One of the most basic bugs in insecure OAuth 2.0 implementations is an open redirect in the authorization flow: the user is sent to an attacker-controlled server, and the authorization code or token issued for them travels along with the redirect.
Those who are more familiar with OAuth will know that an authorization request carries several parameters, each with a specific function. If validation is configured insecurely, the redirect_uri parameter can be manipulated and assigned arbitrary values. A common defense is to check only whether the URI begins with the URL of the legitimate domain. That check is bypassed by registering a domain whose name starts with the legitimate domain string, as in the request below (redacted.comattacker.com passes a "starts with redacted.com" test):
https://accounts.redacted.com/api/auth?response_type=code&redirect_uri=http%3A%2F%2Fredacted.comattacker.com%2Fapi%2Fauth%2Fcallback&state=REDACTED&client_id=REDACTED&filter_callback=
To mitigate this vulnerability, validate the redirect_uri parameter in full, comparing it exactly against the callback URIs registered for the client, rather than just checking whether it starts with a specific string.
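As an added example (not code from the original post), the Python below contrasts the prefix check described above with an exact allowlist match, and runs both over the request URL quoted in the post. The registered callback URI and the allowlist are assumptions made for the demonstration.

```python
from urllib.parse import urlparse, parse_qs

# Assumed allowlist: the callback URIs registered for this client at the
# authorization server. Real deployments load this from client registration.
REGISTERED_REDIRECT_URIS = {
    "https://redacted.com/api/auth/callback",
}

# The authorization request quoted in the post (redirect_uri is URL-encoded).
SAMPLE_REQUEST = (
    "https://accounts.redacted.com/api/auth?response_type=code"
    "&redirect_uri=http%3A%2F%2Fredacted.comattacker.com%2Fapi%2Fauth%2Fcallback"
    "&state=REDACTED&client_id=REDACTED&filter_callback="
)


def redirect_uri_from_request(request_url: str) -> str:
    """Extract the URL-decoded redirect_uri parameter from an authorization request."""
    query = parse_qs(urlparse(request_url).query)
    return query.get("redirect_uri", [""])[0]


def weak_prefix_check(redirect_uri: str) -> bool:
    """The insecure check from the post: accept anything that starts with the
    legitimate domain. 'http://redacted.comattacker.com/...' passes this test."""
    return redirect_uri.startswith(("http://redacted.com", "https://redacted.com"))


def strict_redirect_check(redirect_uri: str) -> bool:
    """Exact-match validation: the whole URI must equal a registered callback.
    Fragments, embedded credentials and non-HTTPS schemes are rejected up front
    so that near-misses of a registered URI never slip through."""
    parsed = urlparse(redirect_uri)
    if parsed.scheme != "https" or parsed.fragment or parsed.username or parsed.password:
        return False
    # Whole-string comparison: a prefix such as 'redacted.com' inside a longer
    # hostname cannot match a registered entry.
    return redirect_uri in REGISTERED_REDIRECT_URIS


if __name__ == "__main__":
    uri = redirect_uri_from_request(SAMPLE_REQUEST)
    print("redirect_uri:", uri)
    print("prefix check accepts it:", weak_prefix_check(uri))   # True (vulnerable)
    print("exact match accepts it: ", strict_redirect_check(uri))  # False (blocked)
```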