Grabbing OAuth Token via redirect_uri

Redirect to a controlled domain to get the access token.


OAuth implementations should never whitelist entire domains, only a few specific URLs, so that "redirect_uri" cannot be pointed at an open redirect.

Sometimes you need to change the scope to an invalid one to bypass a filter on redirect_uri:


Executing XSS via redirect_uri


OAuth private key disclosure

Some Android/iOS apps can be decompiled, and the OAuth private key can be extracted from them.

Cross-Site Request Forgery

Applications that do not check for a valid CSRF token in the OAuth callback are vulnerable. This can be exploited by initiating the OAuth flow and intercepting the callback (https://example.com/callback?code=AUTHORIZATION_CODE). This URL can be used in CSRF attacks.
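Added defender-side example (not code from the original page): it contrasts the host-level whitelist the redirect_uri section warns against with an exact-match check, and adds a session-bound state check so a replayed or attacker-supplied callback is rejected. The client id, registered URI and session dict are constructed sample data.

```python
import hmac
import secrets
from urllib.parse import urlsplit, parse_qs

# Constructed sample registration: each client lists exact redirect URIs,
# never whole domains, so an open redirect elsewhere on the host is useless.
REGISTERED_REDIRECT_URIS = {
    "client-123": {"https://app.example.com/oauth/callback"},
}


def redirect_uri_allowed_weak(client_id, uri):
    """The pattern the text warns against: any URL on a whitelisted host passes."""
    hosts = {urlsplit(u).hostname for u in REGISTERED_REDIRECT_URIS.get(client_id, ())}
    return urlsplit(uri).hostname in hosts


def redirect_uri_allowed(client_id, uri):
    """Strict check: the full redirect_uri must equal a registered value exactly."""
    return uri in REGISTERED_REDIRECT_URIS.get(client_id, ())


def new_state(session):
    """Flow start: bind a fresh random state value to the user's session."""
    session["oauth_state"] = secrets.token_urlsafe(32)
    return session["oauth_state"]


def callback_is_valid(session, callback_url):
    """Callback: accept the code only if it carries this session's state.

    The stored state is consumed on first use, so a replayed callback fails.
    """
    params = parse_qs(urlsplit(callback_url).query)
    returned = params.get("state", [""])[0]
    expected = session.pop("oauth_state", None)
    if not expected or not returned:
        return False
    return hmac.compare_digest(expected, returned)
```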