Vulnerable-OAuth-2.0-Applications
Why does replaying the auth code give access to resources?
I believe the auth code grant flow is in use in the photoprint/gallery web application demo. I am sending response_type=code in the request and in the response I am getting an auth code. If I use this to access resources without providing the client id + secret, I am able to get access to the resource pictures. Am I missing something here, or is it a flaw there?
This is called a vulnerable application :)
Yeah, I didn't forget that, but people tend to mistake it for an access token, where they actually replayed the auth code. I saw YouTube videos explaining OAuth flaws using this app that way. Here the auth code itself is enough to grant access; I thought that is not that common a vulnerability. Anyway, thanks much for the response, looking forward to more updates to this app. Great work.