AppSec Tales IX | OAuth

Karol Mazurek
9 min read · Oct 22, 2022

Guidelines for Application Security Testing of the OAuth protocol.

INTRODUCTION

This article describes Application Security Testing of OAuth.
The advice in this article is based on the following:

TOOLING

Keep the tools up to date.

BURP SUITE

Upgrade Burp Suite with the following extensions:

Source: https://github.com/portswigger/espresso
Source: https://github.com/portswigger/oauth-scan
  • pMDetector — searching for a misconfigured postMessage().

At the moment, the pMDetector extension is not in Bapp Store.
You have to download it from the link and manually add it:

Source: Own study — Adding custom Burp Extension.

RECON WORDLIST

When dealing with OAuth, it is common to see a dedicated domain used for it (for example, oauth.example.com). It is essential to perform directory brute-forcing on both domains (the OAuth domain and example.com).

  • Basic wordlist for OAuth detection:
/authorize
/oauth
/oauth/authorize
/oauth/device_authorize
/oauth/device/validate
/oauth/introspect
/oauth/token
/oauth/userinfo
/oauth/logout
/oauth2
/oauth2/authorize
/oauth2/device/validate
/oauth2/device_authorize
/oauth2/introspect
/oauth2/token
/oauth2/userinfo
/oauth2/logout
/.well-known/oauth-authorization-server
/.well-known/openid-configuration
/.well-known/jwks.json
/.well-known/webfinger
  • Directory brute-forcing wordlist…
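The two `/.well-known/` entries in the wordlist above are worth more than a hit/miss: when one responds, its JSON metadata (RFC 8414 / OpenID Connect Discovery) lists the provider's real endpoint URLs, which may use paths the static wordlist does not cover. The following is an added example, not code from the article: it extracts endpoint paths from a constructed discovery document and builds the full list of URLs to check on both the apex domain and the assumed `oauth.` subdomain. The metadata keys are the standard ones; the sample document and the host names are constructed.

```python
import json
from urllib.parse import urlparse

# Static paths taken from the article's wordlist (a subset is enough here).
BASE_WORDLIST = [
    "/authorize", "/oauth/authorize", "/oauth/token", "/oauth/userinfo",
    "/oauth2/authorize", "/oauth2/token", "/oauth2/introspect",
    "/.well-known/oauth-authorization-server",
    "/.well-known/openid-configuration", "/.well-known/jwks.json",
]

# Metadata keys (RFC 8414 / OIDC Discovery) whose values are endpoint URLs.
ENDPOINT_KEYS = (
    "authorization_endpoint", "token_endpoint", "userinfo_endpoint",
    "introspection_endpoint", "revocation_endpoint",
    "device_authorization_endpoint", "end_session_endpoint",
    "jwks_uri", "registration_endpoint",
)


def endpoint_paths(metadata_json: str) -> list[str]:
    """Return the unique URL paths of the endpoints a discovery document advertises.
    Keys that are missing or not strings (malformed metadata) are skipped."""
    meta = json.loads(metadata_json)
    paths: list[str] = []
    for key in ENDPOINT_KEYS:
        value = meta.get(key)
        if isinstance(value, str):
            path = urlparse(value).path or "/"
            if path not in paths:
                paths.append(path)
    return paths


def build_targets(apex: str, discovered=()) -> list[str]:
    """Combine the static wordlist with discovered paths and expand them over
    both hosts the article says to test: the apex domain and oauth.<apex>."""
    paths = list(BASE_WORDLIST)
    for p in discovered:
        if p not in paths:
            paths.append(p)
    hosts = (apex, f"oauth.{apex}")
    return [f"https://{h}{p}" for h in hosts for p in paths]


# Constructed sample discovery document (hypothetical, not a real provider's).
SAMPLE_METADATA = json.dumps({
    "issuer": "https://oauth.example.com",
    "authorization_endpoint": "https://oauth.example.com/v2/auth",
    "token_endpoint": "https://oauth.example.com/v2/token",
    "jwks_uri": "https://oauth.example.com/keys/jwks.json",
    "token_endpoint_auth_methods_supported": ["client_secret_basic"],
})

if __name__ == "__main__":
    for url in build_targets("example.com", endpoint_paths(SAMPLE_METADATA)):
        print(url)
```

Feed the resulting list to whatever directory brute-forcer you already use; the discovered `/v2/...` paths would be missed by the static wordlist alone.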
