[This lab](https://portswigger.net/web-security/oauth/lab-oauth-authentication-bypass-via-oauth-implicit-flow) demonstrates how weak client-side validation in an OAuth **implicit flow** can be exploited to bypass authentication and log in as another user without their credentials. --- #### 1. Understanding the Scenario * **OAuth grant type**: Implicit flow (access token returned directly to the client without an authorization code exchange). * **Vulnerability**: The client application trusts the user identity returned from the OAuth provider without verifying it against the actual authenticated account. * **Goal**: Log in as `[email protected]`. --- #### 2. Reconnaissance – Mapping the OAuth Flow Using Burp Suite, we: 1. Navigated to **My account** → **Login with social media**. 2. Completed the OAuth login with provided creds (`wiener:peter`). 3. Observed the sequence in **Proxy > HTTP history**: * **Authorization request** ``` GET /auth?client_id=...&redirect_uri=...&response_type=token ``` This triggers the OAuth login screen on the social media service. * **Redirect with access token** ``` HTTP/1.1 302 Found Location: https://lab-url/#access_token=XYZ&token_type=Bearer&expires_in=3600 ``` * **Client-side processing** JavaScript extracts the `access_token` from the fragment and sends it to the blog application’s backend: ``` POST /authenticate HTTP/1.1 Host: lab-url Content-Type: application/json { "email": "[email protected]", "access_token": "XYZ" } ``` --- #### 3. Exploitation – Forging the Identity The flaw: The blog server **does not verify** that the supplied `email` matches the user associated with the access token from the OAuth provider. It simply trusts the `email` field from the client request. **Steps:** 1. Sent the `POST /authenticate` request to **Repeater**. 2. Modified: ```json { "email": "[email protected]", "access_token": "XYZ" } ``` 3. Sent the request — received `200 OK` with a `Set-Cookie` header (session cookie for Carlos). 4. Right-clicked → **Request in browser > In original session**. 5. Opened the generated URL — logged in as Carlos. It may be better for you to just intercept it. ![[CleanShot 2025-08-15 at [email protected]]]