OAuth Misconfiguration
detect, understand, remediate

OAuth misconfigurations, including open redirect URIs, missing state parameters, and implicit flow token exposure, enable attackers to steal authorization codes, hijack accounts, and access protected resources.

No credit card required. Free plan available forever.

Severity

High

CWE ID

CWE-346

OWASP Top 10

A07:2021 – Identification and Authentication Failures

CVSS 3.1 Score

8.2

What is OAuth misconfiguration?

OAuth misconfiguration refers to a class of security vulnerabilities that arise from improper implementation of the OAuth 2.0 and OpenID Connect authorization protocols. OAuth is designed to allow third-party applications to access user resources without exposing credentials, but incorrect configuration of redirect URIs, state parameters, token handling, or scope validation can allow attackers to steal authorization codes, access tokens, or achieve full account takeover. These vulnerabilities are classified under CWE-346 (Origin Validation Error) and represent a significant threat to any application that relies on OAuth for authentication or authorization.

The complexity of OAuth flows creates a large attack surface. Authorization code flow, implicit flow, client credentials, and device code grants each have distinct security requirements. When developers fail to implement protections like PKCE (Proof Key for Code Exchange), strict redirect URI matching, or anti-CSRF state parameters, attackers can exploit these gaps to intercept tokens. Combined with open redirect vulnerabilities, OAuth misconfigurations become especially dangerous because attackers can redirect authorization responses to domains they control.

OAuth misconfiguration vulnerabilities are prevalent across the industry because the protocol specification offers considerable flexibility in implementation. Many applications use the deprecated implicit flow that exposes tokens in URL fragments, allow wildcard redirect URIs that can be abused, or fail to validate that the scopes requested at authorization match those actually needed. The impact ranges from unauthorized data access to complete account takeover, particularly when the OAuth provider is used as the sole authentication mechanism. Assessing OAuth security requires thorough testing of every flow parameter; scoring the findings with a tool like the CVSS calculator helps quantify the resulting risk.

How it works

1. Analyse the OAuth flow

The attacker examines the application's OAuth implementation, identifying the grant type used, redirect URI patterns, state parameter handling, and token storage mechanisms.

2. Identify misconfiguration

The attacker discovers a weakness such as a wildcard redirect URI, missing state parameter, use of implicit flow, or authorization code reuse that can be exploited to intercept tokens.

3. Steal authorization code or token

By exploiting the misconfiguration (e.g. redirecting the OAuth callback to an attacker-controlled endpoint), the attacker captures the victim's authorization code or access token.

4. Account takeover

The attacker exchanges the stolen authorization code for an access token or uses the captured token directly to impersonate the victim and access their account and data.

Common causes

Wildcard redirect URIs

Configuring redirect URI validation with wildcard patterns (e.g. *.example.com) or prefix matching, allowing attackers to register subdomains or exploit path-based bypasses to capture authorization responses.

Missing state parameter (CSRF)

Omitting the state parameter in authorization requests, enabling cross-site request forgery attacks in which an attacker causes the victim's browser to complete a callback carrying the attacker's own authorization code, linking the attacker's account to the victim's session.

Implicit flow token leakage

Using the deprecated implicit grant type that returns access tokens directly in URL fragments, exposing them through browser history, referrer headers, and client-side JavaScript access.

Insufficient scope validation

Failing to validate or restrict the scopes requested during authorization, allowing applications to request broader permissions than necessary or attackers to escalate scope during the authorization flow.

How to detect it

Automated detection

  • SecPortal's authenticated scanner tests OAuth endpoints for redirect URI validation bypass techniques, including subdomain manipulation, path traversal, and parameter pollution
  • State parameter verification testing confirms whether the application generates and validates unique state values for each authorization request to prevent CSRF attacks
  • Token exposure analysis checks for access tokens in URL fragments, browser history, referrer headers, and client-side storage that indicate use of insecure grant types

Manual testing

  • Modify the redirect_uri parameter with variations (adding paths, changing subdomains, using URL encoding) to test whether the server performs strict or loose URI matching
  • Initiate OAuth flows without a state parameter or with a static state value, then verify if the server accepts the callback without proper CSRF validation
  • Test authorization code reuse by capturing a code and attempting to exchange it multiple times, and verify that tokens have appropriate expiration and scope restrictions

How to fix it

Enforce strict redirect URI matching

Validate redirect URIs using exact string comparison rather than pattern matching or prefix checks. Register all allowed redirect URIs explicitly and reject any request with an unregistered URI.
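The contrast between the prefix and wildcard matching described under "Wildcard redirect URIs" and the exact comparison recommended here, as an added example (not SecPortal's code). The client id and registered URI are constructed sample values.

```python
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Constructed sample registration for a hypothetical client; not real data.
REGISTERED_REDIRECT_URIS = {
    "client-123": {"https://app.example.com/oauth/callback"},
}
# The weak host-wildcard style the text warns about, kept only for comparison.
WILDCARD_HOST_PATTERNS = {"client-123": {"*.example.com"}}


def prefix_redirect_allowed(client_id: str, redirect_uri: str) -> bool:
    """Weak check: prefix matching. Anything appended to a registered
    URI (extra path segments, a different suffix) still passes."""
    allowed = REGISTERED_REDIRECT_URIS.get(client_id, set())
    return any(redirect_uri.startswith(uri) for uri in allowed)


def wildcard_redirect_allowed(client_id: str, redirect_uri: str) -> bool:
    """Weak check: host wildcard. Every host under example.com passes,
    including subdomains the client does not control."""
    host = urlsplit(redirect_uri).hostname or ""
    patterns = WILDCARD_HOST_PATTERNS.get(client_id, set())
    return any(fnmatchcase(host, p) for p in patterns)


def strict_redirect_allowed(client_id: str, redirect_uri: str) -> bool:
    """Exact string comparison against the registered list, plus two
    defence-in-depth checks: HTTPS only and no fragment component."""
    if redirect_uri not in REGISTERED_REDIRECT_URIS.get(client_id, set()):
        return False
    parts = urlsplit(redirect_uri)
    return parts.scheme == "https" and parts.fragment == ""
```

Only `strict_redirect_allowed` should be wired into an authorization endpoint; the two weak variants exist to show what each loose matcher lets through.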

Always use state and PKCE parameters

Generate a unique, cryptographically random state value for each authorization request and validate it on callback. Implement PKCE (Proof Key for Code Exchange) for all public clients to prevent authorization code interception.

Prefer authorization code flow over implicit

Use the authorization code grant type with PKCE instead of the deprecated implicit flow. The authorization code flow keeps tokens out of URL fragments and browser history, significantly reducing the attack surface.
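The state and PKCE handling from "Always use state and PKCE parameters", applied to the authorization code flow recommended here, as an added example (not SecPortal's code). It assumes a dictionary-like per-user session on the client and shows both the client's side and the authorization server's S256 check at the token endpoint.

```python
import base64
import hashlib
import secrets


def b64url(raw: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires for the challenge."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def begin_authorization(session: dict) -> dict:
    """Client side: fresh random state and PKCE verifier per request,
    stored in the user's session; returns the parameters to send."""
    state = b64url(secrets.token_bytes(32))
    code_verifier = b64url(secrets.token_bytes(32))   # 43 chars, within 43..128
    session["oauth_state"] = state
    session["pkce_verifier"] = code_verifier
    challenge = b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())
    return {"response_type": "code", "state": state,
            "code_challenge": challenge, "code_challenge_method": "S256"}


def handle_callback(session: dict, params: dict) -> str:
    """Client side: validate state before using the code. The stored state
    is consumed on first use, so a replayed or static value cannot pass."""
    expected = session.pop("oauth_state", None)
    received = params.get("state")
    if expected is None or received is None or not secrets.compare_digest(expected, received):
        raise ValueError("state mismatch: possible CSRF or replayed callback")
    # Returned verifier goes to the token endpoint as code_verifier.
    return session.pop("pkce_verifier")


def server_verify_pkce(code_challenge: str, code_verifier: str) -> bool:
    """Authorization server side: recompute S256 over the presented
    verifier and compare it with the challenge bound to the code."""
    if not 43 <= len(code_verifier) <= 128:
        return False
    computed = b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())
    return secrets.compare_digest(computed, code_challenge)
```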

Validate and restrict scopes

Define the minimum required scopes for each client application and enforce them server-side. Reject authorization requests that ask for broader permissions than the client is registered for.

Issue short-lived tokens with refresh capability

Configure access tokens with short expiration times (minutes, not hours) and issue refresh tokens for long-lived sessions. Implement token rotation so that each refresh token can only be used once, detecting token theft through reuse detection.
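The single-use refresh token rotation with reuse detection described above, as an added example (not SecPortal's code). The in-memory store, the token family concept and the lifetimes are assumptions chosen to illustrate the mechanism.

```python
import secrets
import time


class RefreshTokenStore:
    """Issues short-lived access tokens plus single-use refresh tokens.
    Every refresh token belongs to a family (one per login). Presenting an
    already-rotated token revokes the whole family, because either the
    legitimate client or a thief is now holding a stale copy.
    Hypothetical in-memory implementation for illustration only."""

    ACCESS_TTL = 600               # 10 minutes: "minutes, not hours"
    REFRESH_TTL = 14 * 24 * 3600   # refresh tokens still expire eventually

    def __init__(self):
        self._refresh = {}          # refresh token -> record
        self._revoked_families = set()

    def issue(self, user: str, family=None) -> dict:
        """Mint a new access/refresh pair; a new family starts at login."""
        family = family or secrets.token_urlsafe(16)
        token = secrets.token_urlsafe(32)
        self._refresh[token] = {"user": user, "family": family, "used": False,
                                "expires": time.time() + self.REFRESH_TTL}
        return {"access_token": secrets.token_urlsafe(32),
                "expires_in": self.ACCESS_TTL, "refresh_token": token}

    def rotate(self, refresh_token: str) -> dict:
        """Exchange a refresh token exactly once for a new pair."""
        rec = self._refresh.get(refresh_token)
        if rec is None or rec["expires"] < time.time():
            raise PermissionError("unknown or expired refresh token")
        if rec["family"] in self._revoked_families:
            raise PermissionError("token family revoked")
        if rec["used"]:
            # Reuse detected: invalidate every token descended from this login.
            self._revoked_families.add(rec["family"])
            raise PermissionError("refresh token reuse detected; family revoked")
        rec["used"] = True
        return self.issue(rec["user"], rec["family"])

    def family_revoked(self, refresh_token: str) -> bool:
        rec = self._refresh.get(refresh_token)
        return rec is not None and rec["family"] in self._revoked_families
```

A revoked family forces the user to log in again, which is the intended outcome: the cost of one re-login is small compared with letting a stolen refresh token keep minting access tokens.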

Audit your OAuth implementation

SecPortal tests redirect URI validation, state/PKCE enforcement, token handling, and scope validation across your OAuth flows. Start free.