- Open Redirection to OAuth token stealing: changing redirect_uri to bing.com; use IDN Homograph; other bypasses.
- Change Referral header to bing.com while requesting OAuth.
GET /oauth/token/google HTTP/1.1
Host: target.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
...
Referer: https://evil.com
- Pre Account Takeover: Create an account with victim@gmail.com with normal functionality. Create account with victim@gmail.com using OAuth functionality. Now try to login using previous credentials.
- OAuth Token Re-use.
- Missing or broken state parameter (CSRF Bypass)
- Lack of origin check (Lack_Of_Origin_Check.html)
- Open Redirection on another endpoint ---> Redirect to that endpoint via redirect_uri
- Look for additional parameters in the requests. For example, if there is an email parameter after signin (i.e. code=OAUTH_TOKEN&state=ANTI.CSRF.TOKEN&email=attacker@gmail.com) then try to change the email parameter to victim's email.
- Try to remove email from the scope and add victim's email manually.
- Only company's email is allowed? Replace
hd=company.comtohd=gmail.com - Check for client_secret parameter in burp search/github dorking.
- Go to the browser history and check if the token is present in the history.
- Facebook OAuth Misconfiguration: https://salt.security/blog/oh-auth-abusing-oauth-to-take-over-millions-of-accounts