OAuth - MindMap to Exploit All

OAuth Vulnerabilities
├── Redirect URI Attacks
│   ├── Open Redirect (steal code)
│   ├── Wildcard redirect abuse
│   └── Redirect URI Manipulation
├── CSRF & State Attacks
│   ├── Missing or predictable `state`
│   ├── Login CSRF (session swapping)
│   └── No origin verification
├── Authorization Code Issues
│   ├── Code Reuse
│   ├── Long-lived codes
│   └── Code leaked in logs / referrer
├── Token Misuse & Replay
│   ├── Access token replay
│   ├── Token leakage in URL
│   ├── Over-privileged access (scope abuse)
│   ├── No audience (`aud`) claim validation
│   └── Refresh token abuse
├── Integration Weaknesses
│   ├── Misconfigured trust between client & provider
│   ├── IDP Confusion (wrong provider trust)
│   └── Unvalidated token issuer or audience
└── PKCE/Implicit Flow Abuse
    ├── Missing PKCE in mobile apps
    ├── Implicit flow used in web (tokens in URL fragment)
    └── No secure storage of token (e.g., localStorage)


========================================================================

OAuth – Key Points

  • Full form: Open Authorization

  • Used for: Accessing data from one app via another (without password)

  • Why: Safe, token-based access to user data


🔧 Flow Summary (Auth Code Grant)

  1. User clicks “Login with Google”

  2. App redirects to Google

  3. User approves access

  4. Google redirects the browser back to the app's redirect_uri with an authorization code

  5. App exchanges code for an access token

  6. App uses token to access user data (email, profile)
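The six steps above from the app's side, as an added example that is not part of the original post. It covers steps 2, 4 and 5 and adds the two checks the mind map lists as missing in weak clients: a per-session `state` value verified before the code is touched, and PKCE (S256) so the code is useless without the verifier the app kept server-side. The endpoint, client id and redirect URI are constructed placeholders; the actual HTTP call to the token endpoint is left to whatever HTTP client the app uses.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed values for this example; not a real provider or client.
AUTHORIZE_ENDPOINT = "https://provider.example/oauth/authorize"
CLIENT_ID = "demo-client-id"
REDIRECT_URI = "https://app.example/callback"
SCOPE = "openid email profile"


def b64url(raw: bytes) -> str:
    """Base64url without padding, as PKCE requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_pkce_pair():
    """Return (code_verifier, code_challenge) using the S256 method."""
    verifier = b64url(secrets.token_bytes(32))           # 43 chars, 256 bits of entropy
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def verify_pkce(code_challenge: str, code_verifier: str) -> bool:
    """Provider-side check at the token endpoint: S256(verifier) must equal the
    challenge stored with the code. Constant-time compare."""
    expected = b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())
    return hmac.compare_digest(expected.encode(), code_challenge.encode())


def query_params(url: str) -> dict:
    """Flatten a URL's query string into {name: first_value}."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def build_authorization_request(session: dict) -> str:
    """Step 2: URL the app redirects the browser to. `state` and the PKCE
    verifier live only in the server-side session, never in the URL or localStorage."""
    state = secrets.token_urlsafe(32)
    verifier, challenge = make_pkce_pair()
    session["oauth_state"] = state
    session["pkce_verifier"] = verifier
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": SCOPE,
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)


def handle_callback(session: dict, callback_url: str) -> dict:
    """Steps 4-5: the provider redirected back with ?code=...&state=...
    Verify state before using the code, then build the token request body."""
    params = query_params(callback_url)
    expected_state = session.pop("oauth_state", None)   # single use
    returned_state = params.get("state", "")
    if expected_state is None or not hmac.compare_digest(
        returned_state.encode(), expected_state.encode()
    ):
        raise ValueError("state mismatch: refusing callback (possible login CSRF)")
    if "error" in params:
        raise ValueError("provider returned error: " + params["error"])
    code = params.get("code")
    if not code:
        raise ValueError("callback carries no authorization code")
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,       # must equal the value sent in step 2
        "client_id": CLIENT_ID,
        "code_verifier": session.pop("pkce_verifier"),
    }


if __name__ == "__main__":
    session = {}
    print(build_authorization_request(session))
    # Constructed callback: what the provider would send back in step 4.
    demo = "https://app.example/callback?code=demo-code-123&state=" + session["oauth_state"]
    print(handle_callback(session, demo))
```

The token request body returned by `handle_callback` is what the app POSTs in step 5; because `code_verifier` was never sent to the browser, a code that leaks through a referrer or log line cannot be exchanged by anyone who did not also hold the app's session.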


🔐 Key Components

Component          Role
Resource Owner     You (the user)
Client             The app requesting data
Auth Server        Who logs you in (e.g. Google)
Resource Server    Where data lives (e.g. Gmail API)

📦 Tokens

  • Access Token: Used to call APIs (short-lived)

  • Refresh Token: Used to get a new access token (long-lived)

============================================================

OAuth Attack: Redirect URI Manipulation


✅ What it is:

Trick the OAuth provider into sending the code or token to an attacker-controlled URL.


🧨 Attack Flow:

  1. Attacker crafts OAuth URL with redirect_uri=https://attacker.com

  2. Sends to victim via phishing/social engineering

  3. Victim logs in and approves

  4. OAuth provider redirects ?code=xyz to attacker’s site

  5. Attacker exchanges code for access token

  6. ✅ Gains access to victim's data


🧠 Why it works:

  • App allows wildcard or unvalidated redirect URIs

  • OAuth provider does not enforce strict redirect_uri match


🧪 Real-world example:

Uber OAuth bug: *.uber.com was allowed → attacker registered a subdomain → stole codes → got tokens


🔐 Defense:

Mitigation                      Reason
✅ Exact redirect_uri match     Prevents redirect tampering
✅ No wildcards (*.demo.com)    Stops subdomain hijack
✅ Server-side allowlist        Validates redirect URI strictly
✅ Use state param              Blocks CSRF chaining with this attack
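The "why it works" and "defense" points above, on the provider side, as an added example that is not part of the original post. It puts the lenient check that makes wildcard registrations exploitable next to the exact-match allowlist check the table recommends, and shows the authorization endpoint refusing to redirect at all when the check fails (redirecting to an unvalidated URI would hand the code to whoever supplied it). The client id and registered URI are constructed placeholders.

```python
from urllib.parse import urlencode, urlsplit

# Constructed registration data: what each client registered with the provider
# (placeholder client id and hosts, not a real deployment).
REGISTERED_REDIRECT_URIS = {
    "demo-client": ("https://app.demo.com/oauth/callback",),
}


def weak_redirect_check(client_id: str, redirect_uri: str) -> bool:
    """The lenient pattern behind subdomain hijacks: any host under the registered
    host's parent domain is accepted, i.e. an implicit '*.demo.com' rule."""
    host = urlsplit(redirect_uri).hostname or ""
    for registered in REGISTERED_REDIRECT_URIS.get(client_id, ()):
        reg_host = urlsplit(registered).hostname or ""
        parent = reg_host.split(".", 1)[1]           # "demo.com"
        if host == reg_host or host.endswith("." + parent):
            return True
    return False


def strict_redirect_check(client_id: str, redirect_uri: str) -> bool:
    """Exact-string comparison against the server-side allowlist:
    no wildcards, no prefix/suffix matching, no normalisation. Also rejects
    non-https schemes and fragments (a redirect_uri must not carry one)."""
    parts = urlsplit(redirect_uri)
    if parts.scheme != "https" or parts.fragment:
        return False
    return redirect_uri in REGISTERED_REDIRECT_URIS.get(client_id, ())


def authorize(client_id: str, redirect_uri: str, state: str, code: str):
    """Authorization endpoint decision after the user approved (step 3).
    On a redirect_uri mismatch the provider must NOT redirect; it renders an
    error page instead. Returns (kind, target) so the caller can act on it."""
    if not strict_redirect_check(client_id, redirect_uri):
        return ("error_page", "invalid redirect_uri for client " + client_id)
    # Assumes the registered URI carries no query string of its own.
    return ("redirect", redirect_uri + "?" + urlencode({"code": code, "state": state}))


if __name__ == "__main__":
    for uri in ("https://app.demo.com/oauth/callback",
                "https://other.demo.com/oauth/callback"):
        print(uri, "weak:", weak_redirect_check("demo-client", uri),
              "strict:", strict_redirect_check("demo-client", uri))
    print(authorize("demo-client", "https://other.demo.com/oauth/callback", "s1", "c1"))
```

Exact string comparison is deliberately dumb: it also closes the path-traversal and query-append variants of the same bug, because anything other than the byte-for-byte registered value fails. If a client genuinely needs several callbacks, register each one explicitly rather than widening the match.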


===========================================================