Security Testing Checklist
The purpose of this section is to provide a quick checklist when testing the security posture of an OAuth implementation.
In cases where you can register an OAuth Client
Does the Authorization Server prevent Client A from using an authorization token that was generated by Client B?
Does the Resource Server prevent Client A from using an access token that was minted for Client B?
In the case of an Authorization Code grant, can the code be exchanged multiple times for a token?
If the Authorization Server issues a JWT in the form of an access token:
Is the JWT signed correctly?
Even where it looks like it is, there can be scenarios such as ECDSA nonce reuse, which arises when a developer tries to roll their own crypto.
Look into other misconfigurations that stem primarily from JWT handling; there is a great resource on this.
If the Authorization Server supports Revocation, can Client A revoke Client B's token?
In the case of Dynamic Client Registration, some Authorization Servers allow a Client to send an authenticated request to see its configuration details. Test for IDOR to see if Client A can see information about Client B.
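The checks above (an authorization code bound to the client it was issued to and usable only once, an access token that the Resource Server accepts only from the client it was minted for, revocation scoped to the token's own client, and a JWT signature check that refuses any algorithm outside an allowlist) as one runnable reference, added here as an example and not code from the original page. It is a hypothetical in-memory Authorization Server in Python using only the standard library; the names AuthorizationServer, verify_jwt, resource_server_accepts, the issuer and audience URLs, the 60-second code lifetime and the signing key are all assumptions.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

ISSUER = "https://as.example"        # assumed issuer URL
AUDIENCE = "https://api.example"     # assumed Resource Server audience


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class TokenError(Exception):
    """Raised for any rejected code exchange, token, or revocation."""


class AuthorizationServer:
    """Hypothetical in-memory Authorization Server issuing HS256 JWT access tokens.
    The checks in exchange_code() and revoke() are what the checklist probes for."""

    def __init__(self, signing_key: bytes, token_ttl: int = 300):
        self._key = signing_key
        self._ttl = token_ttl
        self._codes = {}       # code -> {client_id, redirect_uri, issued_at}
        self.revoked = set()   # jti values of revoked tokens

    def issue_code(self, client_id: str, redirect_uri: str) -> str:
        code = secrets.token_urlsafe(24)
        self._codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                             "issued_at": time.time()}
        return code

    def exchange_code(self, client_id: str, code: str, redirect_uri: str) -> str:
        # pop() makes the code single-use: a replay, or a presentation by the
        # wrong client, burns it so it cannot be tried again
        record = self._codes.pop(code, None)
        if record is None:
            raise TokenError("unknown or already-used code")
        # the code is bound to the client (and redirect_uri) it was issued to
        if record["client_id"] != client_id or record["redirect_uri"] != redirect_uri:
            raise TokenError("code was not issued to this client/redirect_uri")
        if time.time() - record["issued_at"] > 60:   # assumed code lifetime
            raise TokenError("code expired")
        return self._mint_jwt(client_id)

    def _mint_jwt(self, client_id: str) -> str:
        now = int(time.time())
        header = {"alg": "HS256", "typ": "JWT"}
        payload = {"iss": ISSUER, "aud": AUDIENCE, "client_id": client_id,
                   "iat": now, "exp": now + self._ttl, "jti": secrets.token_hex(8)}
        signing_input = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(payload).encode())
        sig = hmac.new(self._key, signing_input.encode(), hashlib.sha256).digest()
        return signing_input + "." + b64url(sig)

    def revoke(self, requesting_client: str, token: str) -> None:
        claims = verify_jwt(token, self._key, AUDIENCE)
        # a client may only revoke tokens minted for itself
        if claims["client_id"] != requesting_client:
            raise TokenError("token belongs to a different client")
        self.revoked.add(claims["jti"])


def verify_jwt(token: str, key: bytes, expected_aud: str, allowed_algs=("HS256",)) -> dict:
    """Verify signature and core claims. The alg allowlist is checked first so an
    unexpected or absent algorithm never reaches the signature comparison."""
    try:
        h64, p64, s64 = token.split(".")
    except ValueError:
        raise TokenError("malformed token")
    header = json.loads(b64url_decode(h64))
    if header.get("alg") not in allowed_algs:
        raise TokenError(f"disallowed alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s64)):
        raise TokenError("bad signature")
    claims = json.loads(b64url_decode(p64))
    if claims.get("iss") != ISSUER or claims.get("aud") != expected_aud:
        raise TokenError("wrong issuer or audience")
    if claims.get("exp", 0) <= time.time():
        raise TokenError("expired")
    return claims


def resource_server_accepts(token: str, key: bytes, revoked: set, presenting_client: str) -> bool:
    """Resource Server side: signature, audience, revocation, and that the client
    presenting the token is the one it was minted for."""
    try:
        claims = verify_jwt(token, key, AUDIENCE)
    except TokenError:
        return False
    return claims["jti"] not in revoked and claims["client_id"] == presenting_client
```

Each negative test on the checklist maps to one TokenError path: Client B exchanging Client A's code, a second exchange of the same code, Client B presenting Client A's token to the Resource Server, Client B revoking Client A's token, and a token whose header claims an algorithm that is not on the allowlist.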
Is the OAuth implementation (primarily the Authorization Server) custom, or is it using a service such as Auth0 or Okta? Is it using commercial off-the-shelf software like ForgeRock?
If it's an established service provider, time might be better spent probing the Client (unless the intention is to find a vulnerability within the service provider).
Make sure to test for the common vulnerabilities found in the OWASP Top 10 across all moving pieces of the OAuth architecture...
Verify that long-lived tokens aren't being used. Does the Authorization Server support Revocation?
Verify that the access tokens are being stored securely: are they being stored in a cookie without the HttpOnly flag, or possibly in the browser's localStorage?
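Two quick checks for the token-storage item above, added here as an example rather than code from the original page: the first audits a Set-Cookie header for a token-bearing cookie that lacks HttpOnly, Secure or a restrictive SameSite, or has a long Max-Age; the second scans client-side JavaScript for localStorage/sessionStorage writes under token-like keys. The function names, the name hints, the one-hour lifetime threshold and the sample header and script are all constructed assumptions.

```python
import re

# assumed hints that a cookie or storage key holds a credential
TOKEN_NAME_HINTS = ("token", "access", "session", "auth", "jwt")
MAX_COOKIE_AGE = 3600   # assumed policy: flag token cookies living longer than an hour


def parse_set_cookie(header: str) -> dict:
    """Split a Set-Cookie value into name, value and lower-cased attribute map."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return {"name": name.strip(), "value": value, "attrs": attrs}


def looks_like_token(name: str, value: str) -> bool:
    """Name hint, or a three-segment value shaped like a JWT."""
    return any(h in name.lower() for h in TOKEN_NAME_HINTS) or value.count(".") == 2


def audit_set_cookie(header: str) -> list:
    """Return findings for a cookie that appears to carry a token; empty if none."""
    cookie = parse_set_cookie(header)
    if not looks_like_token(cookie["name"], cookie["value"]):
        return []
    attrs = cookie["attrs"]
    findings = []
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: script can read the token")
    if "secure" not in attrs:
        findings.append("missing Secure: cookie may be sent over plaintext HTTP")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        findings.append("SameSite not Lax/Strict: cookie attached to cross-site requests")
    if "max-age" in attrs and attrs["max-age"].isdigit() and int(attrs["max-age"]) > MAX_COOKIE_AGE:
        findings.append(f"long-lived: Max-Age {attrs['max-age']}s exceeds {MAX_COOKIE_AGE}s")
    elif "expires" in attrs and "max-age" not in attrs:
        findings.append(f"review Expires={attrs['expires']} against the lifetime policy")
    return findings


# constructed JavaScript snippet standing in for a client bundle under review
SAMPLE_JS = """
const data = await resp.json();
localStorage.setItem('access_token', data.access_token);
sessionStorage.setItem("ui_theme", "dark");
window.localStorage.setItem("refreshToken", data.refresh_token);
"""

_STORAGE_WRITE = re.compile(r"(?:local|session)Storage\.setItem\(\s*[\"']([^\"']+)[\"']")


def find_storage_writes(js_source: str) -> list:
    """Keys written to Web Storage whose names suggest a credential."""
    keys = _STORAGE_WRITE.findall(js_source)
    return [k for k in keys if any(h in k.lower() for h in TOKEN_NAME_HINTS)]


if __name__ == "__main__":
    # constructed header as an Authorization Server or Client might set it
    for f in audit_set_cookie("access_token=eyJhbGciOi.eyJzdWIi.c2ln; Path=/"):
        print("cookie:", f)
    for k in find_storage_writes(SAMPLE_JS):
        print("storage write:", k)
```

A cookie with every attribute set and a short Max-Age produces no findings, and a non-token cookie (a theme preference, say) is skipped entirely so the audit can be run over every Set-Cookie header in a capture without noise.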