Guidelines for application security testing of the OAuth protocol.
This article describes application security testing of OAuth.
The advice in this article is based on the following:
- OWASP Web Security Testing Guide
- OWASP Application Security Verification Standard
- NIST recommendations
- Bug bounty reports
- Portswigger Academy
- Own experience.
Keep your tools up to date.
Extend Burp Suite with the following extensions:
- pMDetector — searches for a misconfigured postMessage().
At the moment, the pMDetector extension is not in the BApp Store.
You have to download it from the link and add it manually:
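The misconfiguration pMDetector looks for, as an added example that is not the page's or the extension's own code: an OAuth popup returning the authorization code to its opener through postMessage(), once with a listener that never checks event.origin and once with a hardened listener. The origins, the message shape and the state binding are assumptions.

```javascript
// Added example. Assumed setup: an OAuth popup at TRUSTED_ORIGIN returns the
// authorization code to the opener via postMessage(); the client app's own
// origin is APP_ORIGIN. Both values are placeholders.
const TRUSTED_ORIGIN = "https://oauth.example.com"; // assumed IdP origin
const APP_ORIGIN = "https://app.example.com";       // assumed client origin

// Misconfigured listener: no origin check, so any window that can reach this
// one can inject an "oauth_result" message and have its code accepted.
function vulnerableHandler(event, session) {
  const data = event.data || {};
  if (data.type === "oauth_result") {
    session.code = data.code;
  }
  return session;
}

// Hardened listener: exact origin match, strict payload shape, and the OAuth
// state value must equal the one this session generated before the redirect.
function hardenedHandler(event, session) {
  if (event.origin !== TRUSTED_ORIGIN) return session; // not the IdP popup
  const data = event.data;
  if (!data || typeof data !== "object") return session;
  if (data.type !== "oauth_result") return session;
  if (typeof data.code !== "string") return session;
  if (data.state !== session.expectedState) return session; // CSRF binding
  session.code = data.code;
  return session;
}

// Sender side (inside the popup): name the target origin explicitly instead of
// "*", so the code is never delivered to an opener that is not the client app.
function postResult(targetWindow, code, state) {
  targetWindow.postMessage({ type: "oauth_result", code, state }, APP_ORIGIN);
}

// Constructed events, shaped like MessageEvent, for an offline demonstration.
const fromIdp = { origin: TRUSTED_ORIGIN,
  data: { type: "oauth_result", code: "code-from-idp", state: "s123" } };
const fromOther = { origin: "https://third-party.example",
  data: { type: "oauth_result", code: "injected-code", state: "s123" } };

function demo() {
  const fresh = () => ({ expectedState: "s123", code: undefined });
  return {
    vulnAcceptsOther: vulnerableHandler(fromOther, fresh()).code,
    hardAcceptsOther: hardenedHandler(fromOther, fresh()).code,
    hardAcceptsIdp: hardenedHandler(fromIdp, fresh()).code,
  };
}
console.log(demo());
```

Running the block shows the vulnerable listener storing the injected code while the hardened one keeps only the result from the IdP origin.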
When dealing with OAuth, it is common to see a dedicated domain used for it (for example, oauth.example.com). It is essential to perform directory brute-forcing on both domains (the OAuth domain and example.com).
- Basic wordlist for OAuth detection:
- Directory brute-forcing wordlist…