether the "interactsh_protocol" part of the response contains the word "dns", meaning the interaction server recorded a DNS lookup for the hostname supplied in the request. If this condition is met, it indicates the presence of an SSRF vulnerability due to misconfiguration in OAuth.
Reference: https://portswigger.net/research/hidden-oauth-attack-vectors
Metadata: max-request: 1
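A server-side check for the URL fields this request carries, as an added example that is not part of the module or the original page: it rejects registration metadata whose "redirect_uris", "logo_uri" or "request_uris" use a non-HTTPS scheme or point at a non-public address. The function names, the injectable resolver and the sample hosts are assumptions made for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Fields from the registration request shown above whose values are URLs.
URL_FIELDS = ("redirect_uris", "logo_uri", "request_uris")

def system_resolve(host):
    """Default resolver: every address the host currently resolves to."""
    try:
        infos = socket.getaddrinfo(host, 443, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})

def check_url(url, resolve=system_resolve):
    """Return a rejection reason for one URL, or None if it is acceptable."""
    try:
        parts = urlsplit(url)
        host = parts.hostname
    except (ValueError, TypeError, AttributeError):
        return "malformed URL"
    if parts.scheme != "https":
        return "scheme must be https"
    if not host:
        return "missing host"
    try:
        addrs = [str(ipaddress.ip_address(host))]  # literal IP in the URL
    except ValueError:
        addrs = resolve(host)                      # hostname: check every answer
    if not addrs:
        return "host does not resolve"
    for addr in addrs:
        if not ipaddress.ip_address(addr).is_global:
            return f"non-public address {addr}"
    return None

def validate_registration(metadata, resolve=system_resolve):
    """Map each URL field to the (url, reason) pairs that were rejected."""
    rejected = {}
    for field in URL_FIELDS:
        value = metadata.get(field, [])
        for url in [value] if isinstance(value, str) else value:
            reason = check_url(url, resolve)
            if reason:
                rejected.setdefault(field, []).append((url, reason))
    return rejected

# Constructed sample data (hypothetical hosts), so the check runs offline.
SAMPLE_DNS = {"cdn.partner.example": ["93.184.216.34"],
              "metadata.corp.example": ["169.254.169.254"]}
SAMPLE = {"application_type": "web",
          "redirect_uris": ["https://cdn.partner.example/callback"],
          "logo_uri": "https://metadata.corp.example/favicon.ico",
          "request_uris": ["http://cdn.partner.example/req", "https://10.0.0.5/"]}
```

The same check has to run again at the moment the server fetches a stored URL, because the DNS answer for a hostname can change after registration.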