Portswigger OAuth authentication Labs
Portswigger Academy OAuth authentication Labs

Introduction

What?

The basic OAuth process is widely used to integrate third-party functionality that requires access to certain data from a user’s account. For example, an application might use OAuth to request access to your email contacts list so that it can suggest people to connect with. However, the same mechanism is also used to provide third-party authentication services, allowing users to log in with an account that they have with a different website.

Why?

OAuth 2.0 is popular with attackers because it is both extremely common and inherently prone to implementation mistakes. This can result in a number of vulnerabilities, allowing attackers to obtain sensitive user data and potentially bypass authentication completely.

How?