
How I Found a Critical OAuth Misconfiguration That Led to Ac...#2353

Open
carlospolop wants to merge 1 commit into master from update_How_I_Found_a_Critical_OAuth_Misconfiguration_Th_3629fe372a60d2d0

Conversation

@carlospolop

Collaborator

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

🎯 Content Summary

The blog describes a critical OAuth 2.0 misconfiguration chain found during an authorized bug bounty assessment of a self-hosted/internal platform. No CVE is assigned. The impact was full account takeover of authenticated users by chaining exposed OAuth metadata, unauthenticated dynamic OAuth client registration, arbitrary redirect URI acceptance, weak client validation, PKCE abuse in an attacker-controlled flow, wildcard CORS, and normal OAuth consent interaction.


1. Recon...

🔧 Technical Details

OAuth metadata reconnaissance: Check /.well-known/oauth-authorization-server for exposed OAuth server metadata. Useful fields include authorization_endpoint, token_endpoint, registration_endpoint, response_types_supported, grant_types_supported, token_endpoint_auth_methods_supported, and code_challenge_methods_supported. A visible registration_endpoint indicates dynamic client registration may be available, while token_endpoint_auth_methods_supported containing none indicates public-client token exchange may be accepted.


Abusing open dynamic OAuth client registration: If an OAuth server exposes POST /api/v2/oauth/register or an equivalent dynamic registration endpoint without authentication, an attacker may create a malicious OAuth client. If arbitrary redirect_uris are ac...

🤖 Agent Actions

Done.

Updated:

  • src/pentesting-web/oauth-to-account-takeover.md

Added:

  • OAuth metadata recon via /.well-known/oauth-authorization-server
  • Detection of exposed registration_endpoint
  • Abuse of unauthenticated dynamic client registration
  • Attacker-controlled redirect_uris as a malicious-client ATO path
  • Clear explanation that PKCE does not stop a malicious registered client
  • Notes on broken pre-auth authorization behavior and wildcard CORS as an amplifier
  • Blog URL in ## References

Validation:

  • Reviewed diff and structure
  • Confirmed ## References still exists and banner include remains at end
  • mdbook build could not be executed because mdbook is not installed in this environment

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.
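The metadata reconnaissance step from the Technical Details above can be turned into a defender-side audit of an OAuth server's own RFC 8414 metadata. This is an added example, not code from the PR, the blog post or the HackTricks page; the issuer URL and both metadata documents are constructed samples, and the implicit-grant and plain-PKCE checks go beyond what the PR lists.

```python
import json

# Constructed sample resembling the misconfigured server the PR describes
# (hostnames and paths are assumed, not taken from any real target).
MISCONFIGURED_METADATA = json.dumps({
    "issuer": "https://idp.example.test",
    "authorization_endpoint": "https://idp.example.test/oauth/authorize",
    "token_endpoint": "https://idp.example.test/oauth/token",
    "registration_endpoint": "https://idp.example.test/api/v2/oauth/register",
    "response_types_supported": ["code", "token"],
    "grant_types_supported": ["authorization_code", "implicit"],
    "token_endpoint_auth_methods_supported": ["client_secret_basic", "none"],
    "code_challenge_methods_supported": ["plain", "S256"],
})

# Constructed hardened counterpart: no open registration advertised,
# confidential clients only, S256-only PKCE.
HARDENED_METADATA = json.dumps({
    "issuer": "https://idp.example.test",
    "authorization_endpoint": "https://idp.example.test/oauth/authorize",
    "token_endpoint": "https://idp.example.test/oauth/token",
    "response_types_supported": ["code"],
    "grant_types_supported": ["authorization_code"],
    "token_endpoint_auth_methods_supported": ["client_secret_basic", "private_key_jwt"],
    "code_challenge_methods_supported": ["S256"],
})


def audit_oauth_metadata(raw: str) -> list[str]:
    """Return review findings for a /.well-known/oauth-authorization-server document."""
    meta = json.loads(raw)
    findings = []
    # A visible registration_endpoint means dynamic client registration may be open;
    # the server must authenticate callers and constrain redirect_uris.
    if "registration_endpoint" in meta:
        findings.append("registration_endpoint advertised: confirm it requires "
                        "authentication and restricts redirect_uris")
    # 'none' means public clients can exchange codes with no client secret.
    if "none" in meta.get("token_endpoint_auth_methods_supported", []):
        findings.append("token_endpoint accepts 'none': public-client exchange allowed")
    if ("implicit" in meta.get("grant_types_supported", [])
            or "token" in meta.get("response_types_supported", [])):
        findings.append("implicit grant enabled: tokens returned in redirect fragment")
    if "plain" in meta.get("code_challenge_methods_supported", []):
        findings.append("PKCE 'plain' allowed: only S256 should be accepted")
    return findings
```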

@carlospolop

Collaborator Author

🔗 Additional Context

Original Blog Post: https://medium.com/@iamshafayat/how-i-found-a-critical-oauth-misconfiguration-that-led-to-account-takeover-abfec43eaea6

Content Categories: Based on the analysis, this content was categorized under "Pentesting Web -> OAuth to Account takeover".

Repository Maintenance:

  • MD Files Formatting: 977 files processed

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0
