OAuth Token Leakage via Referer - DFL-028-25

This application demonstrates OAuth token leakage through the HTTP Referer header.

How It Works

1. After OAuth login, the user is redirected to /dashboard?token=ACCESS_TOKEN
2. The dashboard page includes an external tracking pixel: <img src="/api/track/pixel.gif">
3. The browser sends the full dashboard URL (including the token) as the Referer header
4. The tracking endpoint logs the Referer, exposing the access token

Endpoints

• POST /api/login - Login (JSON: username, password). Returns redirect URL with token.
• GET /dashboard?token=X - Dashboard page (includes tracking pixel)
• GET /api/track/pixel.gif - Tracking pixel that logs Referer header
• GET /api/logs - View all logged Referer headers (tokens may be leaked here)
• GET /api/flag?token=X - Get flag with admin token

Login

Credentials

• admin / admin-secure-pass
• user1 / password123