1. Web Security Academy
  2. OAuth authentication
  3. OpenID Connect
  4. Lab

Lab: SSRF via OpenID dynamic client registration


This lab allows client applications to dynamically register themselves with the OAuth service via a dedicated registration endpoint. Some client-specific data is used in an unsafe way by the OAuth service, which exposes a potential vector for SSRF.

To solve the lab, craft an SSRF attack to access and steal the secret access key for the OAuth provider's cloud environment.

You can access your own account using the following credentials: wiener:peter


To prevent the Academy platform being used to attack third parties, our firewall blocks interactions between the labs and arbitrary external systems. To solve the lab, you must use Burp Collaborator's default public server (burpcollaborator.net).