AppSec Tales IX | OAuth

Application Security Testing of the OAuth protocol guidelines.

INTRODUCTION

The article describes the Application Security Testing of the OAuth.
The advice in this article is based on the following:

• OWASP Web Security Testing Guide
• OWASP Application Security Verification Standard
• NIST recommendations
• Bug bounty reports
• Portswigger Academy
• Own experience.

TOOLING

Constantly update the tools.

BURP SUITE

Upgrade Burp Suite with the following extensions:

• EsPReSSO

Source: https://github.com/portswigger/espresso

• OAuth Scan

Source: https://github.com/portswigger/oauth-scan

• pMDetector — searching for a misconfigured postMessage().

At the moment, the pMDetector extension is not in Bapp Store.
You have to download it from the link and manually add it: