Skip to main content


Showing posts from January, 2015

Top 5 OAuth 2 Implementation Vulnerabilities

Heya, back to my favourite topics namely OAuth .
I have previously discussed about common  OAuth 2 Implementation Vulnerabilities but now it is time (maybe) to list those and order them based on their criticality.

#5 The Postman Always Rings Twice  I have introduced this 'attack' in last year post . This is for provider implementer, it is not extremely severe but, hey, is better to follow the spec. Specifically

The client MUST NOT use the authorization code  more than once.  If an authorization code is used more than once, the authorization server MUST deny the request and SHOULD revoke (when possible) all tokens previously issued based on that authorization code.

It turned out that even Facebook and Googledid it wrong... :)

#4 Match Point To all OAuth Providers be sure to follow section 4.1.3 of the spec in particular

...if the "redirect_uri" parameter was included in the initial authorization request as described in Section 4.1.1, and if included ensure that t…