OAuth2

potential attacks

weak redirect_uri configuration

  • other parameters might be vulnerable too: client_uri, policy_uri, tos_uri, initiate_login_uri
  • /.well-known/openid-configuration can contain information about endpoints

xss in redirect implementation

state parameter is not random

  • does not work as CSRF protection anymore
  • send your registration link to their account
  • allow login with your additional external account

pre-account takeover

  • try to create one account before the user links their account
  • now the new user account is linked to an existing attacker account

Referer Header leaking Code + State

Everlasting authorization code

pkce
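Added example (not from these notes): the server-side checks that close the redirect_uri, state and PKCE items above, written in Python. The registration table, client id and URIs are constructed for illustration; the PKCE values in the comments come from RFC 7636 Appendix B.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed client registration: the allowed redirect_uri values are
# stored as exact strings, so there is no prefix, wildcard or substring logic.
REGISTERED_REDIRECT_URIS = {
    "client-1": {"https://app.example/callback"},
}


def redirect_uri_allowed(client_id: str, redirect_uri: str) -> bool:
    """Exact match against the registered set; https only, no fragment."""
    parts = urlsplit(redirect_uri)
    if parts.scheme != "https" or parts.fragment:
        return False
    return redirect_uri in REGISTERED_REDIRECT_URIS.get(client_id, set())


def new_state() -> str:
    """Unguessable per-login CSRF token; store it in the session, compare on callback."""
    return secrets.token_urlsafe(32)


def state_matches(expected: str, received: str) -> bool:
    """Constant-time comparison of the stored state with the one returned."""
    return hmac.compare_digest(expected, received)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def code_challenge_s256(verifier: str) -> str:
    """S256 transform from RFC 7636: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def pkce_verifies(verifier: str, challenge: str, method: str = "S256") -> bool:
    """Token endpoint check: verifier length per RFC 7636, S256 only (no 'plain')."""
    if not 43 <= len(verifier) <= 128 or method != "S256":
        return False
    return hmac.compare_digest(code_challenge_s256(verifier), challenge)
```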

references