Masked Menace: How a Fake OAuth App and a Loose GraphQL Endpoint Stole the Real Keys
Summary
During routine reconnaissance, the author found a suspicious host: auth-api.target.com.
On closer inspection the host fronted an OAuth authorisation flow, a strong hint that access tokens or client secrets were in play and worth looking for.
The author then widened the search with the following pipeline: subfinder -d target.com | httpx -title -status-code -content-length -mc 200.
subfinder passively enumerates subdomains of target.com; httpx probes each one for a live HTTP service and prints the URL alongside its page title, HTTP status code and content length, while -mc 200 (match code) keeps only hosts that answered 200 OK. The result is a quick inventory of reachable web servers with enough context to spot the interesting ones.
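The triage step that follows such a scan, shown here as an added example that is not code from the original write-up. The hostnames and titles in the sample are constructed for illustration, and the subfinder/httpx flags used in recon_pipeline are assumptions about the installed tool versions:

```shell
#!/bin/sh
# Constructed sample of httpx plain output (hosts and titles are invented).
# httpx prints the URL first, then bracketed columns; the column order depends on
# the flags and the httpx version, so the parser below does not assume positions.
SAMPLE_HTTPX_OUTPUT='https://www.target.com [200] [15230] [Target - Home]
https://auth-api.target.com [200] [4312] [Sign in to continue]
https://cdn.target.com [200] [512] []
https://gql.target.com [200] [87] [GraphQL Playground]
https://legacy.target.com [403] [120] [Forbidden]'

# triage_httpx: read httpx plain output on stdin and print "url<TAB>keywords"
# for hosts worth a manual look. Only lines carrying a [2xx] column are kept,
# mirroring what -mc 200 does at scan time when run over saved output.
# Caveat: a content length of exactly 200 bytes is indistinguishable from a
# status column in plain output; use httpx -json when that matters.
triage_httpx() {
    awk '
    {
        if ($0 !~ /\[2[0-9][0-9]\]/) next
        line = tolower($0)
        n = split("oauth auth sso login token graphql gql api", kw, " ")
        hits = ""
        for (i = 1; i <= n; i++) {
            if (index(line, kw[i]) > 0)
                hits = hits (hits == "" ? "" : ",") kw[i]
        }
        if (hits != "") print $1 "\t" hits
    }'
}

# recon_pipeline: the live version of the scan described above, feeding the
# triage function. Flags are assumed: subfinder -silent, httpx -silent.
recon_pipeline() {
    domain="$1"
    command -v subfinder >/dev/null 2>&1 || { echo "subfinder not installed" >&2; return 1; }
    command -v httpx >/dev/null 2>&1 || { echo "httpx not installed" >&2; return 1; }
    subfinder -d "$domain" -silent \
        | httpx -silent -title -status-code -content-length -mc 200 \
        | triage_httpx
}

# Offline demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_HTTPX_OUTPUT" | triage_httpx
```

Run against the sample, only auth-api.target.com (keywords auth, api) and gql.target.com (graphql, gql) survive; the 403 host is dropped by the status filter and the CDN and landing page carry nothing of interest. In a live run, replace the sample with `recon_pipeline target.com`.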
Among the results were several suspicious-looking hosts, one of which exposed a GraphQL endpoint.
While there was no obvious vulnerability, the author decided to dig deeper.