OAuth 2.0 has become the de facto standard for authorization across the web, powering login systems for millions of applications. However, its widespread implementation also creates a vast attack surface that security researchers can explore. This article details my methodology for OAuth attack surface mapping using URLScan.io’s powerful dorking capabilities—a technique that has helped me discover numerous security vulnerabilities in OAuth implementations.

While organizations invest significant resources in securing their main applications, OAuth integrations often receive less security scrutiny.

Understanding the OAuth Attack Surface

Before diving into the techniques, it’s important to understand what constitutes the OAuth attack surface. OAuth implementations typically include:

1. Authorization Endpoints: Where users are directed to grant permissions
2. Redirect URIs: Where users are sent after authorization
3. Token Endpoints: Where applications exchange authorization codes for access tokens
4. Resource Endpoints: Where applications use tokens to access protected resources
5. Client Registration: How applications register to use the OAuth service

Each of these components presents unique security challenges and potential vulnerabilities:

• Improper redirect URI validation
• Insufficient state parameter validation
• Token leakage through referrer headers
• Insecure token storage
• CSRF vulnerabilities in authorization flows
• Open redirects in OAuth callbacks

Effective OAuth attack surface mapping involves identifying these components across target applications and methodically testing them for security weaknesses.

URLScan.io: A Powerful Tool

URLScan.io is a service that scans and analyzes websites, providing detailed information about the resources they request, the responses they receive, and various security-relevant aspects. While it’s primarily designed for website analysis, its advanced search capabilities make it an excellent tool.

Why?

1. Massive Dataset: URLScan maintains a database of millions of scanned websites
2. Historical Data: Captures OAuth flows that may no longer be actively used
3. Query Capabilities: Powerful search syntax for targeted discovery
4. Metadata Collection: Captures HTTP headers, JavaScript resources, and redirect chains
5. Public Access: Basic functionality available without cost

Essential URLScan Dorking Techniques

Dorking refers to using advanced search queries to find specific information within a search engine or database. We can use specialized URLScan queries to uncover OAuth implementations across the web.

Technique 1: Discovering OAuth Authorization Endpoints

To find authorization endpoints for specific OAuth providers, use queries like:

Provider: page.url:"oauth" AND page.url:"authorize" AND domain:"target.com"

This query identifies pages with “oauth” and “authorize” in the URL within the target domain, which typically indicates OAuth authorization endpoints.

For more specific providers, try:

Google: page.url:"google" AND page.url:"oauth" AND domain:"target.com"
Facebook: page.url:"facebook" AND page.url:"oauth" AND domain:"target.com"
Github: page.url:"github" AND page.url:"oauth" AND domain:"target.com"

Technique 2: Finding Redirect URIs

Redirect URIs are critical components because they often contain implementation flaws. To find them:

redirect_uri: page.url:"redirect_uri" AND domain:"target.com"
callback: page.url:"callback" AND domain:"target.com"

More specifically, for OAuth state parameters (which should be used to prevent CSRF attacks):

page.url:"state=" AND page.url:"code=" AND domain:"target.com"

Technique 3: Identifying OAuth Token Endpoints

Token endpoints are where applications exchange authorization codes for access tokens:

token: page.url:"token" AND page.url:"oauth" AND domain:"target.com"

For more comprehensive results:

page.url:"token" AND (page.url:"oauth" OR page.url:"auth") AND domain:"target.com"

Technique 4: Discovering OAuth Client IDs

Client IDs can be valuable because they help identify registered applications:

client_id: page.url:"client_id=" AND domain:"target.com"

For specific providers:

page.url:"client_id=" AND page.url:"google" AND domain:"target.com"

Technique 5: Finding OAuth Implementations in JavaScript

OAuth configurations are often stored in JavaScript files:

response.body:"oauth" AND response.body:"clientId" AND domain:"target.com"

This finds JavaScript files containing OAuth-related configuration parameters.

