OAuth Misconfiguration
Overview of the Vulnerability
OAuth 2.0 is an authorization framework that lets an application obtain limited, delegated access to a user's resources at another service; it is commonly combined with OpenID Connect to authenticate users as well. There are a number of implementation misconfigurations, such as a loosely validated redirect_uri or a missing state parameter, which can lead to an OAuth flow being implemented insecurely. These misconfigurations can lead to a broad range of issues which could allow an attacker to manipulate or retrieve sensitive data and potentially bypass the authentication process.
Business Impact
Depending on the type of misconfiguration found in the OAuth implementation, an attacker may be able to take over user accounts, redirect users to an attacker-controlled site, or expose or manipulate the data the application holds, which could lead to financial loss and reputational damage for the business.
Steps to Reproduce
Enable a HTTP intercept proxy, such as Burp Suite or OWASP ZAP
Use a browser to navigate to: {{URL}}
With the HTTP intercept proxy turned on, log in to the application through the OAuth flow and capture the authorization request sent to the provider and the callback returned to the application's redirect URI in the HTTP intercept proxy
Observe the OAuth misconfiguration, for example a redirect_uri that is still accepted after it has been modified, or a callback that succeeds without a state parameter
Proof of Concept (PoC)
The screenshot below demonstrates the OAuth misconfiguration:
{{screenshot}}
Guidance
Provide a step-by-step walkthrough with a screenshot on how you exploited the vulnerability. Your submission must include evidence of the vulnerability and not be theoretical in nature.
For an OAuth misconfiguration vulnerability, please include a screenshot or video to easily demonstrate and reproduce the issue. In the Steps to Reproduce section, please include additional steps needed to uncover the misconfiguration you have identified.
Attempt to escalate the misconfiguration to perform additional actions (such as an account takeover or insecure redirection). If this is possible, provide a full Proof of Concept (PoC).
Recommendation(s)
There is no single technique to stop OAuth misconfigurations from occurring. However, securely implementing the OAuth workflow with the right combination of defensive measures can prevent and limit the impact of these OAuth misconfigurations. Some best practices include the following:
Ensure that parameters within the OAuth workflows are validated. In particular, compare redirect_uri against the exact value registered for the client, not a prefix, substring or wildcard match, and reject the request if it does not match
Enable Cross-Site Request Forgery (CSRF) validation on endpoints by generating an unguessable state parameter for every authorization request, binding it to the user's session, and rejecting any callback whose state is missing, unknown or already used
Prefer the authorization code flow with PKCE over the implicit flow, so that access tokens are not exposed in URLs and an intercepted authorization code cannot be redeemed without the code verifier
Thoroughly validate input and use other preventative controls to limit Cross-Site Scripting (XSS). See the Open Web Application Security Project’s (OWASP) XSS prevention cheat sheet for more details: https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html
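The checks behind the first two recommendations, as an added example written for this page rather than code from the template or from any particular OAuth library. It shows a prefix-based redirect_uri check next to the exact-match form that replaces it, a session-bound single-use state parameter, and, going one step beyond the bullets, the PKCE verifier check. The client identifier, the redirect URI, the session dictionary and all function names are hypothetical and chosen for illustration.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed client registration for illustration only (hypothetical
# client_id and redirect URI, not from any real deployment). Each client maps
# to the exact redirect URIs registered with the authorization server.
REGISTERED_CLIENTS = {
    "web-app-1": {"https://app.example.com/oauth/callback"},
}


def redirect_uri_prefix_check_insecure(redirect_uri: str) -> bool:
    """The misconfiguration: a prefix match on redirect_uri.

    This accepts https://app.example.com.attacker.tld/... and
    https://app.example.com/oauth/callback/../anything, so the authorization
    code or token can be delivered to an attacker-controlled location.
    """
    return redirect_uri.startswith("https://app.example.com")


def redirect_uri_is_registered(client_id: str, redirect_uri: str) -> bool:
    """Hardened form: exact string comparison against the registered URIs.

    No normalisation, no host or path prefix matching, no wildcards; a value
    that differs by a single byte from a registered URI is rejected.
    """
    return redirect_uri in REGISTERED_CLIENTS.get(client_id, set())


def new_state(session: dict) -> str:
    """Generate an unguessable state value and bind it to the user's session."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    return state


def state_is_valid(session: dict, returned_state) -> bool:
    """Check the state echoed on the callback against the session copy.

    The stored value is removed on first use so a captured callback URL cannot
    be replayed, and the comparison is constant-time.
    """
    expected = session.pop("oauth_state", None)
    if not expected or not isinstance(returned_state, str) or not returned_state:
        return False
    return hmac.compare_digest(expected.encode("utf-8"), returned_state.encode("utf-8"))


def _s256(code_verifier: str) -> str:
    """PKCE S256 transform: BASE64URL(SHA256(code_verifier)) without padding."""
    digest = hashlib.sha256(code_verifier.encode("utf-8")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def new_pkce_pair() -> tuple:
    """Client side of PKCE (RFC 7636): a random verifier and its S256 challenge.

    The challenge is sent with the authorization request; the verifier stays
    with the client and is sent only with the token request.
    """
    code_verifier = secrets.token_urlsafe(64)  # 86 chars, inside the 43-128 limit
    return code_verifier, _s256(code_verifier)


def pkce_verifier_matches(code_challenge: str, code_verifier: str) -> bool:
    """Authorization server side: the token request must present the verifier
    that produced the challenge bound to the authorization code."""
    return hmac.compare_digest(_s256(code_verifier).encode("ascii"),
                               code_challenge.encode("utf-8"))


if __name__ == "__main__":
    attacker = "https://app.example.com.attacker.tld/oauth/callback"
    print("prefix check accepts attacker URI:", redirect_uri_prefix_check_insecure(attacker))
    print("exact match accepts attacker URI:", redirect_uri_is_registered("web-app-1", attacker))
    session = {}
    state = new_state(session)
    print("state accepted on first callback:", state_is_valid(session, state))
    print("state accepted on replay:", state_is_valid(session, state))
    verifier, challenge = new_pkce_pair()
    print("PKCE verifier matches challenge:", pkce_verifier_matches(challenge, verifier))
```

When testing a target, the attacker URI above is the kind of variant to try in the captured authorization request: if the provider still redirects with a code or token attached, the redirect_uri check is a prefix or substring match and the finding escalates to account takeover.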