Facebook OAuth Misconfiguration
Account Takeover
Authenticate via Facebook.
Click “Edit Access” and uncheck the permission to share your email address with the application, then click “Continue”.
Because the app did not receive an email address from Facebook, it redirects back and prompts you to enter one manually.
Type:
victim@example.com
No verification, no confirmation email: the app immediately logs you in as the victim.
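The server-side logic behind this flow, as an added example that is not code from the original page or from any real application: the vulnerable fallback (a typed email is trusted and matched against existing accounts) next to a hardened version that only lets a provider-asserted email match an existing account. The user store, field names and Facebook profile shape are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class User:
    email: str
    fb_id: Optional[str] = None
    email_verified: bool = True


def fresh_db() -> Dict[str, User]:
    # Constructed sample store: the victim owns a normal, verified account
    # that has never been linked to any Facebook identity.
    return {"victim@example.com": User("victim@example.com")}


def vulnerable_login(users: Dict[str, User], fb_profile: dict,
                     typed_email: Optional[str]) -> Optional[User]:
    """Vulnerable fallback from the page: when the Facebook profile carries no
    email (the user revoked that permission), whatever address the user types
    is trusted, matched against existing accounts, and linked to the caller."""
    email = fb_profile.get("email") or typed_email
    if not email:
        return None
    user = users.get(email)
    if user is None:
        user = users[email] = User(email)
    user.fb_id = fb_profile["id"]   # caller's Facebook identity now owns this account
    return user


def hardened_login(users: Dict[str, User], fb_profile: dict,
                   typed_email: Optional[str]) -> Optional[User]:
    """Hardened: only an email asserted by the identity provider may match an
    existing account. A typed address never links to an existing account; at
    most it creates a new account flagged unverified until the address is
    confirmed out of band (confirmation mail not modelled here)."""
    provider_email = fb_profile.get("email")
    if provider_email:
        user = users.get(provider_email)
        if user is None:
            user = users[provider_email] = User(provider_email)
        user.fb_id = fb_profile["id"]
        return user
    if not typed_email or typed_email in users:
        return None   # existing address: refuse login, require confirmation first
    user = users[typed_email] = User(typed_email, fb_profile["id"], False)
    return user
```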