OAuth Web Application Security Scanner
This is a tool for scanning web OAuth 2.0 implementations for vulnerabilities. Based on the interactions among the parties involved (Client, User, Authorization Server and Resource Server), the attacks are divided into several classes.
Install and start the MongoDB server:

```
mongod -dbpath /tmp/mongodata/ -logpath /tmp/mongodata/mongo.log -logappend -fork -port 27017
```

Install the requirements:

```
pip install -r requirements.txt
```
The following attacks are covered:

- CSRF.
- Scope Privilege Escalation.
- Open Redirection.
- Same-Origin Redirection with Referer.
- Authorization Code Middle Attack.
- Covert Redirection.
- Same-Origin Redirection with XSS.
- Access Token Middle Attack.
- Same-Origin Redirection with remote image.
- OAuth API Crawling.
Use the -h option to see the full usage.

The APIs to be scanned are best supplied in the JSON format shown below. If you find that format too complex, you can instead provide a single URL with the -u option; this takes more time and is more likely to produce a false negative.
Run one of the following commands:

```
python oscan.py -r example.json
python oscan.py -u http://api.xxx.com/xxx
```
https://en.wikipedia.org/wiki/List_of_OAuth_providers summarizes many OAuth providers. The corresponding OAuth API prefixes can be extracted from it and used to identify OAuth APIs in websites. See `data/provider.txt`:
| OAuth Provider | OAuth API format |
|---|---|
| 500px | api.500px.com/v1/oauth/request_token |
| Amazon | www.amazon.com/ap/oa |
| AOL | api.login.aol.com/oauth2/request_auth |
| Autodesk | developer.api.autodesk.com/authentication/v1/authorize |
| Basecamp | launchpad.37signals.com/authorization/new |
| Battle.net | battle.net/oauth/authorize |
| Bitbucket | bitbucket.org/site/oauth2/authorize |
| Facebook | www.facebook.com/v3.1/dialog/oauth |
| GitHub | github.com/login/oauth/authorize |
| Google | accounts.google.com/signin/oauth |
| Sina Weibo | api.weibo.com/oauth2/authorize |
| ... | ... |
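The following is an added example, not code from this project, showing how prefixes like the ones in the table can be used to pick OAuth authorization requests out of a page and record whether each one carries a `state` parameter (the input for the CSRF check listed above). The prefix dictionary and the sample HTML are constructed here for illustration; the real tool reads `data/provider.txt`.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed prefix list (host + path), copied from the table on this page.
PROVIDER_PREFIXES = {
    "GitHub": "github.com/login/oauth/authorize",
    "Facebook": "www.facebook.com/v3.1/dialog/oauth",
    "Google": "accounts.google.com/signin/oauth",
    "Sina Weibo": "api.weibo.com/oauth2/authorize",
    "Bitbucket": "bitbucket.org/site/oauth2/authorize",
}

# Crude absolute-URL matcher; stops at quotes, angle brackets and whitespace.
URL_RE = re.compile(r"""https?://[^\s"'<>]+""")


def match_provider(url):
    """Return the provider whose API prefix matches url's host+path, else None."""
    parts = urlsplit(url)
    key = parts.netloc.lower() + parts.path
    for name, prefix in PROVIDER_PREFIXES.items():
        if key.startswith(prefix):
            return name
    return None


def find_oauth_requests(html):
    """Extract OAuth authorize URLs from raw HTML and note the CSRF-relevant params."""
    findings = []
    for url in URL_RE.findall(html):
        provider = match_provider(url)
        if provider is None:
            continue
        q = parse_qs(urlsplit(url).query)
        findings.append({
            "provider": provider,
            "url": url,
            "client_id": q.get("client_id", [None])[0],
            "redirect_uri": q.get("redirect_uri", [None])[0],
            "has_state": "state" in q,  # absent state -> CSRF candidate
        })
    return findings


# Constructed sample page: one login link with state, one without, one non-OAuth link.
SAMPLE_HTML = """
<a href="https://github.com/login/oauth/authorize?client_id=abc&redirect_uri=https%3A%2F%2Fapp.example%2Fcb&state=x1">GitHub</a>
<a href="https://www.facebook.com/v3.1/dialog/oauth?client_id=123&redirect_uri=https%3A%2F%2Fapp.example%2Ffb">Facebook</a>
<a href="https://cdn.example/static/logo.png">logo</a>
"""

if __name__ == "__main__":
    for finding in find_oauth_requests(SAMPLE_HTML):
        print(finding)
```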
