Lab 273 — AuthForge — SSRF via OAuth Dynamic Client Registration

hackadvisor

Task: OAuth 2.0 identity platform with Dynamic Client Registration (RFC 7591) where logo_uri is fetched server-side without SSRF protections. Solution: Registered OAuth client with logo_uri pointing to localhost:3001 internal metadata service, then accessed the logo endpoint to exfiltrate secrets including the flag.

ssrf nodejs nginx express internal_service localhost_access metadata_service oauth dynamic_client_registration rfc7591 logo_uri

ssrf_via_logo_urioauth_dynamic_client_registration_abuseinternal_metadata_service_accesslocalhost_ssrf

$ ls tags/ techniques/

ssrf nodejs nginx express internal_service localhost_access metadata_service oauth dynamic_client_registration rfc7591 logo_uri

ssrf_via_logo_urioauth_dynamic_client_registration_abuseinternal_metadata_service_accesslocalhost_ssrf

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ grep --similar

Similar writeups

[web][Pro]Lab 341 — KeyVault2FA — SSRF via OTP Account Import— hackadvisor
[web][Pro]Lab 282 — StreamForge — SSRF via Webhook Test Bypasses Proxy Auth— hackadvisor
[web][Pro]Lab 205 — DockForge — SSRF in Webhook Test Endpoint— hackadvisor
[web][Pro]Lab 58 — ReportForge — SSRF via PDF Export Logo URL— hackadvisor
[web][Pro]Lab 267 — RestForge — SQL Injection in Dynamic Data Endpoint— hackadvisor