Redox OAuth PoC — Attacker Callback

HackerOne program: redox_bbp • Finding: Unauthenticated Dynamic Client Registration • Severity: HIGH

Captured Parameters

Authorization Code
State
Full Callback URL

Attack Chain

1. Register an OAuth client (no authentication required)
   POST /platform/v1/oauth/register → 201 with client_id + client_secret (confirmed)
2. Craft an authorization URL with an attacker-controlled redirect_uri
   Points to the legitimate Redox consent page at 10x.redoxengine.com/#/oauth/authorize
3. Victim approves consent → authorization code is sent to the attacker's callback
4. Exchange the code for a token with the platform_access scope
   POST /platform/v1/oauth/token → access_token + refresh_token
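The chain above depends on two server-side gaps: registration without any credential, and a redirect_uri that is not checked against what the client registered. The following is an added, defender-side example (not code from the PoC or from Redox) of the checks that close both; the endpoint paths come from the report, while the token store, client store and sample URIs are constructed for illustration.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed: RFC 7591 allows the registration endpoint to require an
# initial access token issued out of band; without one, anyone can register.
INITIAL_ACCESS_TOKENS = {"constructed-initial-token"}
CLIENTS = {}  # client_id -> {"secret": str, "redirect_uris": [str, ...]}


def register_client(bearer_token, redirect_uris):
    """POST /platform/v1/oauth/register: refuse unauthenticated registration
    and refuse redirect URIs that are not absolute https URLs."""
    presented = bearer_token or ""
    if not any(hmac.compare_digest(presented, t) for t in INITIAL_ACCESS_TOKENS):
        return 401, None
    for uri in redirect_uris:
        parts = urlsplit(uri)
        if parts.scheme != "https" or not parts.netloc or parts.fragment:
            return 400, None
    client_id = secrets.token_urlsafe(16)
    CLIENTS[client_id] = {
        "secret": secrets.token_urlsafe(32),
        "redirect_uris": list(redirect_uris),
    }
    return 201, client_id


def authorize(client_id, redirect_uri):
    """/oauth/authorize: accept only an exact string match against the URIs
    registered for this client_id; prefix or host matching is not enough."""
    client = CLIENTS.get(client_id)
    if client is None:
        return 400, "unknown_client"
    if redirect_uri not in client["redirect_uris"]:
        # On failure, show an error page; never redirect to the supplied URI,
        # since that would itself be an open redirect carrying the code.
        return 400, "invalid_redirect_uri"
    return 302, redirect_uri
```

A registered client should also be tied to an identified party during onboarding, so that an issued client_id can be traced and revoked; the code above only shows the request-time checks.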

Impact

With the captured authorization code, the attacker exchanges it for a platform_access token that inherits the victim's full permissions: