SSRF due to misconfiguration in OAuth

By kannthu

Severity: Medium

Tags: #misconfig #oast #oauth #ssrf
Description

What is "SSRF due to misconfiguration in OAuth?"

The "SSRF due to misconfiguration in OAuth" module is designed to detect the presence of Server-Side Request Forgery (SSRF) vulnerabilities caused by misconfigurations in OAuth implementations. This module targets software that utilizes OAuth for authentication and authorization. The severity of this vulnerability is classified as medium.

Author: KabirSuda

Impact

An SSRF vulnerability in OAuth can allow an attacker to make unauthorized requests to internal resources, potentially leading to information disclosure, remote code execution, or further attacks on the system.

How does the module work?

The "SSRF due to misconfiguration in OAuth" module sends a POST request to the OAuth dynamic client registration endpoint "/connect/register" and checks for an out-of-band (OAST) interaction. The JSON body carries several URL-bearing registration parameters, such as "application_type", "redirect_uris", "client_name", "logo_uri", "subject_type", "token_endpoint_auth_method", and "request_uris", with the URLs pointing at the interaction host.

Example request:

POST /connect/register HTTP/1.1
Host: <Hostname>
Content-Type: application/json
Accept-Language: en-US,en;q=0.9

{
  "application_type": "web",
  "redirect_uris": ["https://<InteractionURL>/callback"],
  "client_name": "<Hostname>",
  "logo_uri": "https://<InteractionURL>/favicon.ico",
  "subject_type": "pairwise",
  "token_endpoint_auth_method": "client_secret_basic",
  "request_uris": ["https://<InteractionURL>"]
}

The module includes a matching condition that checks whether the "interactsh_protocol" part of the recorded out-of-band interaction contains the word "dns", meaning the target resolved the interaction hostname it received in the registration request. If this condition is met, the module reports an SSRF vulnerability due to misconfiguration in OAuth.
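As an added defensive example (not part of the Vidoc module or this page): a Python validator an authorization server could run over the registration body shown above before storing the client or dereferencing any of its URIs. The host allowlist, the extra jwks_uri field and the placeholder interaction hostname are assumptions.

```python
import ipaddress
from urllib.parse import urlparse

# Registration fields whose URLs the server may later resolve or fetch. The page
# names the first three; jwks_uri is another OIDC field with the same exposure.
URI_FIELDS = ("redirect_uris", "logo_uri", "request_uris", "jwks_uri")


def uri_problems(uri, allowed_hosts):
    """Return the reasons `uri` must be rejected at registration (empty = OK)."""
    problems = []
    parsed = urlparse(uri)
    if parsed.scheme != "https":
        problems.append(f"{uri}: scheme must be https")
    host = parsed.hostname  # urlparse lower-cases it
    if not host:
        problems.append(f"{uri}: missing host")
        return problems
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None
    if addr is not None:
        # Literal addresses are never legitimate client assets; name the
        # loopback/private/link-local case, which is what an SSRF would reach.
        kind = "internal" if not addr.is_global else "literal"
        problems.append(f"{uri}: {kind} IP address host is not allowed")
    elif host not in allowed_hosts:
        problems.append(f"{uri}: host {host!r} is not on the client allowlist")
    return problems


def check_registration(payload, allowed_hosts):
    """Validate every URL-bearing field; only an empty result may be stored, and
    later fetches of logo_uri/request_uris still belong behind an egress proxy."""
    problems = []
    for field in URI_FIELDS:
        value = payload.get(field)
        for uri in (value if isinstance(value, list) else [value]):
            if uri is not None:
                problems.extend(uri_problems(str(uri), allowed_hosts))
    return problems


# Constructed sample mirroring the module's request body; the interaction host
# is a placeholder, not a real domain.
OAST_HOST = "oast.placeholder.example"
SAMPLE_PAYLOAD = {"application_type": "web",
                  "redirect_uris": [f"https://{OAST_HOST}/callback"],
                  "logo_uri": f"https://{OAST_HOST}/favicon.ico",
                  "request_uris": [f"https://{OAST_HOST}"]}
```

Running `check_registration(SAMPLE_PAYLOAD, {"app.example.com"})` rejects all three attacker-supplied URLs, which is the decision the registration handler must make before any server-side fetch.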

Reference: https://portswigger.net/research/hidden-oauth-attack-vectors

Metadata: max-request: 1

Module preview

Concurrent requests: 1
  1. HTTP request template (raw request, as shown above)
Matching conditions: word "dns"
Passive global matcher: no matching conditions
On match action: report vulnerability