# Authentication bypass via OAuth implicit flow This is a writeup for a challenge from PortSwigger's [Web Security Academy](https://portswigger.net/web-security/). In this one, we will learn how a misconfigured OAuth authentication can be bypassed. ### **Objective** > *This lab uses an OAuth service to allow users to log in with their social media account. Flawed validation by the client application makes it possible for an attacker to log in to other users' accounts without knowing their password.* > *To solve the lab, log in to Carlos's account. His email address is* [`carlos@carlos-montoya.net`](mailto:carlos@carlos-montoya.net). > *You can log in with your own social media account using the following credentials:* `wiener:peter`. ### **Solving the challenge** We will start with launching our challenge [here](https://portswigger.net/web-security/all-labs#oauth-authentication). Give it a few seconds, and your browser will generate something like that: ![](https://telegra.ph/file/9cc3acb3801a1475b8ad1.png align="center") Make sure that you are capturing your traffic with Burp. We will navigate to the `My account` section and login with `wiener:peter` credentials Let's authorize this request and see how it looks in Burp: ![](https://telegra.ph/file/0ba51d1a14ace0e7215ad.png align="center") It starts with a `GET` request for `/auth/` ![](https://telegra.ph/file/f7373b12a53a8e2f22a03.png align="center") And ended up with `POST` request with some input date in the body: ![](https://telegra.ph/file/a7050f15311c155d4c68c.png align="center") Interesting. We can replace the email address with the target one, and this `POST` request will not cause the error message: ![](https://telegra.ph/file/bc67354829b73187e53fe.png align="center") To solve the lab, we can right-click on a request and select `Request in browser` - `In the original session`: ![](https://telegra.ph/file/88cabec5c79d096b146d3.png align="center") Copy the URL that Burp will generate for you and paste it to the browser: ![](https://telegra.ph/file/1a1c0b579e5d649db14d2.png align="center") Congrats! You successfully bypassed OAuth authentication!