Web Interfaces
Authentication Forms
Protected Pages
- Basic Auth Required
- Session Required (logged_in: true)
- 2FA Session Required (2fa_logged_in: true)
- Secret Header Required
- Secret Cookie Required
Vulnerable Tools
GraphQL Query
Execute GraphQL queries against the API
GraphQL Injection
No Depth Limiting
WAF Block Simulation
Simulates a Web Application Firewall blocking a request (HTML page + JSON API)
WAF
OAuth2 Testing Guide
This lab implements two OAuth2 grant types: Authorization Code (user login via browser + API token exchange) and Client Credentials (pure API, machine-to-machine, no user involved). Multiple intentional vulnerabilities are present for pentest practice.
How the Authorization Code Flow Works
1
User clicks "Login with OAuth2" Browser
Client app redirects the user's browser to the authorization server
GET /web/oauth2/authorize?response_type=code&client_id=vulapp-client-001&redirect_uri=/web/oauth2/callback&scope=read+profile&state=random123
▼
2
User authenticates and grants consent Browser
The authorization server shows a login form and permission consent screen. The user enters credentials (admin / easypassword) and clicks "Authorize".
▼
3
Server redirects back with authorization code Browser
The browser is redirected to the callback URL with a short-lived authorization code in the URL.
/web/oauth2/callback?code=abc123def456&state=random123
▼
4
Client exchanges code for access token API
Server-to-server POST request. The client sends the authorization code, client credentials, and gets back an access token.
POST /api/v1/oauth2/token
▼
5
Client accesses protected resources API
The client uses the Bearer token to call API endpoints on behalf of the user.
GET /api/v1/oauth2/userinfo (Authorization: Bearer <token>)
How Client Credentials Works (API-only)
No browser, no user, no redirects. The application authenticates as itself with a single API call and gets a token back. Used for machine-to-machine communication.
1
Client sends credentials directly API
POST with client_id, client_secret, and desired scope. No user interaction needed.
POST /api/v1/oauth2/token (grant_type=client_credentials)
▼
2
Client uses token to call APIs API
The token represents the application itself (not a user). The username will be "service-account-vulapp-client-001".
GET /api/v1/oauth2/userinfo (Authorization: Bearer <token>)
Try it: Client Credentials (curl)
# Step 1: Get a token with client credentials curl -X POST http://localhost:5000/api/v1/oauth2/token \ -H "Content-Type: application/json" \ -d '{ "grant_type": "client_credentials", "client_id": "vulapp-client-001", "client_secret": "super-secret-client-secret", "scope": "read profile" }' # Response: # { # "access_token": "a1b2c3d4e5f6...", # "token_type": "Bearer", # "expires_in": 3600, # "scope": "read profile" # }
# Step 2: Use the token to access protected resources curl http://localhost:5000/api/v1/oauth2/userinfo \ -H "Authorization: Bearer <ACCESS_TOKEN>" # Response: # { # "sub": "service-account-vulapp-client-001", # "username": "service-account-vulapp-client-001", # "email": "service-account-vulapp-client-001@vulapp.local", # "scope": "read profile" # }
# Try it: request any scope you want (vulnerability #7)
curl -X POST http://localhost:5000/api/v1/oauth2/token \
-H "Content-Type: application/json" \
-d '{
"grant_type": "client_credentials",
"client_id": "vulapp-client-001",
"client_secret": "super-secret-client-secret",
"scope": "admin write delete"
}'
OAuth2 Endpoints
| Endpoint | Method | Type | Description |
|---|---|---|---|
| /web/oauth2/login | GET | Web | Landing page with flow overview |
| /web/oauth2/authorize | GET/POST | Web | Authorization + consent screen |
| /web/oauth2/callback | GET | Web | Receives auth code, interactive token exchange |
| /web/oauth2/profile | GET | Web | Protected resource (Bearer token or ?token=) |
| /api/v1/oauth2/token | POST | API | Token endpoint (authorization_code + client_credentials) |
| /api/v1/oauth2/userinfo | GET | API | User profile (requires Bearer token) |
Try it: Authorization Code (curl)
After completing steps 1-3 in the browser above, copy the authorization code from the callback URL and run:
# Step 4: Exchange the authorization code for an access token curl -X POST http://localhost:5000/api/v1/oauth2/token \ -H "Content-Type: application/json" \ -d '{ "grant_type": "authorization_code", "code": "<AUTH_CODE_FROM_STEP_3>", "client_id": "vulapp-client-001", "client_secret": "super-secret-client-secret", "redirect_uri": "/web/oauth2/callback" }' # Response: # { # "access_token": "a1b2c3d4e5f6...", # "token_type": "Bearer", # "expires_in": 3600, # "scope": "read profile" # }
# Step 5: Use the token to access protected resources curl http://localhost:5000/api/v1/oauth2/userinfo \ -H "Authorization: Bearer <ACCESS_TOKEN>" # Response: # { # "sub": "admin", # "username": "admin", # "email": "admin@vulapp.local", # "scope": "read profile" # }
Intentional Vulnerabilities
-
1
Open Redirect —
redirect_uriis never validated. An attacker can change it to any URL to steal authorization codes. -
2
No CSRF Protection — The
stateparameter is passed through but never validated server-side. - 3 Auth Code Replay — Authorization codes are not invalidated after use and can be exchanged for tokens multiple times.
-
4
No Client Secret Validation — The token endpoint accepts any value (or none) for
client_secret. -
5
Token in Query String —
/web/oauth2/profile?token=...is accepted, leaking tokens in logs and Referer headers. - 6 Predictable Auth Codes — Codes are generated with MD5(username + timestamp), making them guessable.
-
7
Unrestricted Scopes (Client Credentials) — The client_credentials grant accepts any
scopevalue without validation. Requestadminorwrite deleteand it will be granted.
Drawing Tools
GeoSketcher
Interactive geometric shape drawing tool with snap-to-point functionality
Geometry
Polar Plotter
Create beautiful spirograph patterns with rotating lines
Visualization