Home

Awesome

OAUTHScan

Description

OAUTHScan is a Burp Suite Extension written in Java with the aim to provide some automatic security checks, which could be useful during penetration testing on applications implementing OAUTHv2 and OpenID standards.

The plugin looks for various OAUTHv2/OpenID vulnerabilities and common misconfigurations (based on official specifications of both frameworks), many of the checks have been developed according with the following references:

Below a non-exhaustive list of checks performed by OAUTHScan:

Installation

First download (or clone) the OAUTHScan repository from this repo. Then build it using gradle command: gradlew build fatJar. Finally use the Burp GUI Extender tab to import the generated 'OAUTHscan-all-X.Y.jar' file (located on "build/libs/" project folder).

Usage

OAUTHScan is fully integrated with the Burp Scanner, after installed on Burp you have only to launch Passive or Active scans on your targeted request.

Author

GNU License

Copyright (c) 2022 OAUTHScan

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program. If not, see http://www.gnu.org/licenses/