OAuth2: Github HTTP HEAD

This exercise covers the exploitation of the HTTP HEAD issue impacting Github in 2019

< 1 Hr.


In this course, we delve into the exploitation of an insecure OAuth2 Authorization Server. The vulnerability arises from a combination of weaknesses, including how Rails handles HTTP GET and HTTP HEAD requests, and the Github source code's use of the same method for GET and POST requests. This flaw allows a malicious user to bypass CSRF protection and trick a victim into authorizing an application without their consent.

You'll go through the process of exploiting this vulnerability by registering an OAuth application, setting up a malicious web page, and obtaining a token to access protected resources. This exercise underscores the importance of thoroughly understanding OAuth2 implementations to identify and rectify potential security issues before they can be exploited.

Want to learn more? Get started with PentesterLab Pro! GO PRO