Posts
OAuth client credentials. How to find and utilize them for the bug bounty
The OAuth client credentials grant type is the way an OAuth application authenticates itself (as a client, with no user involved) to obtain an access token.
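The exchange behind that grant, as an added example that is not code from the original post: both sides of RFC 6749 section 4.4 are simulated in-process so it runs offline. The client ids, secrets, scopes and token URL are constructed placeholders; the second registered client models a browser app whose secret shipped inside its JS bundle with far broader scopes than a front end should hold, which is exactly the situation a bug hunter is looking for.

```python
"""Minimal model of the OAuth 2.0 client credentials grant (RFC 6749 section 4.4).

Added example, not code from the original post. Both sides of the exchange are
simulated in-process so it runs offline; client ids, secrets, scopes and the
token endpoint URL are constructed placeholders, not real ones.
"""
import base64
import json
import secrets
from urllib.parse import parse_qs, urlencode

# Constructed registry: what the authorization server knows about each client.
# "web-spa-prod" models a front-end client whose secret leaked in a JS bundle
# and which was registered with admin-level scopes (the misconfiguration).
REGISTERED_CLIENTS = {
    "web-spa-prod": {
        "secret": "s3cr3t-from-bundle-js",
        "scopes": {"payments:read", "users:read", "admin:reports"},
    },
    "mobile-app": {"secret": "another-secret", "scopes": {"payments:read"}},
}


def build_token_request(token_url, client_id, client_secret, scope=None):
    """Client side: RFC 6749 4.4.2 request, client authenticated with HTTP Basic (2.3.1)."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Authorization": f"Basic {creds}",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    form = {"grant_type": "client_credentials"}
    if scope:
        form["scope"] = scope
    return {"url": token_url, "headers": headers, "body": urlencode(form)}


def handle_token_request(request, registry=REGISTERED_CLIENTS):
    """Server side: authenticate the client, then issue a token carrying its scopes.

    Returns (http_status, json_body) like a real token endpoint would."""
    auth = request["headers"].get("Authorization", "")
    if not auth.startswith("Basic "):
        return 401, {"error": "invalid_client"}
    try:
        client_id, _, client_secret = base64.b64decode(auth[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return 401, {"error": "invalid_client"}
    client = registry.get(client_id)
    # Constant-time compare so even this mock does not leak the secret via timing.
    if client is None or not secrets.compare_digest(client["secret"], client_secret):
        return 401, {"error": "invalid_client"}
    form = {k: v[0] for k, v in parse_qs(request["body"]).items()}
    if form.get("grant_type") != "client_credentials":
        return 400, {"error": "unsupported_grant_type"}
    # With no explicit scope the server grants everything the client was registered with.
    requested = set(form["scope"].split()) if form.get("scope") else client["scopes"]
    if not requested <= client["scopes"]:
        return 400, {"error": "invalid_scope"}
    return 200, {
        "access_token": secrets.token_urlsafe(32),
        "token_type": "Bearer",
        "expires_in": 3600,
        "scope": " ".join(sorted(requested)),
    }


def try_leaked_credentials(client_id, client_secret,
                           token_url="https://auth.example.invalid/oauth/token"):
    """What a tester does with credentials pulled from a bundle: ask for a token
    with no scope and read back which scopes the server hands out."""
    return handle_token_request(build_token_request(token_url, client_id, client_secret))


if __name__ == "__main__":
    status, body = try_leaked_credentials("web-spa-prod", "s3cr3t-from-bundle-js")
    print(status, json.dumps(body, indent=2))
```

The check worth keeping from this is the last step: after a leaked id/secret pair yields a 200, the `scope` field of the response (or the decoded token claims on a real server) tells you whether the client was over-privileged, which is what turns a found secret into the admin-endpoint access the next post describes.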
Access to some admin endpoints with OAuth client credentials
The target is a fintech company that centralizes payments for companies and their employees.
The diffskip tool for JS files
I monitor changes in the target's main scripts to find new features or juicy things like keys, tokens, or new endpoints. Because this is primarily black-box testing, the JS files are minified and their diffs contain a lot of garbage.
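The noise problem described above, and one way to filter it, as an added example (this is not the diffskip tool from the post). It diffs two constructed versions of a minified bundle: a raw diff reports nearly every statement as changed because of renamed identifiers, while comparing the set of extracted endpoints and secrets between versions reports only what is actually new. Bundle contents and the patterns are constructed for the example.

```python
"""Compare two versions of a minified JS bundle and keep only the interesting additions.

Added example, not the diffskip tool from the post. The two bundle versions and the
patterns below are constructed for illustration.
"""
import difflib
import re

# Constructed sample: the second version renames identifiers (pure noise) and also adds a
# new admin route plus an OAuth client secret, which is what a monitor should surface.
OLD_BUNDLE = 'function a(e){return e+1}var b="/api/v1/payments";function c(t){fetch(b+"/"+t)}var d=1;'
NEW_BUNDLE = ('function q(e){return e+1}var w="/api/v1/payments";function z(t){fetch(w+"/"+t)}var y=2;'
              'var k={client_id:"web-spa-prod",client_secret:"s3cr3t-from-bundle-js"};'
              'function m(){fetch("/api/v1/admin/reports")}')

# Patterns a bug hunter cares about; each has exactly one capture group for the value.
INTERESTING = [
    ("endpoint", re.compile(r'"(/[A-Za-z0-9_\-./]{2,})"')),
    ("url", re.compile(r'"(https?://[^"\s]+)"')),
    ("secret", re.compile(r'(?i)(?:client_?secret|api_?key)\s*[:=]\s*"([^"]+)"')),
]


def expand(js):
    """Crude beautifier: split the one-line bundle after ; { } so difflib compares
    statements instead of one enormous line."""
    return [s for s in re.split(r'(?<=[;{}])', js) if s.strip()]


def added_lines(old_js, new_js):
    """Statements a plain unified diff reports as added. Renamed variables make
    almost everything show up here, which is the garbage the post complains about."""
    diff = difflib.unified_diff(expand(old_js), expand(new_js), lineterm="", n=0)
    return [line[1:] for line in diff if line.startswith("+") and not line.startswith("+++")]


def extract(js):
    """Set of (kind, value) findings present anywhere in a bundle."""
    return {(kind, m.group(1)) for kind, pat in INTERESTING for m in pat.finditer(js)}


def new_findings(old_js, new_js):
    """Findings in the new bundle that the old one did not contain. Comparing extracted
    values rather than diff lines makes identifier renames and reordering invisible."""
    return extract(new_js) - extract(old_js)


if __name__ == "__main__":
    noisy = added_lines(OLD_BUNDLE, NEW_BUNDLE)
    print(f"raw diff: {len(noisy)} added statements")
    for kind, value in sorted(new_findings(OLD_BUNDLE, NEW_BUNDLE)):
        print(f"new {kind}: {value}")
```

In practice the extraction step is where the effort goes: run it over the beautified bundle and keep a per-target baseline of findings, so a fresh deploy only alerts on values that were never seen, not on every re-minification.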
Access to all users data with OAuth client credentials
It is a real-world example of the OAuth client credentials attack vector.