Exploiting OAuth: Journey to Account Takeover

Most web and mobile applications today use OAuth to secure their authorization endpoints. It lets them grant their users access to particular resources according to the application’s requirements.

This is a write-up of a chain of vulnerabilities (an OAuth misconfiguration, CSRF, XSS, and a weak CSP) that allowed me to take over a user account with a single interaction.

This was a typical project management web application that used Microsoft’s OAuth 2.0 to authorize its users and grant them access to the application. Let’s call it –

Posted by SH
