Insecure Redirect URI

Account Takeover by Insecure Redirect URI

Overview of the Vulnerability

OAuth is an authorization framework commonly used to identify and authenticate users for an application. A number of implementation misconfigurations can leave an OAuth workflow insecure, and an attacker can leverage them to take over multiple user accounts and retrieve or manipulate their data.

The application fails to validate the redirect_uri parameter used within the OAuth workflow. This redirect URI is where the user is redirected to after being authorized. When the redirect_uri parameter is not validated, an attacker is able to change this URI to a domain they own. As a consequence, when the OAuth workflow is triggered, the legitimate user’s browser sends the authorization token to the attacker-controlled domain, allowing the attacker to take over the user’s account.

Business Impact

Account takeover can lead to financial loss through an attacker's access to multiple user accounts and the data within them. This attack can also cause reputational damage for the business by eroding customers' trust in the security of the application.

Steps to Reproduce

  1. Enable an HTTP intercept proxy, such as Burp Suite or OWASP ZAP

  2. Use a browser to navigate to: {{URL}}

  3. With the HTTP intercept proxy turned on, log in to the application and capture the response in the HTTP intercept proxy

  4. Change redirect_uri to the following value:

{{parameter}}

  5. Observe that the authorization token is sent to the server set in the previous step

Proof of Concept (PoC)

The screenshot below demonstrates a successful account takeover:

{{screenshot}}

Recommendation(s)

There is no single technique to stop OAuth misconfigurations from occurring. However, securely implementing the OAuth workflow with the right combination of defensive measures can prevent and limit the impact of these OAuth misconfigurations. Some best practices include the following:

  • Ensure that parameters within the OAuth workflow are validated, including the redirect_uri parameter. This can be performed through a strict allow list.

  • Enable Cross-Site Request Forgery (CSRF) validation on endpoints

  • Thoroughly validate input and use other preventative controls to limit Cross-Site Scripting (XSS). See the Open Web Application Security Project’s (OWASP) XSS prevention cheat sheet for more details: https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html
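
The strict allow-list check recommended above, and the loose matching that enables the redirect_uri abuse described in the overview, side by side. This is an added example, not code from the original report; the client registry, client IDs and sample URIs are constructed for illustration.

```python
from typing import Optional
from urllib.parse import urlsplit

# Constructed client registry: each client_id maps to the exact redirect URIs
# registered when the client was onboarded (assumed data, not from the page).
REGISTERED_REDIRECT_URIS = {
    "client-123": {"https://app.example.com/oauth/callback"},
}


def weak_redirect_check(client_id: str, redirect_uri: str) -> bool:
    """The flawed pattern: accept any redirect_uri that merely contains the
    registered hostname. Substring and prefix checks fail the same way."""
    for allowed in REGISTERED_REDIRECT_URIS.get(client_id, ()):
        if urlsplit(allowed).hostname in redirect_uri:
            return True
    return False


def strict_redirect_check(client_id: str, redirect_uri: Optional[str]) -> Optional[str]:
    """Allow-list check the recommendation calls for: exact string match
    against the URIs registered for this client. A missing redirect_uri is
    only accepted when exactly one URI is registered. Returns the URI the
    authorization server may redirect to, or None when the request must be
    rejected with an error rather than redirected anywhere."""
    allowed = REGISTERED_REDIRECT_URIS.get(client_id, set())
    if redirect_uri is None:
        return next(iter(allowed)) if len(allowed) == 1 else None
    parts = urlsplit(redirect_uri)
    if parts.scheme != "https" or parts.fragment:
        return None  # reject scheme downgrade and fragments outright
    return redirect_uri if redirect_uri in allowed else None


# Constructed sample requests: one legitimate callback and variants that an
# authorization server must refuse even though the loose check accepts them.
SAMPLE_REQUESTS = [
    "https://app.example.com/oauth/callback",                # registered
    "https://app.example.com.evil.example/oauth/callback",   # lookalike host
    "https://app.example.com/oauth/callback/../other",       # path variation
    "http://app.example.com/oauth/callback",                  # scheme downgrade
    "https://app.example.com/oauth/callback#token",           # fragment added
]


def compare_checks(client_id: str) -> dict:
    """Map each sample URI to (weak_result, strict_result) for review."""
    return {uri: (weak_redirect_check(client_id, uri),
                  strict_redirect_check(client_id, uri) is not None)
            for uri in SAMPLE_REQUESTS}
```

Only the first sample survives the strict check; the weak check accepts all five, which is exactly the gap the redirect_uri manipulation relies on.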
