
Script OAUTH/OIDC: Features to add

Open righettod opened this issue 4 years ago • 0 comments

Target

List of features

  • [x] Add detection of the support for the Hybrid flow.
  • [x] Add detection of the support of the claims parameter - See here.
  • [x] Add a test to enumerate the Audience parameter in order to discover audience defined in the STS.
  • [ ] Study the OIDC spec for additional interesting attack vectors to check and add to the script.
  • [ ] Check if this talk contains missing attack surface. If yes then add them to the script.
  • [ ] Same approach with the RFC9101.
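The first two detections in the list (hybrid flow, `claims` parameter) can both be read from the provider's OIDC discovery document. The snippet below is an added example, not code from the toolbox-pentest-web script; it parses a constructed `.well-known/openid-configuration` response and reports what the provider advertises, using the `response_types_supported` and `claims_parameter_supported` fields defined in OIDC Discovery 1.0.

```python
"""Detect hybrid-flow and claims-parameter support from OIDC discovery metadata.
Added example for the checks listed above; not the project's own script."""
import json
from typing import Dict, List

# Hybrid flow response_type values as defined in OIDC Core 1.0, section 3.3.
HYBRID_RESPONSE_TYPES = {"code id_token", "code token", "code id_token token"}


def normalize_response_type(value: str) -> str:
    """Token order in a multi-valued response_type is not significant
    (OAuth 2.0 Multiple Response Type Encoding Practices), so sort the
    tokens before comparing: 'id_token code' == 'code id_token'."""
    return " ".join(sorted(value.split()))


def hybrid_flow_support(metadata: Dict) -> List[str]:
    """Return the hybrid response_type values the provider advertises, sorted."""
    advertised = metadata.get("response_types_supported", [])
    wanted = {normalize_response_type(v) for v in HYBRID_RESPONSE_TYPES}
    return sorted(v for v in advertised if normalize_response_type(v) in wanted)


def claims_parameter_support(metadata: Dict) -> bool:
    """claims_parameter_supported is OPTIONAL in OIDC Discovery; absent means false."""
    return bool(metadata.get("claims_parameter_supported", False))


def analyze(discovery_json: str) -> Dict:
    """Summarise the two detections for one discovery document (JSON text)."""
    metadata = json.loads(discovery_json)
    hybrid = hybrid_flow_support(metadata)
    return {
        "hybrid_flow": bool(hybrid),
        "hybrid_response_types": hybrid,
        "claims_parameter": claims_parameter_support(metadata),
    }


# Constructed sample discovery document (hypothetical issuer, not a real provider).
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://idp.example.test",
    "authorization_endpoint": "https://idp.example.test/authorize",
    "response_types_supported": ["code", "id_token", "id_token code", "code token"],
    "claims_parameter_supported": True,
})

if __name__ == "__main__":
    print(json.dumps(analyze(SAMPLE_DISCOVERY), indent=2))
```

A provider that advertises a hybrid response type or `claims_parameter_supported: true` exposes that surface whether or not any registered client uses it, so the result is worth comparing against the flows the deployment actually needs.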

References

  • https://www.scottbrady91.com/OpenID-Connect/OpenID-Connect-Flows
  • https://auth0.com/docs/flows/hybrid-flow
  • https://auth0.com/docs/flows/call-api-hybrid-flow
  • https://openid.net/specs/openid-connect-core-1_0.html#ClaimsParameter
  • https://openid.net/specs/openid-connect-core-1_0.html

Extra docs

(five screenshots were attached to the original issue; not reproduced here)

righettod, Aug 13 '21 05:08