DevRelay — Open Redirect in OAuth Authorization

hackadvisor

Task: DevRelay API platform uses OAuth 2.0 Authorization Code flow with no redirect_uri validation, plus an admin bot that visits user-submitted URLs. Solution: Craft malicious OAuth authorize URL redirecting the admin's auth code to a Request Bin, exchange the code for an access token, and access /api/admin/secrets.

nodejs session_hijacking nginx express admin_bot oauth2 open_redirect authorization_code_flow request_bin token_exchange

admin_bot_exploitationoauth_redirect_uri_open_redirectauthorization_code_interceptionrequest_bin_exfiltrationoauth_token_exchange

$ ls tags/ techniques/

nodejs session_hijacking nginx express admin_bot oauth2 open_redirect authorization_code_flow request_bin token_exchange

admin_bot_exploitationoauth_redirect_uri_open_redirectauthorization_code_interceptionrequest_bin_exfiltrationoauth_token_exchange

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ grep --similar

Similar writeups

[web][Pro]Lab 303 — DevGateway — Broken Access Control in Admin API— hackadvisor
[web][Pro]Lab 406 — PingRelay — Prototype Pollution to SSRF via CRLF Header Injection— hackadvisor
[web][Pro]Lab 348 — Connectify — IDN Homograph OAuth Open Redirect— hackadvisor
[web][Pro]Lab 4 — EdgeRelay — HTTP Request Smuggling via CL-TE Desync— hackadvisor
[web][Pro]Lab 173 — ConnectHub — OAuth Open Redirect via URL Userinfo Bypass— hackadvisor