OAuth
Grabbing OAuth Token via redirect_uri
Redirect to a controlled domain to get the access token.
OAuth implementations should never whitelist entire domains, only a small set of exact URLs, so that "redirect_uri" cannot be pointed at an open redirect on an otherwise-allowed host.
Sometimes you need to change the scope to an invalid one to bypass a filter on redirect_uri:
Executing XSS via redirect_uri
OAuth private key disclosure
Some Android/iOS apps can be decompiled, and the OAuth private key (client secret) embedded in them can be recovered.
Cross-Site Request Forgery
Applications that do not check for a valid CSRF token (the OAuth "state" parameter) in the OAuth callback are vulnerable. This can be exploited by initializing the OAuth flow and intercepting the callback (https://example.com/callback?code=AUTHORIZATION_CODE). This URL can then be used in CSRF attacks, because the callback will accept the attacker's authorization code in the victim's session.
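The two defensive checks the notes above call for, exact-match validation of redirect_uri (not a whole domain) and a session-bound state parameter verified in the callback, as an added example that is not part of the original page. The client id, registered URI and session dictionary are hypothetical; a real server would keep the same data in its client registry and session store.

```python
import hmac
import secrets
from typing import Optional
from urllib.parse import urlsplit

# Hypothetical client registry: each client is tied to exact redirect URIs,
# never to a bare domain, so an open redirect on the same host is not accepted.
REGISTERED_REDIRECT_URIS = {
    "client-123": {"https://app.example.com/oauth/callback"},
}


def redirect_uri_allowed(client_id: str, redirect_uri: str) -> bool:
    """Accept only an https URI that matches a registered one byte-for-byte.

    Prefix, suffix or host-only comparisons are exactly what lets
    redirect_uri be pointed at an open redirect elsewhere on the host.
    """
    parts = urlsplit(redirect_uri)
    if parts.scheme != "https" or parts.fragment:
        return False
    return redirect_uri in REGISTERED_REDIRECT_URIS.get(client_id, set())


def begin_flow(session: dict) -> str:
    """Mint an unguessable state value and bind it to the user's session.

    The caller puts the returned value in the authorization request.
    """
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    return state


def handle_callback(session: dict, query: dict) -> Optional[str]:
    """Return the authorization code only if the callback's state matches the
    one bound to this session; otherwise return None.

    The state is consumed on first use so a captured callback URL cannot be
    replayed, and the comparison is constant-time.
    """
    expected = session.pop("oauth_state", None)
    received = query.get("state")
    if not expected or not received:
        return None
    if not hmac.compare_digest(expected, received):
        return None
    return query.get("code")
```

A callback URL captured from one session fails in every other session (and in its own session after first use), which is what removes the CSRF vector described above.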