OAuth Vulnerabilities and Attack Patterns
Study redirect URI manipulation, CSRF on the authorization endpoint, and token leakage vulnerabilities.
Open Redirect in redirect_uri
OAuth authorization servers must strictly validate the redirect_uri parameter. If the server allows prefix matching or wildcard matching (e.g., accepting any URL starting with "https://app.example.com"), an attacker crafts an authorization request redirecting to "https://app.example.com.attacker.com/steal" or an open redirect on the legitimate domain, stealing the authorization code.
CSRF on the Authorization Endpoint
Without CSRF protection, an attacker can initiate an OAuth flow and trick a victim's browser into completing the authorization. The victim inadvertently authorizes the attacker's client. The "state" parameter (RFC 6749) prevents this: the client generates a random state, includes it in the request, and verifies it matches in the callback. A mismatch aborts the flow.
All lessons in this course
- OAuth 2.0 Flows and Token Types
- PKCE: Securing Public Clients
- OpenID Connect Claims and ID Tokens
- OAuth Vulnerabilities and Attack Patterns