Lab 35 — GateKeeper SSO — Open Redirect via Regex URI Validation

hackadvisor

Task: OAuth 2.0 SSO platform with regex-based redirect_uri validation where dot is unescaped, admin bot visits support ticket URLs. Solution: Bypass redirect_uri regex by replacing dot with dash, capture admin's authorization code via callback tester, exchange for access token to retrieve flag from userinfo endpoint.

jwt admin_bot oauth2 regex_bypass open_redirect sso openid_connect redirect_uri authorization_code callback_tester

admin_bot_exploitationregex_dot_bypassredirect_uri_validation_bypassoauth_authorization_code_thefttoken_exchange

$ ls tags/ techniques/

jwt admin_bot oauth2 regex_bypass open_redirect sso openid_connect redirect_uri authorization_code callback_tester

admin_bot_exploitationregex_dot_bypassredirect_uri_validation_bypassoauth_authorization_code_thefttoken_exchange

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ grep --similar

Similar writeups

[web][Pro]Lab 348 — Connectify — IDN Homograph OAuth Open Redirect— hackadvisor
[web][Pro]Lab 173 — ConnectHub — OAuth Open Redirect via URL Userinfo Bypass— hackadvisor
[web][free]SSOS— hackthebox
[web][Pro]Lab 80 — GateGuard — SQL Injection in Organization Filter API— hackadvisor
[web][Pro]Lab 303 — DevGateway — Broken Access Control in Admin API— hackadvisor