Advanced OAuth Attack Surface Mapping Strategies

Strategy 1: Chaining Multiple Dorks

By combining multiple queries, you can build a comprehensive map of a target’s OAuth infrastructure:

1. Start by identifying all OAuth providers used by the target: page.url:"oauth" AND domain:"target.com"
2. For each provider, find specific implementation details: page.url:"[provider]" AND page.url:"oauth" AND domain:"target.com"
3. Look for redirect URIs for each provider: page.url:"redirect_uri" AND page.url:"[provider]" AND domain:"target.com"

Strategy 2: Analyzing Historical Data

URLScan’s historical data can reveal OAuth implementations that may have been removed from the current site but might still be accessible:

oauth: page.url:"oauth" AND domain:"target.com" AND date:<2022-01-01

Compare with recent data to identify potentially forgotten OAuth flows:

page.url:"oauth" AND domain:"target.com" AND date:>2023-01-01

Strategy 3: Examining Related Subdomains

OAuth vulnerabilities often exist in less-maintained subdomains:

domain:"*.target.com" AND page.url:"oauth"

This finds OAuth implementations across all subdomains of the target.

Real-World Case Study

To demonstrate the effectiveness of OAuth attack surface mapping using URLScan dorking, I’ll share a redacted case study from a recent bug bounty engagement.

Target Profile

• Large financial services company with numerous web properties
• Multiple third-party OAuth integrations
• Several acquisitions with potentially inconsistent security practices

OAuth Attack Surface Mapping Process

1. Initial Discovery: Using domain:"*.target.com" AND page.url:"oauth", I identified 17 different subdomains with OAuth implementations.
2. Provider Analysis: Further queries revealed they used four primary OAuth providers: Google, Facebook, Microsoft, and their own custom OAuth service.
3. Vulnerability Identification: On one subdomain belonging to a recent acquisition, I found an OAuth implementation with: page.url:"redirect_uri=" AND page.url:"code=" AND domain:"acquired-company.target.com"
4. Exploit Development: The implementation failed to validate the redirect_uri parameter properly, allowing arbitrary redirects with the authorization code.
5. Impact Assessment: This vulnerability allowed account takeover by stealing the authorization code through a malicious redirect.

Resolution

The bug was reported through their bug bounty program and fixed within 48 hours, with a substantial bounty awarded due to the high impact of the vulnerability.

Common OAuth Vulnerabilities Discovered

When conducting OAuth attack surface mapping, look for these common vulnerabilities:

1. Improper Redirect URI Validation
   • Accepting arbitrary subdomains
   • Path traversal in redirect URIs
   • Open redirects in OAuth flows
2. Missing State Parameter
   • No CSRF protection in authorization requests
   • Predictable state parameters
3. Token Exposure
   • Access tokens leaked in URLs
   • Tokens exposed in referrer headers
   • Improper token storage
4. Scope Misconfigurations
   • Overly permissive scopes
   • Missing scope validation
5. Client Secret Exposure
   • JavaScript
   • Mobile apps
   • GitHub repositories

Tools to Enhance

While URLScan dorking is powerful, combining it with these tools can enhance your OAuth attack surface mapping:

1. Burp Suite: For intercepting and modifying OAuth requests
2. OWASP ZAP: For automated scanning of OAuth endpoints
3. Postman: For crafting custom OAuth requests
4. OAuth 2.0 Debugger: For analyzing OAuth flows
5. JWT Decoder: For examining token contents

Best Practices

When conducting OAuth attack surface mapping, follow these guidelines:

1. Respect Legal Boundaries
   • Only test systems you have permission to test
   • Follow responsible disclosure policies
   • Don’t exploit vulnerabilities beyond proof-of-concept
2. Minimize Impact
   • Avoid testing with production accounts
   • Don’t extract or exfiltrate sensitive data
   • Limit requests to prevent service disruption
3. Document Thoroughly
   • Record all testing activities
   • Maintain clear evidence of vulnerabilities
   • Provide detailed reproduction steps

Conclusion

As OAuth continues to evolve and adoption increases, OAuth attack surface mapping will remain a valuable technique for security researchers. The OAuth 2.1 specification aims to address many common vulnerabilities, but implementation flaws will persist as organizations struggle to implement security best practices consistently.

By mastering URLScan dorking techniques for it, security researchers can discover vulnerabilities that automated scanners might miss, helping organizations secure their authentication systems before malicious actors can exploit them.

The dynamic nature of web applications and continuous deployment practices means the OAuth attack surface is constantly changing. Regular do it can help security teams stay ahead of emerging threats and vulnerabilities.

Remember that the goal of OAuth attack surface mapping is not just to find vulnerabilities but to improve the overall security posture of authentication systems that millions of users rely on daily.

---

This article is intended for educational purposes and to help security professionals and bug bounty hunters improve their skills. Always obtain proper authorization before performing security testing on any system.